On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
>
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
> &> /dev/null"

D'oh! That's what I get for overcomplicating the whole darn thing. :)

>
> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile time is to either skip -P and
> understand it's not persistent so puppet needs to fix at boot, or passing
> multiple booleans to setsebool at the same time so the compile only happens
> once.

Huh. Stacking setsebool has a lot of potential. I should add remedial man-page reading to my list of tasks.

I'm of the camp that systems should come up in a ready state, regardless of the immediate availability of puppet. So, using puppet to push SELinux changes without committing to on-disk policy alarms me.

Thanks for the ideas!
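As an added example (not code from the thread), a POSIX shell check that reads `getsebool` output, reports whether every wanted boolean already holds (the `unless` side), and builds the argument list for one batched `setsebool -P` so the policy is compiled once. It matches the whole `name --> value` line instead of grepping for `on`, because a boolean name such as `httpd_can_network_connect` itself contains those letters; the function names and the sample report are constructed.

```shell
#!/bin/sh
# getsebool prints one line per boolean, e.g. "httpd_can_network_connect --> off".
# Both functions read that report on stdin and take "name=value" arguments.

# Exit 0 only if every name=value already matches the report.
# Usable as the `unless` of a puppet exec:
#   unless => '/usr/sbin/getsebool -a | sebools_match httpd_can_network_connect=on'
sebools_match() {
    report=$(cat)
    for want in "$@"; do
        name=${want%%=*}
        value=${want#*=}
        # -x: whole line must match, -F: fixed string, so "--> on" is anchored.
        printf '%s\n' "$report" | grep -qxF -- "$name --> $value" || return 1
    done
    return 0
}

# Print, on one line, only the name=value pairs that differ from the report.
# Feed the result to a single invocation:  setsebool -P $(... | sebools_pending ...)
sebools_pending() {
    report=$(cat)
    out=""
    for want in "$@"; do
        name=${want%%=*}
        value=${want#*=}
        if ! printf '%s\n' "$report" | grep -qxF -- "$name --> $value"; then
            out="$out $want"
        fi
    done
    printf '%s\n' "${out# }"
}

# Constructed sample of a `getsebool -a` report (not captured from a real host).
SAMPLE_REPORT='httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_use_nfs --> off'
```

Against the sample report, `sebools_pending httpd_can_network_connect=on httpd_can_network_connect_db=on httpd_use_nfs=on` prints only the two booleans that are still off, which is exactly the argument list for one `setsebool -P` call.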