On Monday, 30 November 2015 18:15:59 UTC+1, Remy wrote:
>
> Hi,
>
> We moved from 3.1 to 3.8 and we faced some warnings regarding SELinux all
> of a sudden:
>
> Nov 30 14:48:22 nodename puppet-agent[9865]: Failed to set SELinux context system_u:object_r:usr_t:s0 on /usr/sap/home/username
> Nov 30 14:48:22 nodename puppet-agent[9865]: (/File[/usr/sap/home/username]/seltype) seltype changed 'nfs_t' to 'usr_t'
>

What's the output of:

    matchpathcon /usr/sap/home/username

If selinux is enabled (permissive or enforcing), puppet tries to set the default selinux context on a managed file resource.

https://docs.puppetlabs.com/references/latest/type.html#file-attribute-seltype

For a local addition of the file context you could run:

    semanage fcontext --add --type nfs_t "/usr/sap/home(/.*)?"

(I suspect /usr/sap/home is nfs mounted?)

Afterwards the matchpathcon should then return system_u:object_r:nfs_t:s0

Sometimes I can see that an already running puppet service does not know about updated selinux file contexts - and tries to set the old context. Restarting the puppet service helps here.

- Thomas

PS: if you wanted to have the same permissions for /usr/sap/home as for /home selinux-wise you could run

    semanage fcontext -a -e /home /usr/sap/home

but I don't know if this applies to you. This equivalence feature is not very well known although introduced in 2009 (http://danwalsh.livejournal.com/27571.html) and is very useful.
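
The check behind the warning in this thread, as an added example that is not part of either message: it compares the type field of a file's on-disk SELinux context with the policy default that matchpathcon reports, which is the mismatch the seltype log line shows. The function names are hypothetical, and check_path assumes matchpathcon and GNU stat are installed.

```shell
#!/bin/sh
# Added example: compare the policy default label with the on-disk label.

# Extract the type field from a context such as system_u:object_r:nfs_t:s0.
# The level may itself contain colons (s0:c0.c1023), so take field 3 only.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<on-disk type> <default type>" and return non-zero when they differ,
# the situation in which the seltype change from the log is attempted.
compare_types() {  # $1 = on-disk context, $2 = policy default context
    cur=$(selinux_type "$1")
    def=$(selinux_type "$2")
    printf '%s %s\n' "$cur" "$def"
    [ "$cur" = "$def" ]
}

# Look up both contexts for a real path and report drift.
check_path() {
    def_ctx=$(matchpathcon -n "$1") || return 2   # -n: print context only
    cur_ctx=$(stat -c %C "$1") || return 2        # %C: SELinux context
    if types=$(compare_types "$cur_ctx" "$def_ctx"); then
        echo "OK    $1 ($types)"
    else
        echo "DRIFT $1 (on-disk/default: $types)"
        return 1
    fi
}

# Runs only when paths are given, e.g.: sh check.sh /usr/sap/home/username
for p in "$@"; do
    check_path "$p"
done
```

Run it before and after the semanage fcontext change: a path that reported DRIFT with nfs_t on disk and usr_t as default should report OK once the local file context is in place.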
