(PUP-7559) Pass correct mode when lookup SELinux default context #8570
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
These are new failures due to Facter 4.1 and should be fixed in #8567. |
Originally when the file did not exist we simply passed the mode as zero causing the file type bits not to be set which means matchpatchcon(3) won't lookup the type based on the correct type. This changes so that we set the file type bits in the mode_t passed down to the SELinux libraries based on the resource ensure set to present, file, directory or link on the File resource. This fixes [1] and can be observed for SELinux file contexts that modifies files in top directory but only for symlinks for example this [2] httpd file context change. The patch is backward compatible and does not break the API for the methods in the Puppet::Util::SELinux module. [1] https://tickets.puppetlabs.com/browse/PUP-7559 [2] fedora-selinux/selinux-policy-contrib@43318bf
Puppet uses symbols to represent the desired ensure parameter, so just use that. Also eliminated the `when` block for `absent`.
joshcooper
force-pushed
the
selinux_7559
branch
from
0f8b214
to
f62b162
Compare
|
Thanks @joshcooper - much cleaner with symbols as well. Does the retargeting mean this will only get into 6.x or into 7.x as well? |
|
@tobias-urdin ah sorry, I should have mentioned, we automatically merge from 6.x to main (7.x) so this will be released in both streams. |
|
jenkins please test this on redhat8-64a |
GabrielNagy
approved these changes
Apr 22, 2021
There was a problem hiding this comment.
Looks good! Tested this on a VM with selinux enabled and confirmed applying the original manifest from the ticket is idempotent with this fix.
Thanks again @tobias-urdin and sorry for the long turnaround on this.
|
Thanks for the help guys! Nice to have a 4 year old bug out of the way 🎉 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See #8537 for details. This supersedes that PR and targets 6.x.
Note
puppet/lib/puppet/util/filetype.rb
Line 131 in 67ad21b