Issue #4870 has been updated by John Florian.

Status changed from Closed to Re-opened
Affected Puppet version set to 2.6.12

I've seen this too and right now it's very repeatable for me. I have 2.6.12 on both the puppet master and the client. The client is Fedora 16 and the server is Fedora 15. In older releases, it would seem that puppet would randomly fail to set the SEL context. Eventually it would sort itself out though. Now it just seems to fail all the time.

----------------------------------------
Bug #4870: Puppet reports that SELinux attributes have been set when they have not.
https://projects.puppetlabs.com/issues/4870

Author: Jon Swanson
Status: Re-opened
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 2.6.12
Keywords: selinux
Branch:

SELinux outputs the following types of messages:

debug: //puppet-master-dirstructure/File[/var/lib/puppet-master]: Changing seluser,seltype
debug: //puppet-master-dirstructure/File[/var/lib/puppet-master]: 2 change(s)
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master]/seluser: seluser changed 'unconfined_u' to 'system_u'
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master]/seltype: seltype changed 'var_lib_t' to 'puppet_var_lib_t'
debug: Time for triggering 2 events to edges: 0.00911283493041992
info: //puppet-master-dirstructure/File[/var/lib/puppet-master]: Evaluated in 0.25 seconds
debug: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]: Changing seluser,seltype
debug: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]: 2 change(s)
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]/seluser: seluser changed 'unconfined_u' to 'system_u'
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]/seltype: seltype changed 'var_lib_t' to 'puppet_var_lib_t'
debug: Time for triggering 2 events to edges: 0.00410819053649902
info: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]: Evaluated in 0.23 seconds
debug: //puppet-master-dirstructure/File[/var/lib/puppet-master/ssl]: Changing seluser,seltype
debug: //puppet-master-dirstructure/File[/var/lib/puppet-master/ssl]: 2 change(s)
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/ssl]/seluser: seluser changed 'unconfined_u' to 'system_u'
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/ssl]/seltype: seltype changed 'var_lib_t' to 'puppet_var_lib_t'
debug: Time for triggering 2 events to edges: 0.00802206993103027
...continues...

However, the files remain unchanged:

[root@puppet tmp]# ls -Z /var/lib/puppet-master/
drwxr-x---. puppet puppet unconfined_u:object_r:var_lib_t:s0 bucket
drwxrws---. puppet puppet unconfined_u:object_r:var_lib_t:s0 clientbucket
drwxrws---. puppet puppet unconfined_u:object_r:var_lib_t:s0 client_yaml
drwxrws---. puppet puppet unconfined_u:object_r:var_lib_t:s0 lib
drwxrws---. puppet puppet unconfined_u:object_r:var_lib_t:s0 rrd
drwxrwx--x. puppet puppet unconfined_u:object_r:var_lib_t:s0 ssl
drwxr-xr-t. puppet puppet unconfined_u:object_r:var_lib_t:s0 state

Crude stracing seems to show that puppet does not even attempt to change the attributes, despite checking the selinux attributes multiple times:

[root@puppet tmp]# strace -o strace.log -ff puppetd --no-daemonize --debug
...
[root@puppet tmp]# grep puppet-master/bucket * | grep xattr
strace.log:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log.9315:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log.9315:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log.9315:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
strace.log.9315:lgetxattr("/var/lib/puppet-master/bucket", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35

I'm assuming here that any attempts to actually change the selinux attributes will result in a call to 'setxattr', similar to the 'chcon' command.

This may be related to http://projects.puppetlabs.com/issues/3984

However, in this case puppet actually **should** be changing the selinux attributes, but is failing to. (Manually setting the attributes via 'chcon' works with no problems)
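
An added example, not part of the original report and not Puppet's own code: a small checker that cross-references the three kinds of evidence quoted above (Puppet "changed" notices, `ls -Z` output, and strace lines) and lists every SELinux attribute that was reported as changed but is not on disk. The function names and the sample strings are assumptions constructed from the output in the report.

```python
import re

# Constructed sample input, modelled on the output quoted in the report.
PUPPET_LOG = """\
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]/seluser: seluser changed 'unconfined_u' to 'system_u'
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/client_yaml]/seltype: seltype changed 'var_lib_t' to 'puppet_var_lib_t'
notice: //puppet-master-dirstructure/File[/var/lib/puppet-master/ssl]/seltype: seltype changed 'var_lib_t' to 'puppet_var_lib_t'
"""
LS_Z = """\
drwxrws---. puppet puppet unconfined_u:object_r:var_lib_t:s0 client_yaml
drwxrwx--x. puppet puppet unconfined_u:object_r:var_lib_t:s0 ssl
"""
STRACE = """\
strace.log:lgetxattr("/var/lib/puppet-master/ssl", "security.selinux", "unconfined_u:object_r:var_lib_t:s0", 255) = 35
"""

NOTICE = re.compile(r"File\[(?P<path>[^\]]+)\]/(?P<attr>sel\w+): "
                    r"\w+ changed '[^']*' to '(?P<new>[^']*)'")
# Path-based writes only; fsetxattr takes a file descriptor, not a path.
SET_CALL = re.compile(r'\bl?setxattr\("([^"]+)", "security\.selinux"')
FIELDS = ("seluser", "selrole", "seltype", "selrange")

def claimed_changes(log):
    """Map path -> {attribute: value the Puppet notice says was set}."""
    claims = {}
    for m in NOTICE.finditer(log):
        claims.setdefault(m["path"], {})[m["attr"]] = m["new"]
    return claims

def actual_contexts(ls_z, directory):
    """Map path -> {attribute: value} parsed from `ls -Z` of directory."""
    found = {}
    for line in ls_z.splitlines():
        parts = line.split(None, 4)  # mode, owner, group, context, name
        if len(parts) == 5:
            # maxsplit=3 keeps an MLS range such as s0:c0.c1023 intact
            found[f"{directory}/{parts[4]}"] = dict(zip(FIELDS, parts[3].split(":", 3)))
    return found

def set_paths(strace):
    """Paths for which a security.selinux write was traced."""
    return set(SET_CALL.findall(strace))

def unapplied(log, ls_z, directory, strace):
    """List (path, attr, claimed, on_disk, write_traced) for each mismatch."""
    actual, traced, findings = actual_contexts(ls_z, directory), set_paths(strace), []
    for path, attrs in sorted(claimed_changes(log).items()):
        for attr, want in sorted(attrs.items()):
            have = actual.get(path, {}).get(attr)
            if have is not None and have != want:
                findings.append((path, attr, want, have, path in traced))
    return findings

if __name__ == "__main__":
    for finding in unapplied(PUPPET_LOG, LS_Z, "/var/lib/puppet-master", STRACE):
        print(finding)
```

A `write_traced` value of False on a mismatch corresponds to the situation described in the report: the change was logged but no `setxattr` call was made for that path.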
