default SELinux mode and override possibility #65
You shouldn't be modifying the params.pp, that's the point of the class being parameterized. If you want to set different values per-host, either you need to have the logic in your Puppet code that determines the value and then pass that for the parameter, you need to include the selinux class separately per host (or per group of hosts with the same settings), or you need to inject the data via Hiera or an ENC.
Because of #64 we had to do something to get around the unintended default behavior. We have a baseclass.pp that we use on all our servers; this can be further divided into logical server groups. But however we divide things into logical groups, there will be exceptions to the rule of having SELinux enabled per default. How can one override the default setting? What I am looking for is an override option. We would like to have a default (global or per group of servers) that ensures that SELinux is in enforcing mode. There are always exceptions to such rules whether we like it or not. How can we override the default to set SELinux in permissive mode on a per host basis?
You'd do something like this:

```puppet
class baseclass ($selinux_mode = 'enforcing') {
  class { 'selinux':
    mode => $selinux_mode,
  }
}
```

Then you can set You could also do something like create a fact for whether you want SELinux or not or manually use the
Oh, the other option is since #67 fixed the module to not manage the SELinux mode when you don't explicitly set it, you can manually set it on every node and not specify it with the module, but that's just decreasing what you manage, which really isn't a solution.
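The wrapper-class approach from the comments above, carried through to a per-host exception, as an added example that is not part of the original thread or the module's own code. `baseclass`, `selinux_mode` and the `selinux` class's `mode` parameter come from the thread; the `Enum` type check (Puppet 4+), the node definitions and the hostname `legacy-app01.example.com` are assumptions for illustration.

```puppet
# Wrapper class: the site-wide default lives here, not in the module's params.pp.
class baseclass (
  # Assumption: limit the value to the three SELinux modes so a typo
  # fails catalog compilation instead of reaching the host.
  Enum['enforcing', 'permissive', 'disabled'] $selinux_mode = 'enforcing',
) {
  class { 'selinux':
    mode => $selinux_mode,
  }
}

# Hypothetical exception host: declare the wrapper with an explicit override.
# The same effect is available without touching manifests by setting the
# Hiera key `baseclass::selinux_mode: permissive` in that node's data file,
# which Puppet's automatic class parameter lookup picks up.
node 'legacy-app01.example.com' {
  class { 'baseclass':
    selinux_mode => 'permissive',
  }
}

# Every other node takes the enforcing default from the wrapper class.
node default {
  include baseclass
}
```

Keeping each exception as an explicit node declaration or Hiera key leaves a reviewable list of hosts that are not enforcing.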
As far as I can see the default SELinux mode is set to "disabled".
In the environment I am managing we are using SELinux in "enforcing" mode by default. I can achieve that with this module by either including the config below in baseclass.pp
```puppet
class { 'selinux':
  mode => 'enforcing',
}
```
Or, I can edit the manifests/params.pp file. I have opted for the latter, but it is a bit hackish and intrusive to your module.
What I can't seem to figure out is how to override this setting on a per host basis. There are hosts in the environment I am managing that we cannot have SELinux in enforcing mode, for various reasons.
What I am asking for is a way to set the default to enforcing in a proper manner, something that can be put in our baseclass.pp. And also a way to override the default setting on a per host basis.