Bug #9054
selboolean reports error if selinux is not enabled
| Status: | Code Insufficient | Start date: | 08/17/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | SELinux | | |
| Target version: | - | | |
| Affected Puppet version: | | Branch: | |
| Keywords: | | | |
| Votes: | 1 | | |
Description
If an selboolean is defined for a class, but is executing on a host that does not have SELinux enabled, an error is reported. e.g.:
Execution of ‘/usr/sbin/getsebool httpd_can_network_connect’ returned 1: /usr/sbin/getsebool: SELinux is disabled
It should not be considered a failure, but perhaps a warning if you try to set/get an SELinux boolean on a host that does not have selinux enabled.
Before setting/getting the boolean, a quick call to getenforce could be made, and a warning issued if it returns “Disabled”.
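The getenforce pre-check proposed above, written out in Ruby as an added example (not code from Puppet's selboolean type or from the branch linked later in this ticket). The helper names and the injectable `runner` are assumptions made here, and the two lambdas are constructed stand-ins for a disabled and an enforcing host so the block runs without SELinux tools installed.

```ruby
require 'open3'

# Run a command; return [combined stdout/stderr, exit status].
# A missing binary is reported as status 127 instead of raising.
def run_command(*argv)
  out, status = Open3.capture2e(*argv)
  [out, status.exitstatus]
rescue Errno::ENOENT
  ['', 127]
end

# True only when getenforce itself reports Enforcing or Permissive.
def selinux_enabled?(runner = method(:run_command))
  out, code = runner.call('getenforce')
  code == 0 && %w[Enforcing Permissive].include?(out.strip)
end

# Returns [:ok, "on"/"off"], or [:skipped, warning] when SELinux is off.
# Any other getsebool failure still raises, so real errors stay visible.
def selboolean_value(name, runner = method(:run_command))
  unless selinux_enabled?(runner)
    return [:skipped, "SELinux is disabled; ignoring selboolean #{name}"]
  end
  out, code = runner.call('/usr/sbin/getsebool', name)
  raise "getsebool #{name} returned #{code}: #{out.strip}" unless code == 0
  value = out[/-->\s*(on|off)\b/, 1] # output looks like "<name> --> off"
  raise "unexpected getsebool output: #{out.strip}" if value.nil?
  [:ok, value]
end

# Constructed stand-ins for two hosts (not captured output).
DISABLED_HOST = lambda do |*argv|
  if argv.first == 'getenforce'
    ["Disabled\n", 0]
  else
    ["/usr/sbin/getsebool: SELinux is disabled\n", 1]
  end
end
ENFORCING_HOST = lambda do |*argv|
  argv.first == 'getenforce' ? ["Enforcing\n", 0] : ["#{argv.last} --> off\n", 0]
end

p selboolean_value('httpd_can_network_connect', DISABLED_HOST)
p selboolean_value('httpd_can_network_connect', ENFORCING_HOST)
```

A host where getenforce is not installed at all is treated the same as one reporting Disabled, so the boolean is skipped with a warning rather than failing the run.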
History
Updated by James Turnbull 9 months ago
- Description updated (diff)
- Status changed from Unreviewed to Needs Decision
- Assignee set to Sean Millichamp
Sean – if you have a chance but no dramas if it’s not convenient.
Updated by Sean Millichamp 8 months ago
I’ve looked at this and I agree that the selboolean type ought to do nothing if SELinux is disabled. A workaround is to check the facter “selinux” variable to see if it is true or false and condition it appropriately in the Puppet manifest.
I have a modified selboolean type that seems to properly detect and ignore a disabled SELinux, but it needs some polishing and likely a unit test.
Updated by Cristian Ciupitu 6 months ago
+1 for not doing anything if SELinux is disabled. I’m using puppet-2.6.11-1.el6.noarch on an OpenVZ container and I’m affected by this.
Updated by Franz Pletz 4 months ago
Sean, if you make the code available to me, I’ll polish it and write the tests. :)
Updated by Franz Pletz 4 months ago
- Status changed from Needs Decision to Code Insufficient
Updated by Sean Millichamp 4 months ago
Franz,
I have pushed what I have to https://github.com/seanmil/puppet/tree/selinux/bug/9054_selboolean_fix
I took a stab at putting some tests together for it, but my RSpec-fu is too weak for the amount of time I have/had available.
I have a feeling that the selboolean type could be rewritten a lot cleaner, but for now I think the fixes in the above branch should address the reported issue. It has been a number of months since I originally hacked on it, but I did some limited testing on systems with SELinux installed but disabled and it seemed to address the issue. If the original reporters want to give the fix a spin that would be great.
Thanks!