On 13 April 2016 at 09:50, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Tue, 12 Apr 2016, John Jasen wrote:
>
>> On 04/12/2016 02:31 PM, James Hogarth wrote:
>>
>>> For example:
>>>
>>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on &> /dev/null"
>>>
>>
>> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>>
>>> Incidentally one nice trick if you're dealing with potentially changing
>>> multiple booleans and the policy compile time is to either skip -P and
>>> understand it's not persistent so puppet needs to fix at boot, or passing
>>> multiple booleans to setsebool at the same time so the compile only
>>> happens once.
>>>
>>
>> Huh. Stacking setsebool has a lot of potential. I should add remedial
>> man-page reading to my list of tasks.
>>
>> I'm of the camp that systems should come up in a ready state, regardless
>> of the immediate availability of puppet. So, using puppet to push
>> SELinux changes without committing to on-disk policy alarms me.
>>
>
> I'm not sure I entirely understand this discussion. Isn't this what puppet
> does by default with selboolean?
>
> # puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
> Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
> Debug: Loaded state in 0.15 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Enabling persistence
> Debug: Executing '/usr/sbin/setsebool -P httpd_can_network_connect on'
> Notice: /Selboolean[httpd_can_network_connect]/value: value changed 'off' to 'on'
> Debug: Finishing transaction 19351060
> Debug: Storing state
> Debug: Stored state in 0.20 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> selboolean { 'httpd_can_network_connect':
>   value => 'on',
> }
>
> Here you see it checking the value, deciding it's wrong, then setting it.
>
> # puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
> Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
> Debug: Loaded state in 0.15 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> Debug: Finishing transaction 18309580
> Debug: Storing state
> Debug: Stored state in 0.18 seconds
> Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
> Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
> selboolean { 'httpd_can_network_connect':
>   value => 'on',
> }
>
> Here it checks it, then leaves it alone as it's correct.
>
> What am I missing?
>
>

Nothing haha ... been a while since I used puppet now (and last job where I did had a policy of not enforcing selinux anyway) ... You are indeed correct that resource type is the better way to handle this - totally forgot it existed.
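For readers who still need the exec-style fallback from the quoted thread (for example on a host without the selboolean provider), here is an added shell example showing the two ideas discussed above: an idempotent check of the current boolean value, and batching every out-of-sync boolean into a single `setsebool -P` call so the policy is recompiled once. This is not code from the thread or from Puppet. It parses the third field of the real `name --> on|off` format that `getsebool` prints rather than grepping for `on`, because the string `on` also occurs inside boolean names such as `httpd_can_network_connect`, so `grep on` would match whether the value is on or off; `&>` is also bash-only, which matters for an `exec` that runs under a POSIX shell. The desired-state list and the `getsebool` output are constructed samples; the function names are assumptions of this example.

```bash
#!/bin/sh
# Added example: reconcile SELinux booleans with one persistent setsebool call.
# Desired state (constructed sample): name=value pairs.
DESIRED="httpd_can_network_connect=on httpd_enable_homedirs=off samba_enable_home_dirs=on"

# Constructed sample of `getsebool -a` output (real format: "name --> value").
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# Constructed sample where every boolean already matches DESIRED.
SAMPLE_IN_SYNC='httpd_can_network_connect --> on
httpd_enable_homedirs --> off
samba_enable_home_dirs --> on'

# current_value NAME OUTPUT: print the boolean's value (on/off) from getsebool
# output; exit 1 if the boolean is not listed. Matches on the whole first field
# and the third field, so substrings like "on" inside a name cannot confuse it.
current_value() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# pending_changes OUTPUT: print one name=value line per boolean whose current
# value differs from DESIRED; exit 2 if a desired boolean is unknown.
pending_changes() {
    out="$1"
    for pair in $DESIRED; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(current_value "$name" "$out") || {
            echo "unknown boolean: $name" >&2
            return 2
        }
        [ "$have" = "$want" ] || printf '%s=%s\n' "$name" "$want"
    done
}

# build_setsebool_cmd OUTPUT: print the single `setsebool -P` command that
# fixes every drifted boolean at once (one policy compile), or nothing if the
# host is already in the desired state. Only prints; it never runs setsebool.
build_setsebool_cmd() {
    changes=$(pending_changes "$1") || return $?
    [ -n "$changes" ] || return 0
    printf 'setsebool -P %s\n' "$(printf '%s' "$changes" | tr '\n' ' ')"
}

# Usage with the constructed sample: prints
# "setsebool -P httpd_can_network_connect=on samba_enable_home_dirs=on".
build_setsebool_cmd "$SAMPLE_GETSEBOOL"
```

On a live host you would feed `build_setsebool_cmd "$(getsebool -a)"` and only execute the printed command when it is non-empty, which gives the same check-then-change behaviour the `selboolean` debug output above shows, but with one policy compile for any number of booleans.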