@eciii eciii commented Oct 20, 2025

The default values of the SELinux-related properties of a file resource are calculated at the beginning of the catalog application phase, before the catalog resources are actually synchronized. However, by the time the file resource is synchronized, these default values might be outdated due to new policy rules being added in previous parts of the catalog.

This behavior can be easily reproduced in Rocky Linux 9 and probably other RHEL-like distros (maybe even Fedora):

$ git checkout main
[...]

$ bundle exec puppet apply -e "package { 'grafana': ensure => present } file { '/var/lib/grafana/test': ensure => file }"
Notice: Compiled catalog for packer-base-rocky9.afdata.local in environment production in 0.37 seconds
Notice: /Stage[main]/Main/Package[grafana]/ensure: created
Notice: /Stage[main]/Main/File[/var/lib/grafana/test]/ensure: created
Notice: Applied catalog in 27.52 seconds

$ ls -lhAZ /var/lib/grafana/
total 0
-rw-r-----. 1 grafana grafana system_u:object_r:grafana_var_lib_t:s0  0 Oct 16 16:55 grafana.db
drwxr-xr-x. 2 grafana grafana system_u:object_r:grafana_var_lib_t:s0 40 Oct 20 14:47 plugins
-rw-r--r--. 1 root    root    system_u:object_r:var_lib_t:s0          0 Oct 20 14:47 test

The test file is created with the wrong SELinux context because:

  • The default value of the seltype property is calculated before the grafana package is installed.
  • The grafana package is then installed, pulling in the grafana-selinux package, which in turn creates the grafana_var_lib_t type.
  • The test file is created using an outdated SELinux type.

This PR fixes the described behavior:

$ rm -f /var/lib/grafana/test && dnf remove -y grafana
[...]

$ git checkout fix
[...]

$ bundle exec puppet apply -e "package { 'grafana': ensure => present } file { '/var/lib/grafana/test': ensure => file }"
Notice: Compiled catalog for packer-base-rocky9.afdata.local in environment production in 0.38 seconds
Notice: /Stage[main]/Main/Package[grafana]/ensure: created
Notice: /Stage[main]/Main/File[/var/lib/grafana/test]/ensure: created
Notice: Applied catalog in 28.41 seconds

$ ls -lhAZ /var/lib/grafana/
total 0
-rw-r-----. 1 grafana grafana system_u:object_r:grafana_var_lib_t:s0  0 Oct 16 16:55 grafana.db
drwxr-xr-x. 2 grafana grafana system_u:object_r:grafana_var_lib_t:s0 40 Oct 20 14:49 plugins
-rw-r--r--. 1 root    root    system_u:object_r:grafana_var_lib_t:s0  0 Oct 20 14:49 test

This PR also adjusts the corresponding unit tests accordingly. As far as I can tell, all the relevant tests pass:

$ SPEC=spec/unit/type/file/selinux_spec.rb bundle exec rake spec
rspec spec/unit/type/file/selinux_spec.rb
Run options: exclude {benchmark: true}
....................................

Finished in 0.37257 seconds (files took 0.93635 seconds to load)
36 examples, 0 failures

More details about the actual changes can be found in the commit description.

The default values of the SELinux-related properties of a file resource
are calculated at the beginning of the catalog application phase, before
the catalog resources are actually synchronized. However, by the time
the file resource is synchronized, its default value might be outdated
due to new policy rules added in previous parts of the catalog (for
example, a package was installed that included new policy rules) leading
to the file being created with the wrong SELinux context.

This commit delays the lookup of the default values until the very
moment the file resource is being synchronized. More precisely, the
following process is implemented:

- A `:lookup` symbol is introduced as the default value. It means that
  the actual value is to be looked up later during synchronization.
  However, maintaining the previous behaviour, a default value of `nil`
  is used if either the platform is Windows or the user explicitly
  stated to ignore the default values (using the
  `selinux_ignore_defaults` parameter).
- During resource synchronization, when the `insync?` method is
  executed, the `:lookup` symbol is replaced with the actual looked up
  value and then the sync status is calculated as usual.

The unit tests have been adjusted accordingly.
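To make the timing problem and the `:lookup` fix concrete, here is an added toy model (not Puppet's code, and not part of this PR): a stand-in policy store plays the role of matchpathcon, a package install adds a rule mid-catalog, and the seltype default is either resolved eagerly at catalog start or deferred with a `:lookup` sentinel until `insync?` runs.

```ruby
# Constructed stand-in for the system file-context policy (matchpathcon).
# Rules are matched newest-first, like a more specific policy shadowing a general one.
class FakePolicy
  def initialize
    @rules = { %r{\A/var/lib/} => 'var_lib_t' }
  end

  # Simulates a package such as grafana-selinux installing new policy rules.
  def add_rule(pattern, type)
    @rules = { pattern => type }.merge(@rules)
  end

  def matchpathcon(path)
    @rules.each { |pat, type| return type if pat.match?(path) }
    'default_t'
  end
end

# Minimal model of the file resource's seltype property.
class SeltypeProperty
  attr_reader :should

  def initialize(policy, path, ignore_defaults: false, windows: false, deferred: false)
    @policy = policy
    @path = path
    @should = if windows || ignore_defaults
                nil                         # previous behaviour kept: no default enforced
              elsif deferred
                :lookup                     # PR behaviour: resolve later, at sync time
              else
                policy.matchpathcon(path)   # old behaviour: resolved at catalog start
              end
  end

  # Mirrors the PR's change: replace :lookup with the real value before comparing.
  def insync?(current)
    @should = @policy.matchpathcon(@path) if @should == :lookup
    @should.nil? || current == @should
  end
end

# Replays the catalog from the PR description and returns the type the file gets.
def apply_catalog(deferred:)
  policy = FakePolicy.new
  prop = SeltypeProperty.new(policy, '/var/lib/grafana/test', deferred: deferred)
  policy.add_rule(%r{\A/var/lib/grafana/}, 'grafana_var_lib_t') # Package[grafana] applies
  prop.insync?('var_lib_t')                                      # File[...] is now synced
  prop.should
end
```

Eager resolution yields `var_lib_t` even though the policy now says `grafana_var_lib_t`; deferred resolution yields the correct type, and the Windows / `selinux_ignore_defaults` cases still produce `nil`.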
@bastelfreak
Contributor

@eciii thanks for the PR!

@alexjfisher is that something you can take a look at? I think you debugged various selinux issues with the file resource in the past?
