How do you do SELinux with Salt?


Dominic Hopf

Feb 7, 2017, 11:15:17 AM
to salt-...@googlegroups.com
Greetings,

I'm currently stumbling a bit when trying to use SELinux with SaltStack. There are at least two different things/issues which currently don't work properly. Or probably I just haven't found the right documentation yet. :-)

One thing is, that I've tried to ensure SELinux is enabled using Salt according to this documentation:

When trying to run my Salt-Code I get an error message like this:

          ID: projectname-selinux-mode
    Function: selinux.mode
        Name: enforcing
      Result: False
     Comment: State 'selinux.mode' was not found in SLS 'projectname.selinux'
              Reason: 'selinux' __virtual__ returned False
     Changes:   
----------
          ID: projectname-selinux-nginx-module
    Function: selinux.module
        Name: nginx
      Result: False
     Comment: State 'selinux.module' was not found in SLS 'projectname.selinux'
              Reason: 'selinux' __virtual__ returned False
     Changes:   

It looks like the documented features just don't exist or were disabled for some reason?

The second thing is that I'm trying to set the SELinux Context or Label, but the only feature I found for this is the file.set_selinux_context module as documented here:
It is okay to use it so far via module.run, but it's then executed at any time without checking if the context has already been set properly before.
What I expected was more or less something similar to the mode you can set when using file.managed or file.directory.

So are there any guys out there who also use SELinux with SaltStack? If yes, how do you ensure it's enabled? How do you set contexts?

Thanks very much in advance for any ideas & Best Regards,
Dominic

Loren Gordon

Feb 7, 2017, 11:32:32 AM
to Salt-users
We use salt to ensure selinux is enabled and enforcing, but do not manage contexts with salt. We found that we needed to install two packages for salt to load the selinux module.

yum install policycoreutils-python selinux-policy-targeted

That works for RHEL/CentOS. Can't speak to others.

-Loren

Dominic Hopf

Feb 8, 2017, 5:39:52 AM
to salt-...@googlegroups.com
Hi Loren,

thanks very much for your response, installing those packages fixed at least the issue with setting the selinux.mode for me as well (also using CentOS 7 here).
For the contexts I'll stay with running the module for now.

Regards,
Dominic
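
The two points from this thread combined into one SLS file, as an added example that is not from any of the posters: the packages Loren names are installed before selinux.mode runs, and the context change is guarded so it only executes when the label differs. The path /srv/www, the type httpd_sys_content_t and all state IDs except projectname-selinux-mode are assumed sample values, and cmd.run with chcon stands in for the module.run call discussed above.

```yaml
# Added example, not from the thread.
# Assumed sample values: /srv/www, httpd_sys_content_t, and the state IDs
# projectname-selinux-packages and projectname-webroot-context.

# Packages from Loren's reply; without them the 'selinux' state module's
# __virtual__ returns False on RHEL/CentOS and the states below are "not found".
projectname-selinux-packages:
  pkg.installed:
    - pkgs:
      - policycoreutils-python
      - selinux-policy-targeted
    # Reload Salt's modules after this state so selinux.* can load
    # in the same run.
    - reload_modules: True

projectname-selinux-mode:
  selinux.mode:
    - name: enforcing
    - require:
      - pkg: projectname-selinux-packages

# Idempotent context change: 'unless' skips the command when the type field
# of the current label (user:role:type:level) already matches.
projectname-webroot-context:
  cmd.run:
    - name: chcon -t httpd_sys_content_t /srv/www
    - unless: "stat -c %C /srv/www | grep -q ':httpd_sys_content_t:'"
    - require:
      - selinux: projectname-selinux-mode
```

Later Salt releases added selinux.fcontext_policy_present and selinux.fcontext_policy_applied states, which manage file context policy directly.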