selinux::module should not manage files in /usr #146

Closed
vinzent opened this issue Dec 23, 2016 · 6 comments · Fixed by #195
Comments


vinzent commented Dec 23, 2016

Affected Puppet, Ruby, OS and module versions/distributions

  • Module version: 0.5.1-rc0

How to reproduce (e.g Puppet code you use)

Add a selinux::module resource.

What are you seeing

The resource creates/manages a file in /usr/share/selinux. According to the FHS standard, /usr is the "secondary hierarchy for read-only user data".

In /usr (excluding /usr/local) I only expect files managed by the system's package manager.

https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard#Directory_structure

What behaviour did you expect instead

The Puppet-managed file should be placed somewhere in /var. Maybe in some folder in Puppet's $vardir, or whatever best practice is.

references

@vinzent vinzent added enhancement New feature or request needs-feedback Further information is requested labels Jan 17, 2017
@vinzent vinzent added this to the 2.0.0 milestone Jan 17, 2017
@vinzent vinzent self-assigned this Jan 17, 2017

oranenj commented Jan 21, 2017

Manifests have access to the $settings::vardir variable, which is the vardir option of the agent. For example on my desktop:

sudo puppet apply -e 'notice($settings::vardir)'

results in Notice: Scope(Class[main]): /var/lib/puppet, and without sudo in Notice: Scope(Class[main]): /home/oranenj/.puppet/cache


vinzent commented Jan 21, 2017 via email


oranenj commented Jan 21, 2017

Ah, yes, I misread the documentation... I wonder if there's a good way to get the configured vardir value somehow via Puppet's ruby API... Puppet.settings.setting('vardir').value returns nil if called straight from ruby.


oranenj commented Jan 21, 2017

However, it seems to work when called in a fact during a puppet run:

require 'puppet'
# Custom fact exposing the agent's configured vardir. Puppet resolves its
# settings during the run, so the value is populated here (unlike the nil
# seen when Puppet.settings is queried from plain ruby).
Facter.add(:puppet_agent_vardir) do
  setcode do
    Puppet.settings['vardir']
  end
end

$ FACTERLIB=. sudo -E puppet apply -e'notice($::puppet_agent_vardir)'
Notice: Scope(Class[main]): /var/lib/puppet


vinzent commented Jan 22, 2017

I think Puppet.settings outside of a puppet run needs to call some initialization method first.

I don't think we should rely on a client-provided directory. The worst case could be that somebody sets it to "/" and we're purging "/" in the end.


oranenj commented Jan 22, 2017

Well of course we shouldn't use the directory directly, but if we set it to something like $client_vardir/selinux-module-cache and validate that it's an absolute path, even in the worst case we'll just have a directory called /selinux-module-cache.
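The guard proposed in the comment above (take the agent-supplied vardir, append a fixed subdirectory, accept only absolute paths) and the worst case raised two comments earlier (a vardir of "/" ending in a purge of "/") are illustrated by the following Ruby helper. It is an added example, not code from the puppet-selinux module or from either commenter; the function name selinux_module_cache_dir and the constant CACHE_SUBDIR are assumptions, and the subdirectory name selinux-module-cache is taken from the proposal in the thread.

```ruby
require 'pathname'

# Fixed subdirectory appended below the agent's vardir (name taken from the
# proposal in this thread; the module itself does not define this constant).
CACHE_SUBDIR = 'selinux-module-cache'.freeze

# Derive the SELinux module cache directory from a client-supplied vardir.
# The value is whatever the agent reports, so it is treated as untrusted:
#   * it must be a non-empty String,
#   * it must be an absolute path (a relative value would be resolved
#     against an unknown working directory),
#   * the derived directory is normalised and must never collapse to "/",
#     because a later purge of that directory would otherwise hit the root.
# Returns the normalised directory as a String, or raises ArgumentError.
def selinux_module_cache_dir(vardir)
  unless vardir.is_a?(String) && !vardir.strip.empty?
    raise ArgumentError, 'vardir must be a non-empty String'
  end

  base = Pathname.new(vardir)
  unless base.absolute?
    raise ArgumentError, "vardir must be an absolute path, got #{vardir.inspect}"
  end

  # cleanpath collapses ".", ".." and duplicate separators lexically without
  # touching the filesystem, so it is safe to call at catalog compile time.
  cache = (base + CACHE_SUBDIR).cleanpath

  # Defence in depth: with a fixed subdirectory appended this cannot be "/",
  # but a purge target is dangerous enough to assert it explicitly.
  raise ArgumentError, "refusing to use #{cache} as a purge target" if cache.to_s == '/'

  cache.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: a normal agent vardir, the "/" worst case from
  # the thread, a vardir with ".." and a trailing slash, and a relative value.
  ['/var/lib/puppet', '/', '/var/lib/../lib/puppet/', 'relative/cache'].each do |v|
    begin
      puts "#{v.inspect} -> #{selinux_module_cache_dir(v)}"
    rescue ArgumentError => e
      puts "#{v.inspect} rejected: #{e.message}"
    end
  end
end
```

Running the file directly prints the derived path for a normal vardir and for the "/" worst case (which yields /selinux-module-cache, never "/"), and shows the rejection of a relative value. Because cleanpath only normalises the string, the helper never consults the agent's filesystem, so it can run wherever the manifest is compiled.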
