Feature #1155

PATCH: SELinux enhancements.

Added by Brett Lentz about 6 years ago. Updated over 2 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Luke Kanies
% Done: 0%
Category: newfeature
Target version: 0.25.0
Affected Puppet version: 0.24.4
Branch:
Keywords: selinux

Description

I’d like to get the SELinux enhancements located in this git repo upstreamed. As SELinux becomes more ubiquitous, having support for managing it makes server administration significantly easier.

This set of patches, plus some explanation is located here: http://spook.wpi.edu/

You can check out the full repository here: git clone http://spook.wpi.edu/git/projects/puppet/.git

puppet-selinux.diff (11.7 KB) Frank Sweetser, 04/02/2008 01:55 pm

puppet_selinux_tests.diff (1.43 KB) Brett Lentz, 05/08/2008 10:47 pm

History

#1 Updated by Luke Kanies almost 6 years ago

  • Status changed from Closed to 4
  • 7 deleted (wontfix)

Looks like Wakko666 is going to add tests.

#2 Updated by Frank Sweetser about 6 years ago

For convenience, here’s a copy of the current version of the patch.

#3 Updated by Luke Kanies almost 6 years ago

Okay, given that lutter has said that this patch is a good idea to add to core, I’ve looked into it more deeply.

There are a couple of problems:

  • The only test you’ve provided is in test/unit, rather than rspec. See WritingTests for help on how to write rspec tests.
  • You still don’t have complete tests. I’d like to see tests for every class you’ve provided. See any recent development in the master branch for examples, or the recent development in the Facter master branch.
  • All of your tests must pass even when there are no selinux binaries available. The reason that test is failing for me is I’m running it on an OS X box.

In terms of making all of the tests pass, you should be able to stub the provider as suitable. See the recently-committed tests for the ldap providers.

Also, it would be much easier to review your code if you pushed it to a public git repo. You can just fork the ‘selinux_patches’ branch in my Puppet github repo.
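An added illustration of the stubbing Luke asks for in #3 and #7 (example code, not from the patch, the Puppet code base or anyone in this thread): a stand-alone sketch in plain Ruby rather than Puppet's real Type/Provider API. The class names SetseboolProvider, FakeSeboolProvider and Selboolean and their methods are assumed here; getsebool/setsebool and the -P flag for persistent changes are the real SELinux tools the patch's provider drives.

```ruby
require 'open3'

# Drives the real SELinux tools, as the patch's selboolean provider shells out to
# getsebool/setsebool. It is only suitable when the binaries are on PATH, so it
# can never be picked as the default on a box without SELinux (Luke's OS X case).
class SetseboolProvider
  COMMANDS = %w[getsebool setsebool].freeze
  # Same check Puppet's `commands` helper makes: every binary must be executable on PATH.
  def self.suitable?(path = ENV['PATH'].to_s)
    dirs = path.split(File::PATH_SEPARATOR)
    COMMANDS.all? { |cmd| dirs.any? { |d| File.executable?(File.join(d, cmd)) } }
  end
  def get(name) # getsebool prints "name --> on|off"; return only the state
    out, status = Open3.capture2('getsebool', name)
    raise "getsebool #{name} failed" unless status.success?
    out.split('-->').last.strip
  end
  def set(name, state, persistent: false) # -P is the patch's :persistent attribute
    argv = ['setsebool', (persistent ? '-P' : nil), name, state].compact
    _out, status = Open3.capture2(*argv)
    raise "#{argv.join(' ')} failed" unless status.success?
    state
  end
end

# In-memory double with the same interface (assumed name), injected in tests so
# the type's logic can be exercised on a machine with no SELinux binaries at all.
class FakeSeboolProvider
  attr_reader :calls
  def initialize(state = {}); @state, @calls = state.dup, []; end
  def get(name); @state.fetch(name, 'off'); end
  def set(name, state, persistent: false); @calls << [name, state, persistent]; @state[name] = state; end
end

# Stand-in for the selboolean type: picks a provider, validates input, and only
# issues a change when the boolean is out of sync.
class Selboolean
  attr_reader :name, :provider
  def initialize(name, provider: nil)
    raise "no suitable provider for selboolean" unless provider || SetseboolProvider.suitable?
    @name, @provider = name, provider || SetseboolProvider.new
  end
  def value; provider.get(name); end
  def sync(want, persistent: false) # returns true only when a change was made
    raise ArgumentError, "value must be on or off" unless %w[on off].include?(want)
    return false if value == want
    provider.set(name, want, persistent: persistent)
    true
  end
end
```

Because the fake is injected explicitly, the same spec runs unchanged on a host with the real binaries and on one without them.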

#4 Updated by David Lutterkort almost 6 years ago

I disagree that it will rarely be used – I have a request from the Fedora Infrastructure guys to carry this patch in the RPMs until they are merged upstream. I’d feel much more comfortable if it is merged, though ;)

Good SELinux support is pretty important on any Fedora/RHEL/CentOS distribution.

#5 Updated by Brett Lentz almost 6 years ago

I’ve added a first attempt at some tests. I’d appreciate any additional feedback on how to improve the tests.

#6 Updated by Brett Lentz almost 6 years ago

There are new rspec tests in the git repo at http://spook.wpi.edu/git/projects/puppet/.git

Currently the tests are for the new types. I’m still working on tests for the providers.

#7 Updated by Luke Kanies about 6 years ago

I can’t accept this patch until the types and providers have tests. You should be able to follow the examples of recent rspec tests to create the tests you need.

Even then, I’d lean towards this being a separate module, but there’s no great way to share them right now.

#8 Updated by Luke Kanies almost 6 years ago

  • Status changed from 1 to Closed
  • 7 set to wontfix

Ok, I added these patches to the ‘selinux_patches’ branch in my personal repo on github. This is what I got when I ran the test:

Loaded suite ./other/selinux
Started
..E
Finished in 0.415804 seconds.

  1) Error:
test_semodule(TestSELinux):
Puppet::DevError: Could not find a default provider for selmodule
    /Users/luke/git/puppet/lib/puppet/metatype/providers.rb:39:in `defaultprovider'
    /Users/luke/git/puppet/lib/puppet/metatype/providers.rb:182:in `default'
    /Users/luke/git/puppet/lib/puppet/metatype/attributes.rb:631:in `setdefaults'
    /Users/luke/git/puppet/lib/puppet/metatype/attributes.rb:120:in `eachattr'
    /Users/luke/git/puppet/lib/puppet/metatype/attributes.rb:115:in `each'
    /Users/luke/git/puppet/lib/puppet/metatype/attributes.rb:115:in `eachattr'
    /Users/luke/git/puppet/lib/puppet/metatype/attributes.rb:621:in `setdefaults'
    /Users/luke/git/puppet/lib/puppet/type.rb:247:in `initialize'
    /Users/luke/git/puppet/lib/puppet/metatype/instances.rb:151:in `new'
    /Users/luke/git/puppet/lib/puppet/metatype/instances.rb:151:in `create'
    ./other/selinux.rb:56:in `test_semodule'
    /Users/luke/git/puppet/lib/../vendor/gems/mocha-0.5.6/lib/mocha/test_case_adapter.rb:19:in `__send__'
    /Users/luke/git/puppet/lib/../vendor/gems/mocha-0.5.6/lib/mocha/test_case_adapter.rb:19:in `run'

3 tests, 6 assertions, 0 failures, 1 errors

Really, though, I think this makes more sense as a publicly available module; you can always monkey-patch the ‘file’ type, even though that’s a touch ugly.

This is going to be used so rarely by the whole community it doesn’t make sense to add to core, and there’s no way I can add it with this few tests.

#9 Updated by James Turnbull about 6 years ago

Up to you Luke…

#10 Updated by Redmine Admin almost 6 years ago

  • Status changed from 4 to Accepted

#11 Updated by Luke Kanies almost 6 years ago

  • Assignee changed from Puppet Community to Luke Kanies
  • Target version set to 0.24.5
  • Affected Puppet version set to 0.24.4

I’m going to see if this is functional for integration into 0.24.5.

#12 Updated by Kostas Georgiou almost 6 years ago

Does it make sense to run chcon with -h (--no-dereference) by default? I assume that people will want to manage the context of the link itself instead of where it points to normally.

#13 Updated by Luke Kanies almost 6 years ago

I’ve no idea; someone else will have to answer that one.

#14 Updated by Brett Lentz almost 6 years ago

  • Patch deleted (Insufficient)

georgiou’s request makes a certain amount of sense, but I see this as something that can go in after the patch is merged.

#15 Updated by Brett Lentz almost 6 years ago

  • Patch set to Insufficient

Whoops. Didn’t mean to delete the patch toggle.

#16 Updated by Luke Kanies almost 6 years ago

  • Assignee deleted (Luke Kanies)

This code is against master. If you want it released in 0.24.5, you’ll have to reapply your fixes against the 0.24.x branch.

I know this is confusing; our next major release will switch the master branch to being the stable branch. In the meantime, all stable development has to happen against 0.24.x.

Also, you should add yourself to this project, so I can assign tickets to you. :)

#17 Updated by Luke Kanies almost 6 years ago

  • Target version changed from 0.24.5 to 0.25.0

Bumping this unless it gets redone against 0.24.x.

#18 Updated by Brett Lentz almost 6 years ago

Created my own git repo over at github. I’ve pushed a repo up there that’s based on 0.24.4, and committed the patch.

Please pull from git://github.com/wakko666/puppet-selinux.git

I looked around and couldn’t find where to add myself to the project.

#19 Updated by James Turnbull almost 6 years ago

  • Status changed from Accepted to Needs More Information
  • Assignee set to Brett Lentz
  • 3 changed from Unknown to Easy
  • Keywords set to selinux

Hi – the branch contains lib/puppet/type/file.rb.orig – suspect you need to update it a little.

#20 Updated by Brett Lentz almost 6 years ago

  • Assignee changed from Brett Lentz to James Turnbull

Cleaned up the repo. Please try pulling again.

#21 Updated by James Turnbull almost 6 years ago

  • Status changed from Needs More Information to Closed

Pushed in commit:f16da4250c16aeab932a81a349df059c69d7ee23 in branch 0.24.x

#22 Updated by James Turnbull almost 6 years ago

  • Status changed from Closed to Unreviewed
  • Assignee changed from James Turnbull to Brett Lentz

Spoke too soon – test failures:

1)
Puppet::Error in 'File when manipulating file contexts should use :selrole to get/set an SELinux role file context attribute'
File[/tmp/foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:10:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

2)
Puppet::Error in 'File when manipulating file contexts should use :seltype to get/set an SELinux user file context attribute'
File[/tmp/foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:10:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

3)
Puppet::Error in 'Puppet::Type::Selboolean when manipulating booleans should be able to access :value'
Selboolean[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:30:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

4)
Puppet::Error in 'Puppet::Type::Selboolean when manipulating booleans should set :value to off'
Selboolean[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:30:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

5)
Puppet::Error in 'Puppet::Type::Selboolean when manipulating booleans should be able to access :persistent'
Selboolean[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:30:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

6)
Puppet::Error in 'Puppet::Type::Selboolean when manipulating booleans should set :persistent to false'
Selboolean[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:30:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

7)
Puppet::Error in 'Puppet::Type::Selmodule when checking policy modules should be able to access :selmoduledir'
Selmodule[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:56:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

8)
Puppet::Error in 'Puppet::Type::Selmodule when checking policy modules should be able to access :selmodulepath'
Selmodule[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:56:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

9)
Puppet::Error in 'Puppet::Type::Selmodule when checking policy modules should be able to access :syncversion'
Selmodule[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:56:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

10)
Puppet::Error in 'Puppet::Type::Selmodule when checking policy modules should set the syncversion value to false'
Selmodule[foo] is already being managed
/home/james/src/puppet/lib/puppet/metatype/instances.rb:143:in `create'
./spec/unit/other/selinux.rb:56:
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:19:in `run'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `each'
/home/james/src/puppet/spec/monkey_patches/add_confine_and_runnable_to_rspec_dsl.rb:17:in `run'

#23 Updated by James Turnbull almost 6 years ago

  • Status changed from Unreviewed to Needs More Information

#24 Updated by James Turnbull almost 6 years ago

Reverted in commit:686ba4d4c21f6f1e073bd845492f2fe3cb4837a2 in branch 0.24.x until fixed.

#25 Updated by Brett Lentz almost 6 years ago

  • Assignee changed from Brett Lentz to James Turnbull

Fixed all of the tests. Please pull again.

#26 Updated by James Turnbull almost 6 years ago

  • Assignee changed from James Turnbull to Brett Lentz

Okay – what difference does this make:

http://marc.info/?l=selinux&m=121570381304982&w=2

#27 Updated by Brett Lentz almost 6 years ago

  • Assignee changed from Brett Lentz to James Turnbull

Currently? Makes no difference at all. It should not impede this patch, as getting working selinux support soon is important to several people.

For the future it means we’ll be able to migrate from using the selinux command-line utilities to using the selinux/semanage libraries directly, which is a win for a variety of reasons.

You’ll note that Dan mentions in his post that he’s not a ruby guy. Depending on how long it takes for those bindings to stabilize, I’d rather have working selinux support now with a migration path rather than no selinux support for the next several months.

#28 Updated by James Turnbull almost 6 years ago

  • Assignee changed from James Turnbull to Brett Lentz

My point was more that since this isn’t going to make 0.24.5 – which is being released today – we have two choices:

  1. Merge into 0.25.x HEAD
  2. Re-write using the new bindings (if possible) and then merge into 0.25.x HEAD

Obviously you can apply your current patch against the 0.24.x HEAD to get the required functionality now and build a custom package downstream.

Please let me know.

#29 Updated by Brett Lentz almost 6 years ago

Let’s merge the existing patch into 0.25.x HEAD. I’ll set up a repo against HEAD for you to pull from.

#30 Updated by Brett Lentz almost 6 years ago

  • Assignee changed from Brett Lentz to James Turnbull

Ok. I’ve pushed a master branch into the git repo at git://github.com/wakko666/puppet-selinux.git that’s based on HEAD.

Please pull the master branch.

#31 Updated by James Turnbull almost 6 years ago

  • Status changed from Needs More Information to Ready For Checkin
  • Assignee changed from James Turnbull to Luke Kanies

#32 Updated by James Turnbull over 5 years ago

Pushed in my repo in commit:f837d66f0b7804339f9a4508e9a3486024774881 in branch master.

#33 Updated by James Turnbull over 5 years ago

Ping – can you pull this please Luke.

#34 Updated by Luke Kanies over 5 years ago

  • Status changed from Ready For Checkin to Closed

Merged.