What is selinux_config_mode? #222

Closed
ITler opened this issue May 18, 2016 · 9 comments

@ITler
Contributor

ITler commented May 18, 2016

Hi,

I've upgraded to 2.3.1-rc0 and tried to install zabbix from scratch in my vagrant box. This worked the day before, but today after the upgrade I get

Evaluation Error: Unknown variable: '::selinux_config_mode'. at /etc/puppetlabs/code/environments/dev/modules/zabbix/manifests/web.pp:429:14

The specs do not cover the case when the variable is not defined.

I'm working on a PR to make the module run.

@bastelfreak
Member

ah shit, I implemented selinux support, but the facts are only available on RHEL I think. I will provide a patch soon.

@ITler
Contributor Author

ITler commented May 18, 2016

My PR is getting green in travis.

@bastelfreak
Member

ah nice, you did #223

@bastelfreak
Member

this should be fixed now: #224

@sgnl05
Contributor

sgnl05 commented Jun 3, 2016

@bastelfreak I don't think we need to check $::selinux_config_mode, as long as we check that $::osfamily is 'RedHat'. Setting selbooleans on RHEL systems with selinux disabled makes no difference. If selinux is in permissive mode, this seboolean would only affect what warnings selinux would log.

@sgnl05
Contributor

sgnl05 commented Jun 3, 2016

In other words, I think zabbix_can_network should be set to 'on' no matter what state selinux is in. This of course goes for the proxy seboolean in #235 as well.

@bastelfreak
Member

ah interesting, I didn't know that. This would add a useless resource to the catalog but takes complexity from the module (and mocking from the spec tests).


@igalic @jyaworski what do you think here, should we remove the check for selinux_config_mode and always set the selinux selboolean?

@jyaworski
Member

Does Puppet handle selboolean and selmodule gracefully when selinux is disabled?

@igalic
Contributor

igalic commented Jun 13, 2016

@jyaworski my suspicion, with selstuff being rather built-in, would be yes.
but, let's just look at the code!!!


okay, so basically, the source code says, this provider does nothing much other than call getsebool/setsebool… so it boils down to how those binaries handle it.


sudo -H getsebool -a
getsebool:  SELinux is disabled
#  => return status 1

n.b.: i had to install selinux for this ;)
without the required commands this wouldn't work anyhow:

  commands :getsebool => "/usr/sbin/getsebool"
  commands :setsebool => "/usr/sbin/setsebool"
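
The getsebool behaviour discussed in this thread, as an added shell example that is not part of the thread, the module or Puppet itself: a wrapper that sets an seboolean idempotently and treats "SELinux is disabled" as a no-op instead of an error. The function name `ensure_sebool` and its return codes are assumptions made for this example; it also assumes the usual `name --> on|off` output of getsebool.

```shell
#!/bin/sh
# Added example: idempotent seboolean setter around getsebool/setsebool.
# Return codes (chosen for this example, not a standard):
#   0 = boolean already had the wanted value, or was changed successfully
#   3 = SELinux is disabled, nothing was done
#   1 = any other getsebool failure (unknown boolean, missing binary, ...)

ensure_sebool() {
    name=$1
    want=$2   # "on" or "off"

    # getsebool exits non-zero and prints "SELinux is disabled" when
    # SELinux is turned off (the behaviour shown in the thread).
    if ! out=$(getsebool "$name" 2>&1); then
        case $out in
            *"SELinux is disabled"*) return 3 ;;
            *) printf '%s\n' "$out" >&2; return 1 ;;
        esac
    fi

    # Assumed normal output: "zabbix_can_network --> off"
    # Keep only the last space-separated word as the current value.
    current=${out##* }
    if [ "$current" = "$want" ]; then
        return 0
    fi

    # -P makes the change persistent across reboots.
    setsebool -P "$name" "$want"
}
```

Called as `ensure_sebool zabbix_can_network on`, a return code of 3 lets the caller skip the boolean on hosts where SELinux is disabled while still failing on real errors.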
