linux-announce AT lists.psi.ch
Subject: Linux Mailing List
[Linux-announce] Possible SE-Linux context changes for Puppet managed mountpoints
- From: "Konrad Bucheli (PSI)" <konrad.bucheli AT psi.ch>
- To: linux-announce AT lists.psi.ch
- Subject: [Linux-announce] Possible SE-Linux context changes for Puppet managed mountpoints
- Date: Tue, 21 Mar 2023 17:07:48 +0100
Dear Linux Administrators
Today we merged a change to preprod [1] which may change the SE-Linux context of Puppet managed mountpoints or directories leading to them.
The changes we detected during our tests were sensible; still, there is no guarantee that this also applies to your system.
You may check with

    puppet agent -t --environment preprod --noop

if there are any changes like

    Notice: /Stage[main]/Profile::Mounter/Profile::Mounter::Mount[/netapp/data1]/Profile::Recursive_directories[/netapp/data1]/File[/netapp]/seluser: current_value 'unconfined_u', should be 'system_u' (noop)

and if they are fine.
Without "--noop" it will apply the change, but going back to "prod" will not undo these changes, as they were not set by Puppet before.
If you are unsure if you have a node with SE-Linux enabled, check out the list [2].
Without a veto, that change will be rolled out to prod on Tue 28.03.2023.
Kind regards
Konrad
[1] https://git.psi.ch/linux-infra/puppet/-/merge_requests/961
[2] https://puppet01.psi.ch/puppetboard/fact/selinux_current_mode/%22enforcing%22
--
Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
WHGA/038
Forschungstrasse 111
5232 Villigen PSI
Switzerland
Phone: +41 56 310 27 24
konrad.bucheli AT psi.ch
www.psi.ch
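
The check described in the announcement can be narrowed to the SELinux-related lines of the noop run. The following is an added example, not part of the original message or of PSI's Puppet code: the function names are hypothetical, and the sample output is constructed (only its first Notice line is taken from the announcement).

```shell
#!/bin/sh
# Added example: pick SELinux context changes out of a Puppet noop run.

# Reads `puppet agent ... --noop` output on stdin and prints one line per
# pending SELinux change on a File resource:
#   <path> <attribute> <current> -> <should>
# seluser, selrole, seltype and selrange are the SELinux attributes of
# Puppet's file type.
selinux_noop_changes() {
    sed -n -E "s#^Notice: .*/File\[([^]]+)\]/(seluser|selrole|seltype|selrange): current_value '([^']*)', should be '([^']*)' \(noop\)\$#\1 \2 \3 -> \4#p"
}

# Prints the pending SELinux changes and returns 1 if there are any,
# so it can gate a rollout step; returns 0 when nothing would change.
selinux_noop_review() {
    changes=$(selinux_noop_changes)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed sample output; the seltype and mode lines are invented
# for illustration.
sample_noop_output() {
cat <<'EOF'
Info: Applying configuration version 'constructed-sample'
Notice: /Stage[main]/Profile::Mounter/Profile::Mounter::Mount[/netapp/data1]/Profile::Recursive_directories[/netapp/data1]/File[/netapp]/seluser: current_value 'unconfined_u', should be 'system_u' (noop)
Notice: /Stage[main]/Profile::Mounter/Profile::Mounter::Mount[/netapp/data1]/File[/netapp/data1]/seltype: current_value 'default_t', should be 'mnt_t' (noop)
Notice: /Stage[main]/Profile::Example/File[/etc/example.conf]/mode: current_value '0755', should be '0750' (noop)
Notice: Applied catalog in 4.21 seconds
EOF
}

# Demonstration on the constructed sample. On a real node, use instead:
#   puppet agent -t --environment preprod --noop | selinux_noop_changes
sample_noop_output | selinux_noop_changes
```

Non-SELinux changes such as the `mode` line are filtered out, so what remains is exactly the set of context changes that would persist after going back to "prod".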