Issue #18896 has been updated by Charlie Sharpsteen.

Category set to SELinux

----------------------------------------
Bug #18896: Puppet cron type changes selinux context for /var/spool/cron/root
https://projects.puppetlabs.com/issues/18896#change-89065

* Author: Hans Lellelid
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category: SELinux
* Target version:
* Affected Puppet version: 2.7.11
* Keywords: cron selinux spool
* Branch:
----------------------------------------
For context, we are running CentOS 5.8 with a strict selinux policy (not targeted).

In this environment, once Puppet has updated root's crontab, root can no longer edit/list the crontab:

{{{
shell# crontab -l
cron/root: Permission denied
}}}

An AVC deny message is logged. Deeper investigation points to the fact that puppet is changing the file context on /var/spool/cron/root.

Before puppet has modified the file:

{{{
shell# ls -Z /var/spool/cron/root
-rw------- root root root:object_r:sysadm_cron_spool_t /var/spool/cron/root
}}}

After puppet has modified the file the default context for that dir is applied:

{{{
-rw------- root root root:object_r:cron_spool_t /var/spool/cron/root
}}}

Manually changing the context (chcon) after Puppet modifies the file fixes the issue, but obviously is a workaround.

{{{
shell# chcon -t sysadm_cron_spool_t /var/spool/cron/root
}}}

(I do not know whether this issue is more general than root's crontab.)
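
A check for the context drift described in this report, as an added example (not part of the original report and not Puppet code): it parses `ls -Z` output and compares the SELinux type against the expected one. The function names are hypothetical, and the two sample lines are the `ls -Z` outputs quoted in the report.

```shell
#!/bin/sh
# Added example: detect SELinux type drift on a crontab spool file.
# Function names are hypothetical; sample lines are copied from the report.

# Print the first whitespace-separated field that looks like an SELinux
# context (user:role_r:type[:level]). Works for the CentOS 5 layout
# "mode user group context path" and for newer "context path" output.
context_from_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+_r:[A-Za-z0-9_]+/) { print $i; exit }
    }'
}

# The type is the third colon-separated field of the context.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_drift EXPECTED_TYPE LS_Z_LINE
# Returns 0 when the type matches, 1 on drift, 2 when no context is found.
check_drift() {
    expected=$1
    ctx=$(context_from_ls_line "$2")
    if [ -z "$ctx" ]; then
        echo "UNPARSED"
        return 2
    fi
    actual=$(selinux_type_of "$ctx")
    if [ "$actual" = "$expected" ]; then
        echo "OK type=$actual"
        return 0
    fi
    echo "DRIFT expected=$expected actual=$actual"
    return 1
}

# check_file EXPECTED_TYPE PATH: the same check against a live file.
check_file() {
    check_drift "$1" "$(ls -dZ -- "$2" 2>/dev/null)"
}

# Sample input: the "before" and "after" listings from the report.
BEFORE='-rw------- root root root:object_r:sysadm_cron_spool_t /var/spool/cron/root'
AFTER='-rw------- root root root:object_r:cron_spool_t /var/spool/cron/root'

check_drift sysadm_cron_spool_t "$BEFORE" || :
check_drift sysadm_cron_spool_t "$AFTER" || :
```

Run after each Puppet agent run (for example as `check_file sysadm_cron_spool_t /var/spool/cron/root`), a non-zero exit status flags the relabel before root next tries to use `crontab`.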
