Jira (PUP-8477) selinux types are being set on every run
Title: Message Title John Duarte updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: John Duarte QA Risk Assessment: Needs Assessment No Action Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.237580.1519162299000.9188.1571669702079%40Atlassian.JIRA.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title
Tim Skirvin commented on PUP-8477
Re: selinux types are being set on every run
Hmm. This didn't solve all of my problems, I'm still seeing on my host testing 5.5.0:
k5login { '/root/.k5login': principals => unique(sort($princs)), mode => '600' }
-> file { '/root/.k5login': seltype => 'krb5_home_t' }
Notice: /Stage[main]/P_krb5::K5login::Root/K5login[root .k5login]/seluser: seluser changed 'system_u' to 'user_u' Notice: /Stage[main]/P_krb5::K5login::Root/File[/root/.k5login]/seluser: seluser changed 'user_u' to 'system_u' {/code} Note that I'm not setting `user_u` or `system_u` anywhere in my code base; selinux is disabled on the host; and
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Kris Bosland commented on PUP-8477 Re: selinux types are being set on every run Tested: On the new code, no extra notices are given: # bundle exec puppet apply ../test.pp Notice: Compiled catalog for uc4gb43ewmda9cm.delivery.puppetlabs.net in environment production in 0.03 seconds Notice: Applied catalog in 0.02 seconds On the old code (SHA 3b048b23e, no existing branch has the buggy code), extra notices are given: # bundle exec puppet apply ../test.pp Notice: Compiled catalog for uc4gb43ewmda9cm.delivery.puppetlabs.net in environment production in 0.03 seconds Notice: /Stage[main]/Main/K5login[/root/.k5login]/seluser: seluser changed to 'user_u' Notice: /Stage[main]/Main/K5login[/root/.k5login]/selrole: selrole changed to 'object_r' Notice: /Stage[main]/Main/K5login[/root/.k5login]/seltype: seltype changed to 'krb5_home_t' Notice: /Stage[main]/Main/K5login[/root/.k5login]/selrange: selrange changed to 's0' Notice: Applied catalog in 0.02 seconds
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Kris Bosland assigned an issue to Kris Bosland Puppet / PUP-8477 selinux types are being set on every run Change By: Kris Bosland Assignee: Kris Bosland Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Eric Delaney assigned an issue to Unassigned Puppet / PUP-8477 selinux types are being set on every run Change By: Eric Delaney Assignee: Kris Bosland Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Melissa Stone updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Melissa Stone Release Notes Summary: If selinux bindings are not available in puppet, we would try to manage a setting but not be able to read in what it was currently set as. This change makes it so that if we do not have selinux bindings, we don't try to check the current setting as we do not have access to it. Release Notes: Bug Fix Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Eric Delaney commented on PUP-8477 Re: selinux types are being set on every run Melissa Stone can you add release notes please? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Eric Delaney commented on PUP-8477 Re: selinux types are being set on every run merged to 5.5.x at https://github.com/puppetlabs/puppet/commit/dd8f95e6d2e7132d0d379de32dadfbdc2d284dd7 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper assigned an issue to Kris Bosland Puppet / PUP-8477 selinux types are being set on every run Change By: Josh Cooper Assignee: Melissa Stone Kris Bosland Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Michael Smith commented on PUP-8477 Re: selinux types are being set on every run This seems somewhat related to PUP-2169. Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Melissa Stone updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Melissa Stone Sprint: Platform Core Hopper KANBAN Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Melissa Stone assigned an issue to Melissa Stone Puppet / PUP-8477 selinux types are being set on every run Change By: Melissa Stone Assignee: Melissa Stone Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Josh Cooper Labels: regression Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Josh Cooper Fix Version/s: PUP 5.5.0 Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Josh Cooper Sprint: Platform Core Hopper Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title
Andreas Ntaflos commented on PUP-8477
Re: selinux types are being set on every run
We observe similar problems on Ubuntu 14.04 and 16.04 using Puppet 5.4.0. SELinux properties are set on every Puppet agent run for the .k5login files we manage. The output of a typical Puppet agent run looks like this:
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/seluser: seluser changed to 'user_u'
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/selrole: selrole changed to 'object_r'
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/seltype: seltype changed to 'krb5_home_t'
Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/selrange: selrange changed to 's0'
Notice: Applied catalog in 22.20 seconds
We manage the .k5login files using a profile that looks like this:
class profile::k5login {
$k5login_defaults = lookup('profile::k5login::k5login_defaults', Hash, 'deep', {})
$k5logins = lookup('profile::k5login::k5logins', Hash, 'deep', {})
create_resources('k5login', $k5logins, $k5login_defaults)
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title
Tim Skirvin commented on PUP-8477
Re: selinux types are being set on every run
Yes, that's probably it. We've been using this idiom for years now: k5login { "${basedir}/${name}/.k5login": principals => unique(sort($principals)), } -> {{ file { "${basedir}/${name}/.k5login": seltype => 'krb5_home_t' }}}
Add Comment
This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper commented on PUP-8477 Re: selinux types are being set on every run Tim Skirvin Do your manifests also include k5login resources types? I'm wondering if the file and k5login types are conflicting as both are trying to manage seltype? Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Josh Cooper Sub-team: Coremunity Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Josh Cooper Team: Platform Core Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-8477
selinux types are being set on every run
Change By:
Josh Cooper
*Puppet Version: 5.4.0* *Puppet Server Version:* *OS Name/Version: RHEL 7.4*The handling of selinux file parameters seems to have changed between 5.3.5 and 5.4.0. Specifically, we are managing some .k5login files as type 'krb5_home_t': {code:puppet} file \ { "$ \ {basedir}/$ \ {name}/.k5login": seltype => 'krb5_home_t' } {code} As of when we upgraded to v5.4.0, puppet has been trying to reset the parameters every run, e.g.: {noformat} Feb 20 15:16:50 04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/seluser) seluser changed to 'user_u'Feb 20 15:16:50 04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/selrole) selrole changed to 'object_r'Feb 20 15:16:50 04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/seltype) seltype changed to 'krb5_home_t'Feb 20 15:16:50 04 puppet-agent[99767]: (/Stage[main]/P_puppet_server::Automation::User/K5login[/var/lib/foo/.k5login]/selrange) selrange changed to to 's0' {noformat} Downgrading to 5.3.5 reverts the behavior - e.g. the values are no longer updated every run.Note that selinux is off on these hosts anyway.*Desired Behavior: don't change every run**Actual Behavior: tries to change every run*
Add Comment
This message was sent by Atlassian JIRA
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Josh Cooper commented on PUP-8477 Re: selinux types are being set on every run Thanks Tim Skirvin. This is probably related to PUP-4403, modified in commit https://github.com/puppetlabs/puppet/commit/53c86572aff04d2f7b8ad43a3a9b79d8df6562cf. Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Tim Skirvin updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Tim Skirvin Attachment: debug.txt Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Tim Skirvin commented on PUP-8477 Re: selinux types are being set on every run I have a debug log, but I'm not sure that I should be uploading it publicly. Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Tim Skirvin updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Tim Skirvin Attachment: debug.txt Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8477) selinux types are being set on every run
Title: Message Title Tim Skirvin updated an issue Puppet / PUP-8477 selinux types are being set on every run Change By: Tim Skirvin Summary: selinux types are not getting being set on every run Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
