Out of faint curiosity, how do we push change requests upstream to RHEL?
I'm using puppet to automate systems, including the application of SELinux policy. While setsebool -P is non-damaging to repeat, it is time consuming -- taking about 45 seconds per execution to process the existing policy and re-commit to disk.
I'd like a simple ability to put an unless in the execution of setsebool, to key off whether it's necessary -- to reduce a SELinux puppet run from 250 seconds to about 60. Unfortunately, in the current format, getsebool has defeated me.
Would it be possible to have getsebool extended, so something like getsebool -b $variablename would return true or false as the exit code?
On 12 Apr 2016 6:10 p.m., "John Jasen" jjasen@realityfailure.org wrote:
I'd start with a feature request upstream, or in Fedora, and then request a backport of that into RHEL after it is added.
For the purposes of your specific need can't you pipe getsebool to grep for your unless to check if it's set?
For example:
# match the reported state, anchored, so the "on" inside the boolean's own name cannot satisfy the check
unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -q -- '--> on$'"
Incidentally, one nice trick if you're dealing with potentially changing multiple booleans and the policy compile time is either to skip -P and understand it's not persistent, so puppet needs to fix it at boot, or to pass multiple booleans to setsebool at the same time so the compile only happens once.
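The two suggestions in the reply above, an unless-style check against getsebool output and batching every boolean that actually differs into one setsebool -P call, combined in a small POSIX shell script. This is an added example, not code from the thread: the function names (sebool_state, sebool_pending, sebool_command) and the sample getsebool -a dump are constructed for illustration. It also shows why the check has to be anchored on the reported state rather than a bare grep for "on": the boolean name httpd_can_network_connect itself contains the letters "on" (in "connect"), so an unanchored pattern matches whatever the current value is.

```shell
#!/bin/sh
# Added example (not from the thread): compute which SELinux booleans differ
# from the desired state and emit ONE 'setsebool -P' for all of them, so the
# policy is recompiled at most once per run. Function names are made up.
#
# getsebool prints one line per boolean:
#   httpd_can_network_connect --> on
# A bare 'grep on' is not a safe check, because the NAME can contain "on"
# (c-o-n-nect); match the "--> <state>" suffix instead.

# Print the current state ("on"/"off") of one boolean from a getsebool dump
# read on stdin; return 1 (printing nothing) if the boolean is absent.
sebool_state() {
    awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { exit !found }'
}

# Read a getsebool dump on stdin and take "name=value" pairs as arguments;
# print only the pairs whose current state differs from the desired one.
# Return 2 on a malformed value or an unknown boolean.
sebool_pending() {
    dump="$(cat)"
    for pair in "$@"; do
        name="${pair%%=*}"
        want="${pair#*=}"
        case "$want" in
            on|off) ;;
            *) echo "bad value: $pair" >&2; return 2 ;;
        esac
        have="$(printf '%s\n' "$dump" | sebool_state "$name")" || {
            echo "unknown boolean: $name" >&2
            return 2
        }
        [ "$have" = "$want" ] || printf '%s\n' "$pair"
    done
}

# Same inputs as sebool_pending; print the single command a run would execute,
# or "nothing to do" when every boolean is already correct. Pipe the output
# through sh (or drop the 'echo') to apply it for real.
sebool_command() {
    pending="$(sebool_pending "$@")" || return $?
    if [ -z "$pending" ]; then
        echo "nothing to do"
        return 0
    fi
    # One invocation, one policy compile, however many booleans changed.
    # (word-splitting $pending on newlines is intended)
    set -- $pending
    echo "setsebool -P $*"
}

# Constructed sample standing in for 'getsebool -a' on a freshly installed host.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> on
samba_enable_home_dirs --> off'

# Demo run; on a real host use:  getsebool -a | sebool_command name=on ...
printf '%s\n' "$SAMPLE_GETSEBOOL" |
    sebool_command httpd_can_network_connect=on httpd_enable_homedirs=on httpd_can_sendmail=on
```

In a puppet exec this is the shape the unless check wants: read the state once, compare it against every desired value, and run setsebool -P only when the pending list is non-empty, with all changed booleans on that one command line.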
On 04/12/2016 02:31 PM, James Hogarth wrote:
For example:
# match the reported state, anchored, so the "on" inside the boolean's own name cannot satisfy the check
unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -q -- '--> on$'"
D'oh! That's what I get for overcomplicating the whole darn thing. :)
Incidentally, one nice trick if you're dealing with potentially changing multiple booleans and the policy compile time is either to skip -P and understand it's not persistent, so puppet needs to fix it at boot, or to pass multiple booleans to setsebool at the same time so the compile only happens once.
Huh. Stacking setsebool has a lot of potential. I should add remedial man-page reading to my list of tasks.
I'm of the camp that systems should come up in a ready state, regardless of the immediate availability of puppet. So, using puppet to push SELinux changes without committing to on-disk policy alarms me.
Thanks for the ideas!
On Tue, 12 Apr 2016, John Jasen wrote:
I'm not sure I entirely understand this discussion. Isn't this what puppet does by default with selboolean?
# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Enabling persistence
Debug: Executing '/usr/sbin/setsebool -P httpd_can_network_connect on'
Notice: /Selboolean[httpd_can_network_connect]/value: value changed 'off' to 'on'
Debug: Finishing transaction 19351060
Debug: Storing state
Debug: Stored state in 0.20 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
  value => 'on',
}
Here you see it checking the value, deciding it's wrong, then setting it.
# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Finishing transaction 18309580
Debug: Storing state
Debug: Stored state in 0.18 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
  value => 'on',
}
Here it checks it, then leaves it alone as it's correct.
What am I missing?
jh
On 13 April 2016 at 09:50, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
Nothing haha ... been a while since I used puppet now (and the last job where I did had a policy of not enforcing selinux anyway) ...
You are indeed correct that resource type is the better way to handle this - totally forgot it existed.
re: puppet selboolean
And ... a double d'oh! for the day. That's just what I was looking for!
Thanks for pointing it out!
On 12/04/16 19:10, John Jasen wrote:
Trying to understand what you want to do, as puppet has native resource type for this :
class selinux::booleans::httpd_can_network_connect {
  selboolean { 'httpd_can_network_connect':
    value      => on,
    persistent => true,
  }
}
So why are you trying to use the Exec resource type mixed with unless?