Hi,
err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
retrieve current state of resource: Execution of '/usr/sbin/getsebool
httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
disabled
Is this behaviour intentional? I mean, with selinux disabled it does
not make sense to call getsebool or setsebool. For what I want to
achieve (httpd can network connect) a disabled selinux is as good as
setsebool.
I wonder how to work around this error. I tried the following, but this
does not work. I believe that selboolean does not support refreshing.

    exec { "selinuxenabled":
      command => "/bin/true",
      onlyif  => "/usr/sbin/selinuxenabled",
    }
    selboolean { "httpd_can_network_connect":
      value     => on,
      subscribe => Exec["selinuxenabled"],
    }

--
best regards,
markus
The simplest way would probably be to make that chunk of the manifest
conditional on the selinux facts:

    [root@jms ~]# facter -p | grep sel
    selinux => true
    selinux_enforced => false
    selinux_mode => targeted
    selinux_policyversion => 21

--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
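
The suggestion above as a manifest fragment, added here as an example and not code posted by anyone in the thread: the `selboolean` resource is declared only when the `selinux` fact from the facter output reports true. It assumes the fact arrives as the string or the boolean `true`; the `persistent` setting and the `notify` in the else branch are additions for illustration.

```puppet
# Added example, not code from the thread.
# Assumption: the selinux fact is the string "true" (older Puppet/Facter)
# or the boolean true (newer releases); interpolating it covers both.
if "${selinux}" == 'true' {
  # SELinux is enabled (enforcing or permissive), so getsebool works
  # and the boolean can be managed.
  selboolean { 'httpd_can_network_connect':
    value      => on,
    persistent => true,  # write the value to the policy so it survives reboots
  }
} else {
  # SELinux is disabled: declaring the selboolean here would fail with
  # "getsebool: SELinux is disabled". Report the skip on every run so the
  # unmanaged boolean is visible in the agent log and reports.
  notify { 'httpd_can_network_connect not managed: SELinux is disabled': }
}
```

Newer Facter releases expose the same information as the structured fact `$facts['os']['selinux']['enabled']`.
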
> Hi,
>
> err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
> retrieve current state of resource: Execution of '/usr/sbin/getsebool
> httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
> disabled
>
>
> Is this behaviour intentional ? I mean, with selinux disabled it does
> not make sense to call getsebool or setsebool. For what I want to
> achieve (httpd can network connect) a disabled selinux is as good as
> setsebool.
That isn't quite true because if SELinux is ever re-enabled it might give the admin a nasty surprise if he thought the policies were actually set.
I don't have anything else to say because everything else I was going to say is covered better by Frank's email.
On 02/07/2010 05:20, Patrick Mohr wrote:
>
> On Jul 1, 2010, at 6:31 PM, Markus Falb wrote:
>
>> Hi,
>>
>> err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
>> retrieve current state of resource: Execution of '/usr/sbin/getsebool
>> httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
>> disabled
>>
>>
>> Is this behaviour intentional ? I mean, with selinux disabled it does
>> not make sense to call getsebool or setsebool. For what I want to
>> achieve (httpd can network connect) a disabled selinux is as good as
>> setsebool.
>
> That isn't quite true because if SELinux is ever re-enabled it might give the admin a nasty surprise if he thought the policies were actually set.
Correct, of course. Or do not play with such things on production
machines. Or manage selinux permissive/enforcing/disabled through puppet
as well as things like httpd can network connect.
> I don't have anything else to say because everything else I was going to say is covered better by Frank's email.
>
Thanks to Frank.
Thanks to you too, Patrick.