The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #10236

/root/.k5login created with wrong selinux context.

Added by Steve Traylen over 2 years ago. Updated about 2 years ago.

Status: Needs More Information
Start date: 10/23/2011
Priority: Normal
Due date: 11/18/2011
Assignee: Nigel Kersten
% Done: 0%
Category: SELinux
Estimated time: 2.00 hours
Target version: -
Affected Puppet version: 2.6.6
Branch:
Keywords: k5login, kerberos, selinux

Description

Running puppet 2.6.6 with RHEL 6.1 using a configuration of

k5login {'/root/.k5login': principals  => 'me@CERN.CH'}

results in /root/.k5login with the following selinux context.

# ls -Z /root/.k5login 
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/.k5login

This is instead of the expected

# /sbin/restorecon /root/.k5login
# ls -Z /root/.k5login 
-rw-r--r--. root root system_u:object_r:krb5_home_t:s0 /root/.k5login

The consequence of the wrong selinux context is that the file is ignored on login with an AVC error.

A trivial look at the k5login type there looks to be nothing for selinux contexts. I have not tried outside of /root/ in a more normal home directory but I expect it will be the same.

Trivial workaround for now.

exec {'fix-k5login':
   command => '/sbin/restorecon /root/.k5login',
   refreshonly => true,
   subscribe => K5login['/root/.k5login'] 
}

History

#1 Updated by Kelsey Hightower over 2 years ago

  • Description updated (diff)
  • Due date set to 11/18/2011
  • Status changed from Unreviewed to Investigating
  • Assignee set to Kelsey Hightower
  • Estimated time set to 2.00

Thanks for reporting this issue. I wonder if Puppet is the right place to set the SELinux context, and if so, how best to go about it.

#2 Updated by Steve Traylen over 2 years ago

Hi, I think anything that creates a file has the responsibility to then correct the security context.

This is exactly what happens for instance with the puppet file type. In particular the selinux_ignore_defaults attribute to file. k5login needs to use the same mechanism basically.

Steve.

#3 Updated by James Turnbull over 2 years ago

Kelsey – this is exactly how the file type works. If we support it there etc… :)

#4 Updated by Kelsey Hightower over 2 years ago

James – should we look at supporting the se attributes on all types that create a file? If so, is there an easy way to do this outside of adding the se attributes to every resource type that needs them?

#5 Updated by James Turnbull over 2 years ago

Good question – I’m not sure how best to solve this. I think it’s two issues though:

  1. Types/providers should be aware/care about SELinux
  2. Types/providers should specifically allow the setting of SELinux state.

#6 Updated by Kelsey Hightower over 2 years ago

  • Assignee deleted (Kelsey Hightower)

Looks like there needs to be some design decisions on this ticket.

#7 Updated by James Turnbull over 2 years ago

  • Status changed from Investigating to Needs Decision
  • Assignee set to Nigel Kersten

#8 Updated by Nigel Kersten over 2 years ago

Steve Traylen wrote:

Hi, I think anything that creates a file has the responsibility to then correct the security context.

Is it feasible for us to modify the file type to programmatically detect if we’re in an SELinux environment, and restore the correct context without user input?

Are there negative implications here? Would doing this automatically break any existing behaviors?

#9 Updated by Nigel Kersten about 2 years ago

  • Status changed from Needs Decision to Needs More Information
  • Assignee changed from Nigel Kersten to Steve Traylen

#10 Updated by Steve Traylen about 2 years ago

Hi,

I think it was said before, copy whatever the file type does. This seems to handle selinux absolutely perfectly. A quick look at lib/puppet/type/file/selcontext.rb: it looks to check if there is any selinux context on the file and, if there is, correct it to what it should be from the policy database.
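
As an added example that is not code from this report or from Puppet itself: the Ruby below models the check comment #10 describes in lib/puppet/type/file/selcontext.rb (compare the file's current context with the policy default and report what drifted), run over ls -Z output in the form shown in the description. The policy table, the /home/alice path and the function names are assumptions made for the example.

```ruby
# Added example (not Puppet's own code): models the comparison that
# lib/puppet/type/file/selcontext.rb performs, checking a file's current
# SELinux context against the policy default (what matchpathcon/restorecon
# would apply) and reporting which components drifted. The policy table and
# the ls -Z lines below are constructed stand-ins so the script runs offline.

Context = Struct.new(:user, :role, :type, :range) do
  # "user:role:type:range" -> Context; the MLS range may itself contain ':'
  def self.parse(str)
    parts = str.split(':', 4)
    raise ArgumentError, "malformed context: #{str.inspect}" unless parts.size == 4
    new(*parts)
  end
end

# Constructed stand-in for the file_contexts policy lookup (matchpathcon).
POLICY_DEFAULTS = {
  '/root/.k5login'       => 'system_u:object_r:krb5_home_t:s0',
  '/home/alice/.k5login' => 'system_u:object_r:krb5_home_t:s0',
}.freeze

# Component names that differ; [] when the context already matches policy.
def context_drift(current, expected)
  cur, exp = Context.parse(current), Context.parse(expected)
  Context.members.reject { |m| cur[m] == exp[m] }
end

# Parses `ls -Z` lines of the form shown in the report
# (perms owner group context path) and returns { path => drifted components }
# for every file whose context differs from the policy default. With
# ignore_defaults (the file type's selinux_ignore_defaults attribute) the
# policy lookup is skipped entirely, so nothing is reported.
def audit_ls_z(lines, ignore_defaults: false)
  return {} if ignore_defaults
  lines.each_with_object({}) do |line, drift|
    _perms, _owner, _group, ctx, path = line.strip.split(/\s+/, 5)
    next if path.nil? || ctx == '?'          # '?' means no context readable
    expected = POLICY_DEFAULTS[path] or next # no policy entry: nothing to restore
    diff = context_drift(ctx, expected)
    drift[path] = diff unless diff.empty?
  end
end

# Constructed sample: root's file as the 2.6.6 k5login type left it, alice's OK.
SAMPLE_LS_Z = [
  '-rw-r--r--. root  root  unconfined_u:object_r:admin_home_t:s0 /root/.k5login',
  '-rw-r--r--. alice alice system_u:object_r:krb5_home_t:s0 /home/alice/.k5login',
].freeze

audit_ls_z(SAMPLE_LS_Z).each { |p, parts| puts "#{p}: drifted in #{parts.join(', ')}; run restorecon" }
```

A real implementation would replace POLICY_DEFAULTS with a matchpathcon lookup and apply the fix with lsetfilecon, which is the mechanism the file type already wraps.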

#11 Updated by Steve Traylen about 2 years ago

  • Assignee changed from Steve Traylen to Nigel Kersten
