[CentOS] selinux getsebool request

Wed Apr 13 08:50:29 UTC 2016
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 12 Apr 2016, John Jasen wrote:

> On 04/12/2016 02:31 PM, James Hogarth wrote:
>> For example:
>>
>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
>> &> /dev/null"
>
> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>>
>> Incidentally one nice trick if you're dealing with potentially changing
>> multiple booleans and the policy compile time is to either skip -P and
>> understand it's not persistent so puppet needs to fix at boot, or passing
>> multiple booleans to setsebool at the same time so the compile only happens
>> once.
>
> Huh. Stacking setsebool has a lot of potential. I should add remedial
> man-page reading to my list of tasks.
>
> I'm of the camp that systems should come up in a ready state, regardless
> of the immediate availability of puppet. So, using puppet to push
> SELinux changes without committing to on-disk policy alarms me.

I'm not sure I entirely understand this discussion.  Isn't this what puppet
does by default with selboolean?

# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Enabling persistence
Debug: Executing '/usr/sbin/setsebool -P httpd_can_network_connect on'
Notice: /Selboolean[httpd_can_network_connect]/value: value changed 'off' to 'on'
Debug: Finishing transaction 19351060
Debug: Storing state
Debug: Stored state in 0.20 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
   value => 'on',
}

Here you see it checking the value, deciding it's wrong, then setting it.

# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Finishing transaction 18309580
Debug: Storing state
Debug: Stored state in 0.18 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
   value => 'on',
}

Here it checks it, then leaves it alone as it's correct.

What am I missing?

jh