Bug #1648
0.24.6RC1 setting selinux permissions even when disabled
| Status: | Closed | Start date: | 10/13/2008 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Red Hat | | |
| Target version: | 0.24.6 | | |
| Affected Puppet version: | | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
Centos 5.1 2.6.18-92.el5 #1 SMP Tue Jun 10 18:51:06 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux.
Selinux running in permissive mode on both client/server
Upgraded client and server from 0.24.5 to 0.24.6RC1 and the following behavior started.
```
[root@client plugins]# puppetd --test --no-noop
notice: Ignoring --listen on onetime run
info: Caching catalog at /var/lib/puppet/state/localconfig.yaml
notice: Starting catalog run
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/munin::plugins::interfaces/Munin::Plugin[if_eth0]/File[/etc/munin/plugins/if_eth0]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/munin::plugins::interfaces/Munin::Plugin[if_eth0]/File[/etc/munin/plugins/if_eth0]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[interrupts]/File[/etc/munin/plugins/interrupts]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[interrupts]/File[/etc/munin/plugins/interrupts]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[netstat]/File[/etc/munin/plugins/netstat]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[netstat]/File[/etc/munin/plugins/netstat]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[acpi]/File[/etc/munin/plugins/acpi]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[acpi]/File[/etc/munin/plugins/acpi]: Scheduling refresh of Service[munin-node]
notice: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[df_abs]/File[/etc/munin/plugins/df_abs]/seluser: seluser changed 'user_u' to 'system_u'
info: //Node[obu-repos]/munin::client/munin::client::base/munin::plugins::base/munin::plugins::linux/Munin::Plugin[df_abs]/File[/etc/munin/plugins/df_abs]: Scheduling refresh of Service[munin-node]
```
If I downgrade to puppet-0.24.5-1.el5 puppet runs fine with no changes while still using the 0.24.6RC1 server.
```
[root@client plugins]# puppetd --test --no-noop
notice: Ignoring --listen on onetime run
info: Caching catalog at /var/lib/puppet/state/localconfig.yaml
notice: Starting catalog run
info: Sent transaction report in 1.35 seconds
notice: Finished catalog run in 5.54 seconds
```
/etc/munin/plugins, 0.26RC1 Client:
```
lrwxrwxrwx 1 user_u:object_r:etc_t root root 25 Oct 7 14:59 acpi -> /usr/share/munin/plugins/
lrwxrwxrwx 1 user_u:object_r:etc_t root root 28 Oct 7 14:58 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx 1 user_u:object_r:etc_t root root 27 Oct 7 14:58 df -> /usr/share/munin/plugins/df
lrwxrwxrwx 1 user_u:object_r:etc_t root root 31 Oct 7 14:59 df_abs -> /usr/share/munin/plugins/df_abs
lrwxrwxrwx 1 user_u:object_r:etc_t root root 33 Oct 7 14:58 df_inode -> /usr/share/munin/plugins/df_inode
```
0.25 Client:
```
lrwxrwxrwx 1 root:object_r:etc_t root root 25 Sep 29 13:37 acpi -> /usr/share/munin/plugins/
lrwxrwxrwx 1 root:object_r:etc_t root root 28 Sep 29 13:37 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx 1 root:object_r:etc_t root root 27 Sep 29 13:37 df -> /usr/share/munin/plugins/df
lrwxrwxrwx 1 root:object_r:etc_t root root 31 Sep 29 13:37 df_abs -> /usr/share/munin/plugins/df_abs
lrwxrwxrwx 1 root:object_r:etc_t root root 33 Sep 29 13:37 df_inode -> /usr/share/munin/plugins/df_inode
```
History
Updated by James Turnbull over 3 years ago
- Category set to Red Hat
- Assignee set to Sean Millichamp
- Target version set to 0.24.6
Updated by James Turnbull over 3 years ago
- Status changed from Unreviewed to Accepted
Updated by Sean Millichamp over 3 years ago
I would classify this as expected and desired behavior when running in either SELinux permissive or enforcing mode. Puppet is now asking the system what the proper SELinux file context should be (via matchpathcon) and using that as defaults for the new SELinux attributes – adjusting them on-disk as appropriate.
Can you please clarify the problem?
Updated by Tony . over 3 years ago
seanmil wrote:
> I would classify this as expected and desired behavior when running in either SELinux permissive or enforcing mode. Puppet is now asking the system what the proper SELinux file context should be (via matchpathcon) and using that as defaults for the new SELinux attributes – adjusting them on-disk as appropriate.
> Can you please clarify the problem?
After doing a bit more digging, it appears that when puppet is setting seluser stuff on a symlink it is calling chcon incorrectly.
```
root@puppetclient: /etc/munin/plugins# ls -la /etc/munin/plugins/swap
lrwxrwxrwx 1 root root 32 Oct 14 10:34 /etc/munin/plugins/netstat -> /usr/share/munin/plugins/swap
```
From what I can see from a debug output, puppet is claiming seluser is setting the roles yet it’s not actually doing anything.
```
debug: /File[/etc/munin/plugins/swap]/seluser: Executing 'stat -c %C /etc/munin/plugins/swap'
debug: /File[/etc/munin/plugins/swap]/selrole: Executing 'stat -c %C /etc/munin/plugins/swap'
debug: /File[/etc/munin/plugins/swap]/seltype: Executing 'stat -c %C /etc/munin/plugins/swap'
debug: /File[/etc/munin/plugins/swap]: Changing seluser
debug: /File[/etc/munin/plugins/swap]: 1 change(s)
debug: Running chcon -u system_u /etc/munin/plugins/swap
notice: /File[/etc/munin/plugins/swap]/seluser: seluser changed 'user_u' to 'system_u'
info: /File[/etc/munin/plugins/swap]: Scheduling refresh of Service[munin-node]
```
Now it should be set to system_u; however:
```
root@puppetclient: /etc/munin/plugins# stat -c %C /etc/munin/plugins/swap
user_u:object_r:etc_t
```
It's still set to user. If you call chcon with the -h flag:
```
root@puppetclient: /etc/munin/plugins# chcon -h -u system_u /etc/munin/plugins/swap
root@puppetclient: /etc/munin/plugins# stat -c %C /etc/munin/plugins/swap
system_u:object_r:etc_t
```
It sets it correctly and puppet runs cleanly with no changes next run.
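Added example in Python, not code from the ticket or from Puppet itself: it models the fix agreed on above (pass `-h` to chcon when the path is a symlink, so the label lands on the link rather than on its target) and turns the symptom from the description (the same seluser change reported on every run) into a check over agent log output. Every function name and the two sample run logs are constructed for illustration; `relabel()` and `current_context()` shell out to chcon and stat and need an SELinux host, so the offline `demo()` only builds the command lines and diffs the logs.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical helper modelling the bug in this ticket: chcon without -h
# follows a symlink and relabels the *target*, so the link's own context
# never changes and the agent reports the same change on every run.

def chcon_argv(path, seluser=None, selrole=None, seltype=None):
    """Build the chcon command for path, adding -h when path is a symlink so
    the label is applied to the link itself rather than to what it points at."""
    argv = ["chcon"]
    if os.path.islink(path):
        argv.append("-h")
    for flag, value in (("-u", seluser), ("-r", selrole), ("-t", seltype)):
        if value is not None:
            argv += [flag, value]
    argv.append(path)
    return argv

def current_context(path):
    """Read the context of path itself with `stat -c %C` (stat does not follow
    symlinks unless -L is given). Requires an SELinux-enabled host."""
    out = subprocess.run(["stat", "-c", "%C", path],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def relabel(path, **labels):
    """Apply the labels, then verify the user field actually stuck on disk.
    Requires SELinux and chcon; not exercised by the offline demo below."""
    subprocess.run(chcon_argv(path, **labels), check=True)
    ctx = current_context(path)
    user = ctx.split(":")[0]
    if labels.get("seluser") and user != labels["seluser"]:
        raise RuntimeError(f"{path}: seluser is {user}, expected {labels['seluser']}")
    return ctx

# "notice: <resource>/<param>: <param> changed 'old' to 'new'" as printed by puppetd.
CHANGE_RE = re.compile(
    r"notice: (?P<resource>/\S+?)/(?P<param>\w+): \w+ changed '(?P<old>[^']*)' to '(?P<new>[^']*)'")

def repeated_changes(run_logs):
    """Return the (resource, parameter) pairs that reported a change in every
    one of the given agent runs. A change that is reported again on the next
    run never stuck on disk, which is exactly the symptom in this ticket."""
    common = None
    for log in run_logs:
        changes = {(m.group("resource"), m.group("param"))
                   for m in CHANGE_RE.finditer(log)}
        common = changes if common is None else common & changes
    return common or set()

# Constructed sample output of two consecutive runs. The format follows the
# ticket's excerpts; the /etc/motd line is invented to show a change that sticks.
RUN1 = """notice: Starting catalog run
notice: /File[/etc/munin/plugins/swap]/seluser: seluser changed 'user_u' to 'system_u'
notice: /File[/etc/munin/plugins/if_eth0]/seluser: seluser changed 'user_u' to 'system_u'
notice: /File[/etc/motd]/content: content changed '{md5}aaaa' to '{md5}bbbb'
notice: Finished catalog run in 5.54 seconds
"""
RUN2 = """notice: Starting catalog run
notice: /File[/etc/munin/plugins/swap]/seluser: seluser changed 'user_u' to 'system_u'
notice: /File[/etc/munin/plugins/if_eth0]/seluser: seluser changed 'user_u' to 'system_u'
notice: Finished catalog run in 5.12 seconds
"""

def demo():
    """Offline demonstration: build argv for a regular file and for a symlink
    to it, and diff the two constructed runs. Returns (regular_argv, link_argv, stuck)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "swap")
        link = os.path.join(d, "swap_link")
        open(target, "w").close()
        os.symlink(target, link)
        regular = chcon_argv(target, seluser="system_u")
        linked = chcon_argv(link, seluser="system_u")
    return regular, linked, repeated_changes([RUN1, RUN2])

if __name__ == "__main__":
    regular, linked, stuck = demo()
    print(" ".join(regular))
    print(" ".join(linked))
    for resource, param in sorted(stuck):
        print(f"change never sticks: {resource} {param}")
```

On the two constructed runs the check flags both munin plugin symlinks and not /etc/motd; on a real agent the same pattern (identical notice lines across consecutive runs) is the quickest way to spot this class of bug without reading the debug output.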
Updated by Sean Millichamp over 3 years ago
- Status changed from Accepted to Ready For Checkin
Ah, okay, it wasn't clear to me that this was recurring on every run, and I didn't notice that all the files were symlinks. I also discovered this issue yesterday and already have the fix and updated tests for it ready; they just need to get pushed. I agree that chcon -h is the correct fix.
Thanks for reporting it.
commit 195f7f3902937c5a502c72988daca63d91e0ea0d now pushed to my 0.24.x/selinux-fixes branch at git://github.com/seanmil/puppet.git
I am also sending it to puppet-dev for review. Thanks again!
Updated by James Turnbull over 3 years ago
- Status changed from Ready For Checkin to Closed
Pushed in commit:d4df36126fa62406c2cbb7a55b18234032da156b and commit:dedf0cdce952e36bcdccfc88b1efc33d9f5eaddb in branch 0.24.x