It’s tedious when you want to change a file’s SELinux context: sometimes you have to create a new entry using “semanage”, and then you need to run “restorecon” to apply the context to the file.

Why not ask Puppet to do the job?

A short example

I want to create a directory with an appropriate SELinux context.

Create this directory :

[root@puppetserver ~]# mkdir /my_web_directory

Display current context :

[root@puppetserver ~]# ls -dZ /my_web_directory
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /my_web_directory

Where :

  • user : unconfined_u
  • role : object_r
  • type : default_t

I would like to change the file context type to “httpd_sys_rw_content_t”.

This context type exists :

[root@puppetserver ~]# seinfo -t | grep httpd_sys_rw_content_t
 httpd_sys_rw_content_t

Just create a simple Puppet manifest.

Create a directory to put the examples in :

[root@puppetserver ~]# mkdir /examples && cd /examples

Here is this manifest :

[root@puppetserver examples]# cat selinux_context.pp
class selinux_context {
  file { '/my_web_directory':
    ensure                  => directory,
    owner                   => 'root',
    group                   => 'root',
    mode                    => 'u=rwx,go=rx',
    selinux_ignore_defaults => true,
    seltype                 => 'httpd_sys_rw_content_t',
  }
}

include ::selinux_context

Syntax is OK :

[root@puppetserver examples]# puppet parser validate selinux_context.pp

What Puppet will do for you :

[root@puppetserver examples]# puppet apply --noop selinux_context.pp
Notice: Compiled catalog for puppetserver.argonay.wou in environment production in 0.11 seconds
Notice: /Stage[main]/Selinux_context/File[/my_web_directory]/seltype: current_value default_t, should be httpd_sys_rw_content_t (noop)
Notice: Class[Selinux_context]: Would have triggered 'refresh' from 1 events
Notice: Stage[main]: Would have triggered 'refresh' from 1 events
Notice: Applied catalog in 0.07 seconds

This is exactly what we would like to do, so just ask Puppet to do it :

[root@puppetserver examples]# puppet apply selinux_context.pp
Notice: Compiled catalog for puppetserver.argonay.wou in environment production in 0.09 seconds
Notice: /Stage[main]/Selinux_context/File[/my_web_directory]/seltype: seltype changed 'default_t' to 'httpd_sys_rw_content_t'
Notice: Applied catalog in 0.07 seconds

And the job has been done :

[root@puppetserver examples]# ls -dZ /my_web_directory
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 /my_web_directory

What if my directory didn’t exist ?

Remove it :

[root@puppetserver examples]# rmdir /my_web_directory

Ask Puppet :

[root@puppetserver examples]# puppet apply selinux_context.pp
Notice: Compiled catalog for puppetserver.argonay.wou in environment production in 0.12 seconds
Notice: /Stage[main]/Selinux_context/File[/my_web_directory]/ensure: created
Notice: Applied catalog in 0.07 seconds

What happened ?

[root@puppetserver examples]# ls -dZ /my_web_directory
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 /my_web_directory

It looks as expected !
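One caveat worth knowing: `seltype` relabels the directory itself (much like chcon), but the policy still has no rule for /my_web_directory, which is why its default was `default_t`. A later `restorecon` or a full relabel would therefore put it back to `default_t`. The manifest below is an added example, not the original post’s code, that also registers the mapping with `semanage fcontext` so the label survives a relabel; it assumes `semanage` is installed and uses the same hypothetical directory and type as above.

```puppet
# Added example (not from the original post): keep the label across relabels.
# Assumption: semanage is available (policycoreutils-python-utils on EL systems).
class selinux_context_persistent {
  $dir  = '/my_web_directory'
  $type = 'httpd_sys_rw_content_t'
  $bin  = ['/usr/sbin', '/sbin', '/usr/bin', '/bin']

  # Persistent policy mapping, so restorecon/autorelabel keep the type.
  # The 'unless' check makes the exec idempotent.
  exec { "fcontext ${dir}":
    command => "semanage fcontext -a -t ${type} '${dir}(/.*)?'",
    path    => $bin,
    unless  => "semanage fcontext -l | grep -F '${dir}(/.*)?' | grep -q ${type}",
  }

  # Same file resource as in the post, now ordered after the mapping exists.
  file { $dir:
    ensure                  => directory,
    owner                   => 'root',
    group                   => 'root',
    mode                    => 'u=rwx,go=rx',
    selinux_ignore_defaults => true,
    seltype                 => $type,
    require                 => Exec["fcontext ${dir}"],
  }

  # Relabel existing content only when the mapping or the directory changed.
  exec { "restorecon ${dir}":
    command     => "restorecon -R ${dir}",
    path        => $bin,
    refreshonly => true,
    subscribe   => [Exec["fcontext ${dir}"], File[$dir]],
  }
}

include ::selinux_context_persistent
```

After applying it, `restorecon -v /my_web_directory` should report nothing to change, and `matchpathcon /my_web_directory` should return the httpd_sys_rw_content_t type instead of default_t.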
