On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -qw on"
D'oh! That's what I get for overcomplicating the whole darn thing. :)
> Incidentally, one nice trick if you're dealing with potentially changing multiple booleans and the policy compile time is to either skip -P and understand it's not persistent, so puppet needs to fix it at boot, or pass multiple booleans to setsebool at the same time so the compile only happens once.
Huh. Stacking setsebool has a lot of potential. I should add remedial man-page reading to my list of tasks.
I'm of the camp that systems should come up in a ready state, regardless of the immediate availability of puppet. So, using puppet to push SELinux changes without committing to on-disk policy alarms me.
Thanks for the ideas!
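As an added example (not code from James or from this thread), a small sh helper that turns the two ideas above into one idempotent step: it compares desired name=on|off pairs against getsebool output using whole-line matches, so a boolean name that happens to contain "on" (httpd_can_network_c-on-nect) is never mistaken for an enabled one, and hands only the out-of-sync booleans to a single setsebool -P so the policy compiles once. The "name --> on|off" output format of getsebool is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes getsebool prints
# one "name --> on|off" line per boolean.

# sebool_pending name=on|off ...   (getsebool output on stdin)
# Prints only the desired settings whose current value differs.
sebool_pending() {
    current=$(cat)
    for want in "$@"; do
        name=${want%%=*}
        value=${want#*=}
        # -x matches the whole line, so "connect" can never satisfy "on"
        if ! printf '%s\n' "$current" | grep -qx "$name --> $value"; then
            printf '%s\n' "$want"
        fi
    done
}

# apply_sebools name=on|off ...
# One persistent setsebool call for everything out of sync; a no-op
# (and therefore safe to run from a puppet exec) when nothing differs.
apply_sebools() {
    pending=$(getsebool -a | sebool_pending "$@")
    [ -n "$pending" ] || return 0
    # shellcheck disable=SC2086  -- word-splitting on newlines is intended
    setsebool -P $pending
}
```

Because apply_sebools exits 0 without touching policy when every boolean already matches, it needs no separate unless check when wrapped in an exec.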