Hello,
recently we had trouble with the default value of the file type's 'seltype' 
attribute. Situation:

We have path:
/srv/e/p/a/xxx

For /srv/ selinux context:
/srv/.* all files system_u:object_r:var_t:s0 

For /srv/e/p/a/xx selinux context:
/srv/e/p/a/xxx(/.*)? all files system_u:object_r:prod_secmon_ceres_config_t:s0
 
We are managing file.txt under the /srv/e/p/a/xxx directory. We are not 
setting a value for the seltype attribute, therefore the default is used.
file { "/srv/e/p/a/xxx/file.txt":
  ensure  => file,
  content => ...,
  ...
}

According to the doc, matchpathcon is used, when the seltype attribute is 
not specified.

matchpathcon /srv/e/p/a/xxx//test.txt 
/srv/e/p/a/xxx/test.txt system_u:object_r:prod_secmon_ceres_config_t:s0

The problem is that puppet keeps setting the seltype attribute for file.txt 
to var_t instead of prod_secmon_ceres_config_t.

I checked the puppet code, there is no seltype attribute for the whole 
environment at all.
I checked the catalog JSON file - no seltype is set.

When I run puppet apply locally with just a single file resource, the 
selinux context is ok. 
Also, when I run an exec with  matchpathcon /srv/e/p/a/xxx//test.txt > 
/tmp/match.log within the same puppet run, I have the correct fcontext in 
match.log, but the fcontext of test.txt is still set to var_t.
Also, when I manually change the fcontext of test.txt to something else, 
puppet sets it back to var_t.
And finally, restorecon sets the right context prod_secmon_ceres_config_t for 
that file. 

The only help in this situation was a restart of the puppet agent on the 
servers - and not all servers in the env were affected.

Has anybody else experienced this kind of behavior? Is there any kind of 
cache mechanism involved?

We are running version 3.8.1 of the puppet enterprise agent (and a 3.6.x server, 
but I think this is a problem on the agent side).

Thanks,
H.Karasek
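
Added example, not part of the original post: a shell check that compares the policy default reported by matchpathcon with the label actually on disk, the same comparison the message describes, so that affected servers can be identified. The function names are assumptions of this example; it relies on `matchpathcon -n` and GNU `stat -c %C` being available on the host.

```shell
#!/bin/sh
# Added example: report files whose on-disk SELinux type differs from the
# policy default. Puppet's seltype manages only the type field, so only
# that field is compared.

# seltype CONTEXT
# Print the type field of user:role:type[:level]. The level may itself
# contain colons (e.g. s0:c0.c1023), so take field 3 rather than "last but one".
seltype() {
    printf '%s\n' "$1" | cut -d: -f3
}

# compare_label PATH EXPECTED_CONTEXT ACTUAL_CONTEXT
# Print OK or DRIFT for PATH; return 0 when the types agree, 1 otherwise.
compare_label() {
    cl_want=$(seltype "$2")
    cl_have=$(seltype "$3")
    if [ "$cl_want" = "$cl_have" ]; then
        printf 'OK    %s %s\n' "$1" "$cl_have"
        return 0
    fi
    printf 'DRIFT %s on-disk=%s policy=%s\n' "$1" "$cl_have" "$cl_want"
    return 1
}

# check_path PATH
# Query the policy default and the on-disk label on a live system.
# Returns 2 when either lookup fails (missing file, SELinux tools absent).
check_path() {
    cp_expected=$(matchpathcon -n "$1") || return 2
    cp_actual=$(stat -c %C "$1") || return 2
    compare_label "$1" "$cp_expected" "$cp_actual"
}

# main PATH...
# Check every path given on the command line; return 1 if any check failed.
main() {
    m_status=0
    for m_path in "$@"; do
        check_path "$m_path" || m_status=1
    done
    return "$m_status"
}

main "$@"
```

Run it with the managed paths as arguments, for example `sh check_seltype.sh /srv/e/p/a/xxx/file.txt` (the script name is a placeholder).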



 

