[CentOS] selinux getsebool request

Wed Apr 13 09:12:40 UTC 2016
James Hogarth <james.hogarth at gmail.com>

On 13 April 2016 at 09:50, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:

> On Tue, 12 Apr 2016, John Jasen wrote:
>
> On 04/12/2016 02:31 PM, James Hogarth wrote:
>>
>>> For example:
>>>
>>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep
>>> on
>>> &> /dev/null"
>>>
>>
>> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>>
>>>
>>> Incidentally one nice trick if you're dealing with potentially changing
>>> multiple booleans and the policy compile time is to either skip -P and
>>> understand it's not persistent so puppet needs to fix at boot, or passing
>>> multiple booleans to setsebool at the same time so the compile only
>>> happens
>>> once.
>>>
>>
>> Huh. Stacking setsebool has a lot of potential. I should add remedial
>> man-page reading to my list of tasks.
>>
>> I'm of the camp that systems should come up in a ready state, regardless
>> of the immediate availability of puppet. So, using puppet to push
>> SELinux changes without committing to on-disk policy alarms me.
>>
>
> I'm not sure I entirely understand this discussion.  Isn't this what puppet
> does by default with selboolean?
>
> # puppet resource selboolean httpd_can_network_connect value=on
> persistent=true --debug
> Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0,
> run_mode=user, default_encoding=UTF-8
> Debug: Loaded state in 0.15 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool):
> Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool):
> Enabling persistence
> Debug: Executing '/usr/sbin/setsebool -P httpd_can_network_connect on'
> Notice: /Selboolean[httpd_can_network_connect]/value: value changed 'off'
> to 'on'
> Debug: Finishing transaction 19351060
> Debug: Storing state
> Debug: Stored state in 0.20 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool):
> Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> selboolean { 'httpd_can_network_connect':
>   value => 'on',
> }
>
> Here you see it checking the value, deciding it's wrong, then setting it.
>
> # puppet resource selboolean httpd_can_network_connect value=on
> persistent=true --debug
> Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0,
> run_mode=user, default_encoding=UTF-8
> Debug: Loaded state in 0.15 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool):
> Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> Debug: Finishing transaction 18309580
> Debug: Storing state
> Debug: Stored state in 0.18 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool):
> Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> selboolean { 'httpd_can_network_connect':
>   value => 'on',
> }
>
> Here it checks it, then leaves it alone as it's correct.
>
> What am I missing?
>
>
>
Nothing haha ... been awhile since I used puppet now (and last job where I
did had a policy of not enforcing selinux anyway)  ...

You are indeed correct that resource type is the better way to handle this
- totally forgot it existed.