
linux-announce - [Linux-announce] Possible SE-Linux context changes for Puppet managed mountpoints

  • From: "Konrad Bucheli (PSI)" <konrad.bucheli AT>
  • To: linux-announce AT
  • Subject: [Linux-announce] Possible SE-Linux context changes for Puppet managed mountpoints
  • Date: Tue, 21 Mar 2023 17:07:48 +0100

Dear Linux Administrators

Today we merged a change to preprod [1] which may change the SE-Linux context of Puppet managed mountpoints or of directories leading to them.

The changes we detected during our tests were sensible; still, there is no guarantee that this also accounts for your system.

You may check with

puppet agent -t --environment preprod --noop

if there are any changes like

Notice: /Stage[main]/Profile::Mounter/Profile::Mounter::Mount[/netapp/data1]/Profile::Recursive_directories[/netapp/data1]/File[/netapp]/seluser: current_value 'unconfined_u', should be 'system_u' (noop)

and if they are fine.

Without "--noop" it will apply the change, but going back to "prod" will not undo these changes, as they were not set by Puppet before.

If you are unsure if you have a node with SE-Linux enabled, check out the list [2].

Without veto that change will be rolled out to prod on Tue 28.03.2023.

Kind regards


Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
Forschungstrasse 111
5232 Villigen PSI

Phone: +41 56 310 27 24
konrad.bucheli AT
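
Added example, not part of the original mail: a shell filter that reduces the noop output described above to the pending SELinux context changes on File resources. The function names and all sample lines except the first (which is the line quoted in the mail) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): list pending SELinux context
# changes on File resources in `puppet agent --noop` output.

# Reads noop output on stdin and prints "<path> <property> <current> -> <should>"
# for each seluser/selrole/seltype/selrange change; other notices are dropped.
selinux_noop_changes() {
    esc=$(printf '\033')
    # 1st expression strips ANSI colour codes, 2nd extracts the change.
    sed -n -E \
        -e "s/${esc}\[[0-9;]*m//g" \
        -e "s@^Notice: .*/File\[([^]]+)\]/(seluser|selrole|seltype|selrange): current_value '([^']*)', should be '([^']*)' \(noop\)\$@\1 \2 \3 -> \4@p"
}

# Constructed sample: the first line is the one quoted in the mail, the others
# are made-up lines in the same format (a type change and unrelated notices).
sample_noop_output() {
    cat <<'EOF'
Notice: /Stage[main]/Profile::Mounter/Profile::Mounter::Mount[/netapp/data1]/Profile::Recursive_directories[/netapp/data1]/File[/netapp]/seluser: current_value 'unconfined_u', should be 'system_u' (noop)
Notice: /Stage[main]/Profile::Mounter/Profile::Mounter::Mount[/netapp/data1]/Profile::Recursive_directories[/netapp/data1]/File[/netapp/data1]/seltype: current_value 'default_t', should be 'mnt_t' (noop)
Notice: /Stage[main]/Example/File[/etc/example.conf]/content: current_value '{sha256}aaaa', should be '{sha256}bbbb' (noop)
Notice: Class[Profile::Mounter]: Would have triggered 'refresh' from 2 events
EOF
}

sample_noop_output | selinux_noop_changes
```

On a node, pipe the real run through it: `puppet agent -t --environment preprod --noop | selinux_noop_changes`. Empty output means the run reported no SELinux context changes on File resources.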
