puppet apply always tries to enforce selinux default params for /etc/puppet/

asked 2016-02-03 22:35:33 -0600


Even though I specify File { selinux_ignore_defaults=>true,} in my manifest, puppet still tries to enforce the selinux params. It seems like this occurs by virtue of some built-in resource declarations that try to enforce creation of the confdir, ssldir, etc. This is a problem for me because my confdir is an NFS mount (/etc/puppet is actually symlinked to a folder under an NFS mount), and puppet does not seem to correctly handle the selinux params for NFS mounts.

Here's a simple example using puppet 3.8.5 on CentOS7:

# puppet apply -e 'File { selinux_ignore_defaults=>true,} notify {"wish I could selinux_ignore_defaults for /etc/puppet/ssl!": }' --environment development
Fact file /etc/puppet/r10k/cloudpassage/facts.d/cp_facts_win.bat was parsed but returned an empty data set
Notice: Compiled catalog for bb8-roan-dch-05.sbox.local in environment development in 0.16 seconds
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/ssl
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/ssl/private_keys
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/ssl/public_keys
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/hiera.yaml
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/ssl/certs
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/ssl/private
Warning: Failed to set SELinux context system_u:object_r:admin_home_t:s0 on /etc/puppet/ssl/certificate_requests
Notice: wish I could selinux_ignore_defaults for /etc/puppet/ssl!
Notice: /Stage[main]/Main/Notify[wish I could selinux_ignore_defaults for /etc/puppet/ssl!]/message: defined 'message' as 'wish I could selinux_ignore_defaults for /etc/puppet/ssl!'
Notice: Finished catalog run in 0.15 seconds

How can I modify my configuration to eliminate or suppress those SELinux warnings that are output above (while keeping /etc/puppet content on the NFS drive)? For example, can I prevent puppet from trying to enforce creation of ssldir every time I run puppet apply? Or, alternatively, is there a way to make my File { selinux_ignore_defaults=>true,} declaration apply to the file { $ssldir } declaration?

This issue seems related to http://ask.puppetlabs.com/question/16....
