Bug 862350

Summary: update_yaml.rb sets yaml file to wrong selinux context...
Product: OKD
Component: Containers
Version: 2.x
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Thomas Wiest <twiest>
Assignee: Rob Millner <rmillner>
QA Contact: libra bugs <libra-bugs>
CC: mfisher, pruan
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-11-06 18:48:25 UTC

Description Thomas Wiest 2012-10-02 17:18:28 UTC
Description of problem:
update_yaml.rb is creating the out_file in /tmp and then moving it, which sets the file's selinux context to this:

unconfined_u:object_r:user_tmp_t:s0

However, the context needs to be set to the context of where the file is moved to. In our case, we use /etc/mcollective/facts.yaml which needs an selinux context of (according to restorecon):

unconfined_u:object_r:etc_t:s0

A possible fix would be to use cp instead of mv since cp will set the context correctly for the new location. Then use rm to get rid of the tmp file.

Note: this is a new bug in this script. This was not a problem in r2.0.17.

Version-Release number of selected component (if applicable):
stickshift-mcollective-agent-0.4.1-1.el6_3.noarch

How reproducible:
very

Steps to Reproduce:
1. run: /usr/libexec/mcollective/update_yaml.rb /etc/mcollective/facts.yaml
2. run: restorecon -Rvn /etc/mcollective/facts.yaml
3. Notice that restorecon says that this file's context is wrong.
  
Actual results:
Wrong selinux context: unconfined_u:object_r:user_tmp_t:s0

Expected results:
Correct selinux context: unconfined_u:object_r:etc_t:s0
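
An added example, not part of the original report and not the change made in the pull request: instead of the cp-then-rm approach suggested above, this sketch creates the temp file in the destination directory so it never picks up the /tmp label. The helper names `write_in_place` and `mislabelled?` are hypothetical; the check reuses the `restorecon -n -v` step from the report.

```ruby
require 'tempfile'

# Hypothetical helper (not from update_yaml.rb): replace +dest+ with +content+.
# The temp file is created next to +dest+, so on an SELinux host it takes its
# default label from that directory (etc_t under /etc, unless policy defines a
# type transition) instead of user_tmp_t, and the rename never crosses
# filesystems.
def write_in_place(dest, content, mode: 0o644)
  dest = File.expand_path(dest)
  tmp = Tempfile.create([".#{File.basename(dest)}.", '.tmp'], File.dirname(dest))
  path = tmp.path
  begin
    tmp.write(content)
    tmp.fsync
    tmp.close
    File.chmod(mode, path)
    File.rename(path, dest) # atomic replace; the label travels with the inode
  rescue StandardError
    tmp.close unless tmp.closed?
    File.unlink(path) if File.exist?(path)
    raise
  end
  dest
end

# Same check as step 2 of the report: `restorecon -n -v` changes nothing and
# prints a line only when the current label differs from policy.
# Returns true/false, or nil when restorecon is not installed.
def mislabelled?(path)
  tool = %w[/sbin/restorecon /usr/sbin/restorecon].find { |p| File.executable?(p) }
  return nil unless tool
  out = IO.popen([tool, '-n', '-v', path], err: File::NULL, &:read)
  !out.strip.empty?
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo input; point it at a scratch file, not a live config.
  require 'tmpdir'
  Dir.mktmpdir do |dir|
    target = write_in_place(File.join(dir, 'facts.yaml'), "kernel: Linux\n")
    puts "#{target}: mislabelled=#{mislabelled?(target).inspect}"
  end
end
```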

Comment 1 Rob Millner 2012-10-02 18:39:20 UTC
Pull request https://github.com/openshift/crankcase/pull/576

Comment 2 Rob Millner 2012-10-02 21:09:38 UTC
Pull request accepted into master.

Comment 3 Peter Ruan 2012-10-05 23:56:49 UTC
verified with devenv_2288

[root@ip-10-144-64-109 ~]# /usr/libexec/mcollective/update_yaml.rb /etc/mcollective/facts.yaml
[root@ip-10-144-64-109 ~]# restorecon -Rvn /etc/mcollective/facts.yaml 
[root@ip-10-144-64-109 ~]# 


// note, there's no error.