Bug #1852
unexpected behaviour with selinux file options when ruby bindings are missing
| Status: | Closed | Start date: | 01/07/2009 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | file | | |
| Target version: | 0.24.8 | | |
| Affected Puppet version: | 0.24.7 | Branch: | |
| Keywords: | selinux ruby binding | | |
| Votes: | 0 | | |
Description
It seems that if selinux ruby bindings are not available, the selinux parameters to the file type appear to work anyway, but in fact do not. In the following example we can see puppet trying to modify seluser and selrole (which is not necessary in this case) and failing to modify seltype, but without raising an error.
[root@kissrv20 ~]# ls -Z /tmp/test
-rw-rw-r--  root adm root:object_r:tmp_t /tmp/test
[root@kissrv20 ~]# puppet /tmp/test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[root@kissrv20 ~]# ls -Z /tmp/test
-rw-rw-r--  root adm root:object_r:tmp_t /tmp/test
In short: 0.24.6, slow but works out of the box on any system with selinux. 0.24.7, works only if libselinux-ruby is installed (currently only available on latest fedora), unexpected behaviour if not.
Maybe it would be an idea to fallback to using the slow method from 0.24.6 in case the ruby bindings aren’t available ?
Or else puppet should fail or warn the user that selinux parameters are not supported without selinux bindings installed ?
History
Updated by Luke Kanies about 3 years ago
- Status changed from Unreviewed to Accepted
I think the right action is to just warn that SELinux support isn’t available without the ruby bindings.
Updated by Tom Payne about 3 years ago
luke wrote:
I think the right action is to just warn that SELinux support isn’t available without the ruby bindings.
Please do this. I’ve just been really badly bitten by this.
Silently failing is just about the worst thing you can do. In my case the sequence of events was:
* upgrade to puppet 0.24.7
* watch in horror as every puppetd run now rebuilds everything
* spend several hours debugging, finally working out that SELinux support was completely broken
puppetd rebuilds everything every time it is run because it thinks that the SELinux context on every file is wrong and so it tries to set it. This fails completely because neither the detection nor the change works. However, puppetd does think that the file has changed so it triggers a refresh of every dependency. If you’ve set the SELinux contexts on your daemon config files then suddenly every daemon is refreshed every time. Yikes!
Now I have to find out if ruby-selinux is even available for my distribution (CentOS)…
Cheers, Tom
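The failure mode the report and Tom's comment describe (no bindings, so the current context reads as nothing, every run looks out of sync, the "set" has no effect, and a change is still reported, refreshing every dependent resource), next to the "declare in-sync and warn" fix the thread converges on, as an added Ruby illustration. This is not Puppet's code: the class and method names are hypothetical and the Hash stands in for a working binding; only the `require 'selinux'` / `rescue LoadError` probe is the ordinary Ruby way to detect an optional extension.

```ruby
# Added illustration, not Puppet's code. Shows why a resource property that
# relies on an optional native library must detect that library's absence
# instead of pretending to work, and the "declare in-sync and warn" fix that
# this ticket settled on. Class and method names here are hypothetical.

# Standard Ruby probe for an optional extension: try to load it.
# On a host without libselinux-ruby this rescues LoadError and returns false.
def selinux_bindings_available?
  require 'selinux'
  true
rescue LoadError
  false
end

# Minimal stand-in for one SELinux context property on a file resource.
# `backend` is a Hash acting as a working binding (context fields it can
# read and write) or nil, representing missing bindings.
class SelContextProperty
  attr_reader :name, :should, :messages

  def initialize(name, should, backend)
    @name = name        # e.g. 'seltype'
    @should = should    # desired value, e.g. 'mysql_etc_t'
    @backend = backend
    @messages = []      # log lines this property would emit
  end

  # Read the current value; with no bindings there is nothing to read.
  def retrieve
    @backend ? @backend[name] : nil
  end

  # Write the desired value; with no bindings this silently does nothing.
  def set(value)
    @backend[name] = value if @backend
  end

  # One agent run for this property. Returns true if a change was reported,
  # which is what triggers notify/subscribe refreshes downstream.
  def sync
    return false if insync?(retrieve)
    set(should)
    @messages << "notice: #{name}: defined '#{name}' as '#{should}'"
    true
  end
end

# Behaviour reported in the ticket: no guard on the bindings. retrieve
# yields nil, nil never equals `should`, set is a no-op, and yet a change is
# reported on every single run.
class BrokenSelContextProperty < SelContextProperty
  def insync?(current)
    current == should
  end
end

# The fix: with no bindings the property declares itself in sync and says so,
# so no change is reported and no dependent resources are refreshed.
class FixedSelContextProperty < SelContextProperty
  def insync?(current)
    unless @backend
      @messages << "debug: #{name}: SELinux bindings not found. Ignoring parameter."
      return true
    end
    current == should
  end
end

# Simulate two consecutive agent runs; a correct implementation converges,
# i.e. reports at most one change and then none.
def changes_over_two_runs(klass, backend)
  prop = klass.new('seltype', 'mysql_etc_t', backend)
  [prop.sync, prop.sync].count(true)
end

if __FILE__ == $0
  puts "bindings loadable here: #{selinux_bindings_available?}"
  puts "broken, no bindings:  #{changes_over_two_runs(BrokenSelContextProperty, nil)} changes"
  puts "fixed,  no bindings:  #{changes_over_two_runs(FixedSelContextProperty, nil)} changes"
  puts "fixed,  working:      #{changes_over_two_runs(FixedSelContextProperty, 'seltype' => 'tmp_t')} changes"
end
```

The broken variant reports two changes over two runs with nothing actually written, which is exactly the "rebuilds everything every run" symptom; the fixed variant reports none without bindings and converges after one change with them. The warning goes out at debug level here to match the logging patch later in this thread; a deployment that wants the condition to be visible on every run would log it at warning level instead.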
Updated by Todd Zullinger about 3 years ago
Dan Walsh told me he would work on getting libselinux-ruby into RHEL, but it won’t likely happen until 5.4[1]. The RFE tracking bug I filed as his request is:
https://bugzilla.redhat.com/show_bug.cgi?id=479201
[1] RHEL 5.4 is a good 6 months or so away
Updated by Luke Kanies about 3 years ago
- Priority changed from Normal to High
Updated by James Turnbull about 3 years ago
Can you please try the attached patch.
Thanks
Updated by James Turnbull about 3 years ago
Can you also confirm that your host def. does not have the bindings installed and SELinux actions still occur?
Updated by James Turnbull about 3 years ago
Also can you confirm you have a clean 0.24.7 upgrade/install and no old Puppet files are hanging around?
Updated by Tom Payne about 3 years ago
I’ve created a minimal set of SELinux bindings that can be used as an interim measure. They are sufficient to support all of puppet’s current SELinux operations.
http://github.com/twpayne/libselinux-ruby-puppet
Regards, Tom
Updated by Todd Zullinger about 3 years ago
James,
On a CentOS 5.2 box with the EPEL provided packages, no libselinux-ruby installed, and SELinux in enforcing mode:
# rpm -V puppet puppet-server
S.5....T  c /etc/puppet/puppet.conf
S.5....T    /usr/lib/ruby/site_ruby/1.8/puppet/provider/selboolean/getsetsebool.rb
S.5....T    /usr/lib/ruby/site_ruby/1.8/puppet/provider/selmodule/semodule.rb
S.5....T    /usr/lib/ruby/site_ruby/1.8/puppet/util/selinux.rb
.M......    /var/log/puppet
.M......    /var/run/puppet
S.5....T  c /etc/puppet/fileserver.conf
# puppetd --test --debug
...
debug: //Node[default]/centos/packages/File[/etc/cron.monthly]: Changing seluser
debug: //Node[default]/centos/packages/File[/etc/cron.monthly]: 1 change(s)
notice: //Node[default]/centos/packages/File[/etc/cron.monthly]/seluser: defined 'seluser' as 'system_u'
debug: //Node[default]/centos/packages/File[/etc/cron.weekly]: Changing seluser
debug: //Node[default]/centos/packages/File[/etc/cron.weekly]: 1 change(s)
notice: //Node[default]/centos/packages/File[/etc/cron.weekly]/seluser: defined 'seluser' as 'system_u'
debug: //Node[default]/centos/packages/File[/etc/cron.hourly]: Changing seluser
debug: //Node[default]/centos/packages/File[/etc/cron.hourly]: 1 change(s)
notice: //Node[default]/centos/packages/File[/etc/cron.hourly]/seluser: defined 'seluser' as 'system_u'
debug: //Node[default]/centos/packages/File[/etc/cron.daily]: Changing seluser
debug: //Node[default]/centos/packages/File[/etc/cron.daily]: 1 change(s)
notice: //Node[default]/centos/packages/File[/etc/cron.daily]/seluser: defined 'seluser' as 'system_u'
...
debug: Finishing transaction 23456254677360 with 4 changes
(And yeah, I remembered to restart the puppetmaster after applying the patches this time. ;)
Updated by Sean Millichamp about 3 years ago
Try this attached patch, it implements Luke’s suggestion from puppet-dev and seems to work for me.
Updated by Todd Zullinger about 3 years ago
I tested the patch Sean posted here and it does seem to do the right thing, both on hosts with and without the ruby libselinux bindings (Fedora 10 and CentOS 5, respectively). Thanks Sean, Luke, James, etc. :)
Updated by Marc Fournier about 3 years ago
Folks,
I’ve just tested both patches on a clean redhat 5.3 with puppet installed from the EPEL repository:
[root@kissrv20 tmp]# rpm -qa puppet
puppet-0.24.7-4.el5
[root@kissrv20 tmp]# rpm -V puppet
[root@kissrv20 tmp]#
No selinux bindings installed:
[root@kissrv20 tmp]# irb
irb(main):001:0> require 'selinux'
LoadError: no such file to load -- selinux
from (irb):1:in `require'
from (irb):1
Before any patch was applied, I was able to reproduce the same problem as described a few days ago:
[root@kissrv20 tmp]# selinuxenabled && echo $?
0
[root@kissrv20 tmp]# ls -Z test
-rw-rw-r--  root adm root:object_r:tmp_t test
[root@kissrv20 tmp]# puppet test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[root@kissrv20 tmp]# ls -Z test
-rw-rw-r--  root adm root:object_r:tmp_t test
With James’s patch, the problem apparently remains:
[root@kissrv20 tmp]# cat Fixed-1852-SELinux-called-even-when-support-disab.diff | patch -p2 -d /usr/lib/ruby/site_ruby/1.8/
patching file puppet/provider/selboolean/getsetsebool.rb
patching file puppet/provider/selmodule/semodule.rb
patching file puppet/util/selinux.rb
[root@kissrv20 tmp]# puppet test.pp
notice: //File[/tmp/test]/seluser: defined 'seluser' as 'root'
notice: //File[/tmp/test]/selrole: defined 'selrole' as 'object_r'
notice: //File[/tmp/test]/seltype: defined 'seltype' as 'mysql_etc_t'
[root@kissrv20 tmp]#
[root@kissrv20 tmp]# cat Fixed-1852-SELinux-called-even-when-support-disab.diff | patch -p2 -R -d /usr/lib/ruby/site_ruby/1.8/
patching file puppet/provider/selboolean/getsetsebool.rb
patching file puppet/provider/selmodule/semodule.rb
patching file puppet/util/selinux.rb
Sean’s patch seems to work better. I would vote for inclusion of this one:
[root@kissrv20 tmp]# cat 0001-Fixes-1852-Uses-Luke-s-suggestion-to-no-op-insync.patch | patch -p2 -d /usr/lib/ruby/site_ruby/1.8/
patching file puppet/type/file/selcontext.rb
can't find file to patch at input line 33
[...]
Skipping patch.
1 out of 1 hunk ignored
[root@kissrv20 tmp]# puppet test.pp
[root@kissrv20 tmp]#
I’m attaching another patch to be applied over Sean’s one. It just outputs a warning when the user passes the --debug parameter:
[root@kissrv20 tmp]# puppet --debug test.pp
debug: Creating default schedules
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Finishing transaction 23891525059740 with 0 changes
debug: //File[/tmp/test]/seluser: SELinux bindings not found. Ignoring parameter.
debug: //File[/tmp/test]/selrole: SELinux bindings not found. Ignoring parameter.
debug: //File[/tmp/test]/seltype: SELinux bindings not found. Ignoring parameter.
debug: Finishing transaction 23891525875720 with 0 changes
If you believe it’s not appropriate, just drop it. Sean’s patch is sufficient to fix this issue.
Thanks to all of you, especially to Tom for his handy implementation of working selinux bindings ! I’ll try them out ASAP and keep you informed.
Updated by Peter Meier about 3 years ago
If you believe it’s not appropriate, just drop it. Sean’s patch is sufficient to fix this issue.
I think your patch would be fine as well. Thanks to all for testing and working on this issue!
Updated by Luke Kanies about 3 years ago
- Status changed from Accepted to Tests Insufficient
I agree, the logging patch is good, and it looks like we’re about ready to go here. Tests?
Updated by Sean Millichamp about 3 years ago
I had one new test in my patch – was it overlooked or was it insufficient and I need to add additional tests?
Updated by James Turnbull about 3 years ago
- Status changed from Tests Insufficient to Closed
- Target version set to 0.24.8
Pushed in commit:b27fccd4345d80ff826cfbdad1d409d712923e4b in branch 0.24.x