David Glass
2012-Jan-04 08:58 UTC
[Puppet Users] installing Nagios client with selinux enabled
Hi, I'm new to Puppet so may be going about this completely the wrong way, or perhaps it is an selinux problem rather than a Puppet problem. I have a problem copying a file and changing the seltype. I don't think it is Nagios specific. Code is something like:

    file {
      '/usr/sbin/nrpe':
        source => "puppet://$puppetserver/modules/nagios/nagios/libexec/nrpe",
        owner  => 'root',
        group  => 'root',
        notify => Service['nagios'],
    }
    exec {
      'chcon':
        command   => "/usr/bin/chcon -R -t bin_t /usr/sbin/nrpe",
        subscribe => File['/usr/sbin/nrpe'],
    }

What happens is that Puppet always updates the file because the seltype appears to be wrong. This means that the exec is always called and the service is always restarted:

    notice: /File[/usr/sbin/nrpe]/seltype: seltype changed 'bin_t' to 'nrpe_exec_t'
    info: /File[/usr/sbin/nrpe]: Scheduling refresh of Exec[chcon]
    info: /File[/usr/sbin/nrpe]: Scheduling refresh of Service[nagios]
    notice: /Stage[main]/Tools::Nagios/Service[nagios]: Triggered 'refresh' from 1 events
    notice: /Stage[main]/Nagios/Exec[chcon]/returns: executed successfully
    notice: /Stage[main]/Nagios/Exec[chcon]: Triggered 'refresh' from 1 events

Is there any way to get out of this loop? Nagios will not start unless the seltype is changed.

Thanks
David

Bernd Adamowicz
2012-Jan-06 09:20 UTC
AW: [Puppet Users] installing Nagios client with selinux enabled
I'm not sure, but you could try changing the SELinux stuff with Puppet configuration instead of 'chcon'. I got a little description here: http://berndadamowicz.wordpress.com/2011/12/16/nrpe-and-selinux/.

Be aware that the SELinux attributes might be changed back after Puppet has applied the changes by some OS specific processes. But I have not enough SELinux knowledge to give any further hint on that.

Bernd

jcbollinger
2012-Jan-06 16:08 UTC
[Puppet Users] Re: installing Nagios client with selinux enabled
On Jan 6, 3:20 am, Bernd Adamowicz <Bernd.Adamow...@esailors.de> wrote:
> I'm not sure, but you could try changing the SELinux stuff with Puppet configuration instead of 'chcon'. I got a little description here: http://berndadamowicz.wordpress.com/2011/12/16/nrpe-and-selinux/.
>
> Be aware that the SELinux attributes might be changed back after Puppet has applied the changes by some OS specific processes. But I have not enough SELinux knowledge to give any further hint on that.

Yes, it's much better to specify the desired SELinux parameters in the File declaration than to change them after the fact via an Exec resource. Consult the Puppet type reference for documentation of these properties: http://docs.puppetlabs.com/references/stable/type.html#file .

It is rarely a good idea to manage the same actual resource via multiple Puppet resources (as you try to do). Puppet tries to avoid letting you do so, but with an Exec you can do just about anything.

John
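
The approach suggested in the replies, written out as an added example (not posted by anyone in the thread, and not the linked blog's code): the SELinux type is declared on the File resource and the chcon Exec is dropped. The path, source URL and Service['nagios'] title come from the original post; the service's ensure/enable values are assumptions.

```puppet
# Added example; not code from the thread.
#
# When seltype is left unset, Puppet's file type fills it in from the
# SELinux policy's default context for the path. For /usr/sbin/nrpe that
# default is nrpe_exec_t, which is the "seltype changed 'bin_t' to
# 'nrpe_exec_t'" line in the log: Puppet relabels, the Exec relabels back,
# and every run reports a change and restarts the service.

file { '/usr/sbin/nrpe':
  source  => "puppet://${puppetserver}/modules/nagios/nagios/libexec/nrpe",
  owner   => 'root',
  group   => 'root',
  # Declare the label on the resource that owns the file. Puppet now compares
  # against this value instead of the policy default, so a run that finds
  # bin_t already in place reports no change and sends no refresh.
  #
  # bin_t is the type the poster's chcon applied. It is not the entry point
  # of the policy's confined NRPE domain (nrpe_exec_t is), so a daemon
  # started from a bin_t file does not get that confinement. Keeping
  # nrpe_exec_t and resolving the denial that stops the daemon is the
  # tighter option where that is possible.
  seltype => 'bin_t',
  notify  => Service['nagios'],
}

# No Exec['chcon'] any more: the File resource is the only Puppet resource
# managing /usr/sbin/nrpe.

service { 'nagios':
  ensure => running,   # assumption; the post shows only the resource title
  enable => true,      # assumption
}
```

On the second and later runs the agent output should contain no seltype notice for /usr/sbin/nrpe and no "Scheduling refresh" lines for the service.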