On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
>
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
> &> /dev/null"
D'oh! That's what I get for overcomplicating the whole darn thing. :)
>
> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile time is to either skip -P and
> understand it's not persistent so puppet needs to fix at boot, or passing
> multiple booleans to setsebool at the same time so the compile only happens
> once.
Huh. Stacking setsebool has a lot of potential. I should add remedial
man-page reading to my list of tasks.
I'm of the camp that systems should come up in a ready state, regardless
of the immediate availability of puppet. So, using puppet to push
SELinux changes without committing to on-disk policy alarms me.
Thanks for the ideas!
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
