On Tue, 12 Apr 2016, John Jasen wrote:
> On 04/12/2016 02:31 PM, James Hogarth wrote:
>> For example:
>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on &> /dev/null"
> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>> Incidentally one nice trick if you're dealing with potentially changing
>> multiple booleans and the policy compile time is to either skip -P and
>> understand it's not persistent so puppet needs to fix at boot, or passing
>> multiple booleans to setsebool at the same time so the compile only happens
>> once.
> Huh. Stacking setsebool has a lot of potential. I should add remedial
> man-page reading to my list of tasks.
> I'm of the camp that systems should come up in a ready state, regardless
> of the immediate availability of puppet. So, using puppet to push
> SELinux changes without committing to on-disk policy alarms me.
I'm not sure I entirely understand this discussion. Isn't this what puppet
does by default with selboolean?
# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Enabling persistence
Debug: Executing '/usr/sbin/setsebool -P httpd_can_network_connect on'
Notice: /Selboolean[httpd_can_network_connect]/value: value changed 'off' to 'on'
Debug: Finishing transaction 19351060
Debug: Storing state
Debug: Stored state in 0.20 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
value => 'on',
}
Here you see it checking the value, deciding it's wrong, then setting it.
# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Finishing transaction 18309580
Debug: Storing state
Debug: Stored state in 0.18 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
value => 'on',
}
Here it checks it, then leaves it alone as it's correct.
What am I missing?
jh
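The two ideas in this thread, an idempotent check before touching a boolean and batching several booleans into one persistent setsebool run so the policy compiles once, can be combined in a small shell helper. The script below is an added example and is not code from the thread or from Puppet; it assumes the desired state is supplied as "name value" lines (a format chosen for this example) and the current state as the real output of `getsebool -a` ("name --> value"). The `SETSEBOOL` variable is a hypothetical override so the command can be dry-run with `SETSEBOOL=echo`.

```shell
#!/bin/sh
# Added example (not from the thread): compare desired SELinux booleans with
# the live state, then issue ONE `setsebool -P` for everything that differs,
# or nothing at all when the system is already in the desired state.

# Hypothetical override so the command can be tested without SELinux:
# SETSEBOOL=echo ./this.sh prints the command instead of running it.
SETSEBOOL="${SETSEBOOL:-setsebool}"

# needed_changes DESIRED CURRENT
#   DESIRED: lines of "name value"          (assumed format for this example)
#   CURRENT: lines of "name --> value"      (format printed by `getsebool -a`)
# Prints one "name=value" per boolean whose current value differs from the
# desired value. Returns 1 if a desired boolean is not present in CURRENT.
needed_changes() {
    local desired="$1" current="$2" name want have
    # A here-document (not a pipe) keeps the loop in the current shell, so
    # `return` works and nothing is lost in a subshell.
    while read -r name want; do
        [ -z "$name" ] && continue
        # getsebool prints "name --> value"; field 3 is the value.
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            echo "unknown SELinux boolean: $name" >&2
            return 1
        fi
        [ "$have" = "$want" ] || printf '%s=%s\n' "$name" "$want"
    done <<EOF
$desired
EOF
}

# apply_booleans DESIRED CURRENT
#   Runs a single persistent setsebool for all differing booleans, or skips
#   the call entirely when nothing differs (so no policy recompile happens).
apply_booleans() {
    local changes
    changes=$(needed_changes "$1" "$2") || return 1
    if [ -z "$changes" ]; then
        echo "all booleans already in desired state, nothing to do" >&2
        return 0
    fi
    # One -P invocation: the on-disk policy is rebuilt once no matter how many
    # booleans changed. Word splitting of $changes into arguments is intended.
    # shellcheck disable=SC2086
    "$SETSEBOOL" -P $changes
}

# sync_booleans DESIRED: same as apply_booleans, but reads the live state.
# Only call this on a host with SELinux tools installed.
sync_booleans() {
    apply_booleans "$1" "$(getsebool -a)"
}
```

Because `apply_booleans` always passes `-P`, the change is committed to the on-disk policy and survives a reboot, which addresses the concern about hosts coming up in a ready state without waiting for a puppet run. If the same check-then-set logic is wrapped in a Puppet `exec`, note that the pipe and redirect in an `unless` command only work with `provider => shell`; the default posix provider executes the binary directly without a shell.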
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos