Issue #18896 has been reported by Hans Lellelid.
----------------------------------------
Bug #18896: Puppet cron type changes selinux context for /var/spool/cron/root
https://projects.puppetlabs.com/issues/18896
Author: Hans Lellelid
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 2.7.11
Keywords: cron selinux spool
Branch:
For context, we are running CentOS 5.8 with a strict SELinux policy (not
targeted). In this environment, once Puppet has updated root's crontab, root
can no longer edit/list the crontab:
{{{
shell# crontab -l
cron/root: Permission denied
}}}
An AVC deny message is logged. Deeper investigation points to the fact that
Puppet is changing the file context on /var/spool/cron/root.
Before Puppet has modified the file:
{{{
shell# ls -Z /var/spool/cron/root
-rw------- root root root:object_r:sysadm_cron_spool_t /var/spool/cron/root
}}}
After Puppet has modified the file, the default context for that dir is applied:
{{{
-rw------- root root root:object_r:cron_spool_t /var/spool/cron/root
}}}
Manually changing the context (chcon) after Puppet modifies the file fixes the
issue, but obviously is a workaround.
{{{
shell# chcon -t sysadm_cron_spool_t /var/spool/cron/root
}}}
(I do not know whether this issue is more general than root's crontab.)
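The before/after comparison from the report can be automated to catch this kind of context change after a configuration-management run. The script below is an added example, not part of the original report or of Puppet; the function names `context_drift` and `demo` are hypothetical, the `alice` lines are constructed sample data, and it assumes the five-field `ls -Z` layout shown in the report.

```shell
#!/bin/sh
# Usage on a live host (assumes the five-field `ls -Z` layout from the report):
#   ls -Z /var/spool/cron/* > before; <Puppet run>; ls -Z /var/spool/cron/* > after
#   context_drift before after

# context_drift BEFORE AFTER
# Prints "path old_type -> new_type" for every file whose SELinux type differs
# between the two snapshots. Returns 1 if any drift was found, 0 otherwise.
# Paths containing whitespace are not handled.
context_drift() {
    awk '
        NF < 5 { next }                          # skip blank or malformed lines
        { split($4, ctx, ":"); cur = ctx[3] }    # user:role:type[:level]
        snap == "before" { old[$5] = cur; next } # first file: record baseline
        ($5 in old) && old[$5] != cur {          # second file: compare
            printf "%s %s -> %s\n", $5, old[$5], cur
            drift = 1
        }
        END { exit (drift ? 1 : 0) }
    ' snap=before "$1" snap=after "$2"
}

# Constructed sample: the root lines are the two listings from the report;
# the "alice" lines are made up to show that an unchanged file is not flagged.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/before" <<'EOF'
-rw------- root root root:object_r:sysadm_cron_spool_t /var/spool/cron/root
-rw------- alice alice user_u:object_r:cron_spool_t /var/spool/cron/alice
EOF
    cat > "$tmp/after" <<'EOF'
-rw------- root root root:object_r:cron_spool_t /var/spool/cron/root
-rw------- alice alice user_u:object_r:cron_spool_t /var/spool/cron/alice
EOF
    context_drift "$tmp/before" "$tmp/after"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || echo "drift detected (exit status $?)"
```
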