Recent change to template resource behavior?


#1

I am trying to work on the selinux cookbook for various things. One of the main issues I wanted to address is described in CHEF-1856; the same problem has been driving me crazy for quite a while.

Basically, Chef will clobber the SELinux context of files generated from a template. This is still happening in 10.16.0.

Much to my surprise, the problem no longer seems to exist in 10.16.6. I didn’t see anything in the release notes about this issue being addressed.

Can anybody confirm that this has been fixed? And if so, was it fixed as a side effect of something else (and thus could regress easily), or has it been specifically addressed?

Thanks!


#2

I found this https://github.com/opscode/chef/commit/1ac62464201985b36043b460075ceb5f32bd8f22 in
the differences between those two versions. Could that be what fixed
it? I know hardly anything about SELinux, but I thought someone on the
list had said something about the context being clobbered because the file
was created in a temporary directory and then moved into place. Is the
behavior different if you copy the file there instead?

If this was what caused the fix, then I would say that it wasn’t a
deliberate attempt to fix an SELinux problem, judging by the commit message.

-Matt Moretti

On Fri, Jan 11, 2013 at 8:04 PM, Kevin Keane (subscriptions) <
subscription@kkeane.com> wrote:


I am trying to work on the selinux cookbook for various things. One of the
main issues I wanted to address is described in CHEF-1856; the same problem
has been driving me crazy for quite a while.

Basically, Chef will clobber the SELinux context of files generated from a
template. This is still happening in 10.16.0.

Much to my surprise, the problem no longer seems to exist in 10.16.6. I
didn’t see anything in the release notes about this issue being addressed.

Can anybody confirm that this has been fixed? And if so, was it fixed as a
side effect of something else (and thus could regress easily), or has it
been specifically addressed?

Thanks!


#3

On Friday, January 11, 2013 at 5:55 PM, Matthew Moretti wrote:

I found this (https://github.com/opscode/chef/commit/1ac62464201985b36043b460075ceb5f32bd8f22) in the differences between those two versions. Could that be what fixed it? I know hardly anything about SELinux, but I thought someone on the list had said something about the context being clobbered because the file was created in a temporary directory and then moved into place. Is the behavior different if you copy the file there instead?

If this was what caused the fix, then I would say that it wasn’t a deliberate attempt to fix an SELinux problem, judging by the commit message.

-Matt Moretti

On Fri, Jan 11, 2013 at 8:04 PM, Kevin Keane (subscriptions) <subscription@kkeane.com> wrote:

I am trying to work on the selinux cookbook for various things. One of the main issues I wanted to address is described in CHEF-1856; the same problem has been driving me crazy for quite a while.

Basically, Chef will clobber the SELinux context of files generated from a template. This is still happening in 10.16.0.

Much to my surprise, the problem no longer seems to exist in 10.16.6. I didn’t see anything in the release notes about this issue being addressed.

Can anybody confirm that this has been fixed? And if so, was it fixed as a side effect of something else (and thus could regress easily), or has it been specifically addressed?

Thanks!

I should point out there is a behavior change between ruby 1.9.2 and 1.9.3 with the FileUtils.cp method. In both versions, it works by opening the source and destination (with File.open) and copying the content over. In ruby 1.9.2, the unix permissions are not specified, so you end up with whatever your umask dictates if the copy operation creates the file. In ruby 1.9.3, the original file is stat()ed and the permissions of the original are given as an argument to the File.open() method for the destination file.

Not really SELinux related, but something you may notice in your investigations.

At Opscode we’ve been discussing modifying the various file providers to use a consistent mechanism for creating the file and managing the content, but haven’t had the time to actually write any code. A patch that does this would be most welcome.


Daniel DeLeo


#4

I agree, that change was probably it.

Would it make sense to change CHEF-1856 from “wontfix” to “fixed” to prevent a regression in the future?

-----Original message-----
From: Matthew Moretti werebus@gmail.com
Sent: Fri 01-11-2013 05:55 pm
Subject: [chef] Re: Recent change to template resource behavior?
To: chef@lists.opscode.com;

I found this in the differences between those two versions. Could that be what fixed it? I know hardly anything about SELinux, but I thought someone on the list had said something about the context being clobbered because the file was created in a temporary directory and then moved into place. Is the behavior different if you copy the file there instead?
If this was what caused the fix, then I would say that it wasn’t a deliberate attempt to fix an SELinux problem, judging by the commit message.
-Matt Moretti

On Fri, Jan 11, 2013 at 8:04 PM, Kevin Keane (subscriptions) subscription@kkeane.com wrote:

I am trying to work on the selinux cookbook for various things. One of the main issues I wanted to address is described in CHEF-1856; the same problem has been driving me crazy for quite a while.

Basically, Chef will clobber the SELinux context of files generated from a template. This is still happening in 10.16.0.

Much to my surprise, the problem no longer seems to exist in 10.16.6. I didn’t see anything in the release notes about this issue being addressed.

Can anybody confirm that this has been fixed? And if so, was it fixed as a side effect of something else (and thus could regress easily), or has it been specifically addressed?

Thanks!


#5

On Friday, January 11, 2013 at 6:26 PM, Kevin Keane (subscriptions) wrote:

RE: [chef] Re: Recent change to template resource behavior?
I agree, that change was probably it.

Would it make sense to change CHEF-1856 from “wontfix” to “fixed” to prevent a regression in the future?

There should at least be a regression test. It’s probably pretty difficult to cover this with unit tests, but it would work well as a functional test.


Daniel DeLeo

-----Original message-----
From: Matthew Moretti werebus@gmail.com
Sent: Fri 01-11-2013 05:55 pm
Subject: [chef] Re: Recent change to template resource behavior?
To: chef@lists.opscode.com;
I found this (https://github.com/opscode/chef/commit/1ac62464201985b36043b460075ceb5f32bd8f22) in the differences between those two versions. Could that be what fixed it? I know hardly anything about SELinux, but I thought someone on the list had said something about the context being clobbered because the file was created in a temporary directory and then moved into place. Is the behavior different if you copy the file there instead?

If this was what caused the fix, then I would say that it wasn’t a deliberate attempt to fix an SELinux problem, judging by the commit message.

-Matt Moretti

On Fri, Jan 11, 2013 at 8:04 PM, Kevin Keane (subscriptions) <subscription@kkeane.com> wrote:

I am trying to work on the selinux cookbook for various things. One of the main issues I wanted to address is described in CHEF-1856; the same problem has been driving me crazy for quite a while.

Basically, Chef will clobber the SELinux context of files generated from a template. This is still happening in 10.16.0.

Much to my surprise, the problem no longer seems to exist in 10.16.6. I didn’t see anything in the release notes about this issue being addressed.

Can anybody confirm that this has been fixed? And if so, was it fixed as a side effect of something else (and thus could regress easily), or has it been specifically addressed?

Thanks!
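
An added example, not part of any post in this thread and not Chef's own code: it shows the mechanism behind the move-versus-copy question in #2 and could seed the functional regression test suggested in #5. SELinux keeps a file's label in the `security.selinux` extended attribute of the inode, so the sketch uses inode identity as a portable proxy for whether the destination's existing label survives. The helper names `deploy` and `compare_strategies` and the sample file contents are assumptions made for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Replace dest's content by one of the two strategies from the thread and
# report whether dest is still the same inode afterwards.
def deploy(strategy, dest, content)
  inode_before = File.stat(dest).ino
  # Stage on the same filesystem as dest so FileUtils.mv is a plain rename(2).
  Dir.mktmpdir('staging', File.dirname(dest)) do |staging|
    staged = File.join(staging, 'rendered')
    File.write(staged, content)
    case strategy
    when :move
      # rename(2): dest now names the staged inode, together with whatever
      # label that inode was given when it was created in the staging dir.
      FileUtils.mv(staged, dest)
    when :copy
      # open + write: the existing dest inode is truncated and refilled,
      # so its extended attributes (including the label) stay in place.
      FileUtils.cp(staged, dest)
    else
      raise ArgumentError, "unknown strategy: #{strategy}"
    end
  end
  { same_inode: File.stat(dest).ino == inode_before, content: File.read(dest) }
end

# Run both strategies against constructed sample files in a scratch directory.
def compare_strategies
  Dir.mktmpdir('ctx-demo') do |root|
    [:move, :copy].each_with_object({}) do |strategy, results|
      dest = File.join(root, "#{strategy}.conf")
      File.write(dest, "old\n") # constructed "previously deployed" file
      results[strategy] = deploy(strategy, dest, "new\n")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_strategies.each do |strategy, result|
    puts "#{strategy}: same_inode=#{result[:same_inode]}"
  end
end
```

On an SELinux-enabled host, a functional test can compare the output of `stat -c %C` on the destination before and after the update instead of comparing inode numbers.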