Tom,
It seems like having that as a parameter in the service type might be a
good idea worthy of at least some further discussion. Want to open a
feature request in Redmine to track it? I might (eventually) take a stab
at adding support for it.
Sean
On Wed, 2012-10-10 at 09:01 +0100, Tom wrote:
> Well, I've decided on a very simple way of doing this,
>
> # Keep it running
> service { "mysqld":
>   ensure     => "running",
>   start      => "runcon -u system_u /etc/init.d/mysqld start",
>   hasrestart => false,
>   require    => [ Package["mysql-server"], File[$mysqldirs], ],
> }
>
> so, it starts under the correct selinux user context, and then using
> restart on the init script is disabled so that it makes use of the start
> command when doing a restart.
>
> Not sure if this would be something that would make a good resource flag?
>
> Many thanks. Tom.
>
>
>
> On 10/10/12 07:55, Tom wrote:
> > Hi,
> >
> > Thanks for the response. Really, I think the way I'm approaching this
> > is thinking about starting mysqld under the right selinux user context
> > so that it doesn't label its own files incorrectly. Every time a
> > database or table is created, MySQL will be creating it under the
> > wrong user context, and selinux will then go and reset it back.
> >
> > I think maybe a wrapper script using runcon which invokes the mysqld
> > service under the correct context is going to be the way to go.
> > Really though, I'd hoped that puppet had some kind of provision for
> > starting services with the correct user context!
> >
> > Just wondering if anyone else has had the same issue in the past, or
> > do they just ignore all those seluser notifications? :-)
> >
> > Many thanks. Tom.
> >
> >
> >
> > On 10/10/12 01:50, Peter Brown wrote:
> >> You need to add a require to the service for the config files you are
> >> managing.
> >> I find the best way to do that is put all the config files in a config
> >> subclass and then require that in the service.
> >>
> >>
> >> On 10 October 2012 01:02, Tom<[email protected]> wrote:
> >>> Hi list,
> >>>
> >>> I've got an issue at the moment, which isn't really a big problem, but an
> >>> untidy annoyance really, and I'd just like to understand what the best
> >>> practice might be when dealing with the issue.
> >>>
> >>> As a really quick summary, the issue is that Puppet is starting up the
> >>> mysqld service for the first time as unconfined_u, and then when MySQL goes
> >>> and creates a load of its initial files also as unconfined_u, Puppet goes
> >>> and resets them all to system_u, which is what they should be when checking
> >>> matchpathcon.
> >>>
> >>> The thing is, because the service is started as unconfined_u, any
> >>> databases/tables that are created are going to inherit that, and puppet is
> >>> going to be resetting them.
> >>>
> >>> For some more detail, I've written something which will set the mysqld_db_t
> >>> selinux file_context on my data directories which are in /home, and I have a
> >>> notify which will go and check and re-set the selinux file_context if there
> >>> are any changes in these directories. They're set to recurse, so to stop
> >>> Puppet changing things from unconfined_u to system_u on a regular basis, and
> >>> sending refresh notices to my Exec resources, I've set
> >>> selinux_ignore_defaults to true in my File resources.
> >>>
> >>> This strikes me as a bit of a dirty way of doing things, and I was wondering
> >>> if anyone had any better ideas of how to manage this.
> >>>
> >>> Please find below a sample of the relevant code - because I'm sure my
> >>> verbose description is probably leaving some people scratching their heads!
> >>> :) I was going to make the file_context stuff much more re-usable, but want
> >>> to get my head around the best practices first - as I'm not that experienced
> >>> with all of this stuff to be honest!
> >>>
> >>> Many thanks. Tom.
> >>>
> >>>
> >>> # List of directories we're going to use with MySQL
> >>> $mysqldirs = [ "/home/data", "/home/logs", "/home/mysqltmp", ]
> >>>
> >>> # Set SELinux contexts
> >>> define add_selinux_context ($context = "mysqld_db_t") {
> >>>   file { $name:
> >>>     ensure                  => "directory",
> >>>     owner                   => "mysql",
> >>>     group                   => "mysql",
> >>>     seltype                 => $context,
> >>>     selinux_ignore_defaults => true,
> >>>     recurse                 => true,
> >>>     require                 => Package["mysql-server"],
> >>>     notify                  => [ Exec["add_file_context_${context}_${name}"],
> >>>                                  Exec["set_file_context_${context}_${name}"], ],
> >>>   }
> >>>
> >>>   # Set the default file_context regex for the path
> >>>   exec { "add_file_context_${context}_${name}":
> >>>     command     => "semanage fcontext -a -t ${context} \"${name}(/.*)?\"",
> >>>     # semanage prints the pattern, a file-type column and the full context,
> >>>     # so match the pattern as a fixed string and the type as a separate grep
> >>>     unless      => "semanage fcontext -l | grep -F '${name}(/.*)?' | grep ':${context}:'",
> >>>     path        => [ "/usr/sbin", "/sbin", "/usr/bin", "/bin" ],
> >>>     require     => [ Package["policycoreutils-python"], File[$name], ],
> >>>     refreshonly => true,
> >>>   }
> >>>
> >>>   # Reset the file_context using restorecon
> >>>   exec { "set_file_context_${context}_${name}":
> >>>     command     => "restorecon -R ${name}",
> >>>     # only checks the type of the top-level directory itself
> >>>     unless      => "ls -d --scontext ${name} | awk -F: '{print \$3}' | grep \"${context}\"",
> >>>     path        => [ "/usr/sbin", "/sbin", "/usr/bin", "/bin" ],
> >>>     require     => File[$name],
> >>>     refreshonly => true,
> >>>   }
> >>> }
> >>>
> >>> add_selinux_context { $mysqldirs:
> >>>   context => "mysqld_db_t",
> >>> }
> >>>
> >>> # Keep it running
> >>> service { "mysqld":
> >>>   ensure    => "running",
> >>>   hasstatus => true,
> >>>   require   => [ Package["mysql-server"], File[$mysqldirs], ],
> >>> }
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups
> >>> "Puppet Users" group.
> >>> To post to this group, send email to [email protected].
> >>> To unsubscribe from this group, send email to
> >>> [email protected].
> >>> For more options, visit this group at
> >>> http://groups.google.com/group/puppet-users?hl=en.
> >>>
> >
>
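The problem Tom describes is a managed tree that should be system_u:mysqld_db_t but contains files MySQL created as unconfined_u. The audit below is an added example, not code from the thread: it reads "context path" lines (the shape `ls -d --scontext` or GNU `find -printf '%Z %p\n'` prints) and reports entries whose SELinux user or type differs from the expected one, separating a user-only mismatch, which `restorecon -R` leaves alone because it resets only the type unless given `-F`, from a type mismatch. The sample lines are constructed for the example.

```shell
# Constructed sample of "context path" lines; the two unconfined_u entries
# stand in for files MySQL created after being started outside system_u.
SAMPLE_CONTEXTS='system_u:object_r:mysqld_db_t:s0 /home/data
system_u:object_r:mysqld_db_t:s0 /home/data/mysql
unconfined_u:object_r:mysqld_db_t:s0 /home/data/newdb
unconfined_u:object_r:user_home_t:s0 /home/logs/mysqld.log
system_u:object_r:mysqld_db_t:s0 /home/mysqltmp'

# Read "context path" lines on stdin; print one line per entry whose SELinux
# user ($1) or type ($2) is not the expected one:
#   path  actual_user:actual_type  reason
# reason is "user", "type" or "user+type". A "user"-only hit needs
# `restorecon -RF` (or chcon -u); plain `restorecon -R` only fixes "type".
find_mislabelled() {
    awk -v want_user="$1" -v want_type="$2" '
    {
        split($1, ctx, ":")
        reason = ""
        if (ctx[1] != want_user) reason = "user"
        if (ctx[3] != want_type) reason = (reason == "" ? "type" : reason "+type")
        if (reason != "") print $2 "  " ctx[1] ":" ctx[3] "  " reason
    }'
}

# Number of mislabelled entries in the sample for a given user/type.
mislabelled_count() {
    printf '%s\n' "$SAMPLE_CONTEXTS" | find_mislabelled "$1" "$2" | wc -l | tr -d ' '
}

# Reason reported for one path in the sample against system_u:mysqld_db_t.
mislabelled_reason() {
    printf '%s\n' "$SAMPLE_CONTEXTS" | find_mislabelled system_u mysqld_db_t \
        | awk -v p="$1" '$1 == p { print $3 }'
}

# On a real host, per managed directory (hypothetical paths):
#   find /home/data -printf '%Z %p\n' | find_mislabelled system_u mysqld_db_t
```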