The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #9054

selboolean reports error if selinux is not enabled

Added by Darrell Fuhriman over 4 years ago. Updated about 2 years ago.

Status: Code Insufficient
Start date: 08/17/2011
Priority: Normal
Due date:
Assignee: Sean Millichamp
% Done: 0%
Category: SELinux
Target version: -
Affected Puppet version:
Branch:
Keywords:

This ticket is now tracked at: https://tickets.puppetlabs.com/browse/PUP-1844


Description

If an selboolean is defined for a class, but is executing on a host that does not have SELinux enabled, an error is reported. e.g.:

Execution of ‘/usr/sbin/getsebool httpd_can_network_connect’ returned 1: /usr/sbin/getsebool: SELinux is disabled

It should not be considered a failure, but perhaps a warning if you try to set/get an SELinux boolean on a host that does not have selinux enabled.

Before setting/getting the boolean, a quick call to getenforce could be made, and a warning issued if it returns “Disabled”.
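The check proposed above, sketched in Ruby as an added example (this is not code from the ticket or from Puppet's selboolean provider). The helper names, the injectable runner, the /usr/sbin/getenforce path and the three fake hosts are assumptions constructed for illustration; a host without the SELinux tools installed is treated the same as a disabled one.

```ruby
require 'open3'

# Default runner: returns [combined_output, exit_status]; a missing binary maps to 127.
SYSTEM_RUNNER = lambda do |*argv|
  begin
    out, status = Open3.capture2e(*argv)
    [out, status.exitstatus]
  rescue Errno::ENOENT
    ['', 127]
  end
end

# Hypothetical helper: true only when getenforce reports Enforcing or Permissive.
def selinux_enabled?(runner = SYSTEM_RUNNER)
  out, code = runner.call('/usr/sbin/getenforce') # path is an assumption
  code == 0 && %w[enforcing permissive].include?(out.strip.downcase)
end

# Hypothetical helper: returns [:on | :off | :skipped, warning_or_nil].
# A disabled SELinux yields a warning instead of a failed getsebool run.
def selboolean_value(name, runner = SYSTEM_RUNNER)
  unless selinux_enabled?(runner)
    return [:skipped, "SELinux is not enabled; skipping boolean #{name}"]
  end
  out, code = runner.call('/usr/sbin/getsebool', name)
  raise "getsebool #{name} returned #{code}: #{out.strip}" unless code == 0
  # getsebool prints "<name> --> on" or "<name> --> off"
  m = out.match(/\A#{Regexp.escape(name)} --> (on|off)\b/)
  raise "unexpected getsebool output: #{out.inspect}" unless m
  [m[1].to_sym, nil]
end

# Constructed stand-ins for three host states (no real commands are run).
def fake_host(enforce_out, enforce_code, bool_out, bool_code)
  lambda do |*argv|
    argv[0].end_with?('getenforce') ? [enforce_out, enforce_code] : [bool_out, bool_code]
  end
end

DISABLED_HOST  = fake_host("Disabled\n", 0, "/usr/sbin/getsebool: SELinux is disabled\n", 1)
ENFORCING_HOST = fake_host("Enforcing\n", 0, "httpd_can_network_connect --> off\n", 0)
NO_TOOLS_HOST  = fake_host('', 127, '', 127)

if __FILE__ == $PROGRAM_NAME
  [DISABLED_HOST, ENFORCING_HOST, NO_TOOLS_HOST].each do |host|
    p selboolean_value('httpd_can_network_connect', host)
  end
end
```

Returning the warning rather than silently skipping keeps hosts that run without SELinux confinement visible in the run report.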

History

#1 Updated by James Turnbull over 4 years ago

  • Description updated (diff)
  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Sean Millichamp

Sean – if you have a chance but no dramas if it’s not convenient.

#2 Updated by Sean Millichamp over 4 years ago

I’ve looked at this and I agree that the selboolean type ought to do nothing if SELinux is disabled. A workaround is to check the facter “selinux” variable to see if it is true or false and conditionalize it appropriately in the Puppet manifest.

I have a modified selboolean type that seems to properly detect and ignore a disabled SELinux, but it needs some polishing and likely a unit test.

#3 Updated by Cristian Ciupitu over 4 years ago

+1 for not doing anything if SELinux is disabled. I’m using puppet-2.6.11-1.el6.noarch on an OpenVZ container and I’m affected by this.

#4 Updated by Franz Pletz over 4 years ago

Sean, if you make the code available to me, I’ll polish it and write the tests. :)

#5 Updated by Franz Pletz over 4 years ago

  • Status changed from Needs Decision to Code Insufficient

#6 Updated by Sean Millichamp over 4 years ago

Franz,

I have pushed what I have to https://github.com/seanmil/puppet/tree/selinux/bug/9054_selboolean_fix

I took a stab at putting some tests together for it, but my RSpec-fu is too weak for the amount of time I have/had available.

I have a feeling that the selboolean type could be rewritten a lot cleaner, but for now I think the fixes in the above branch should address the reported issue. It has been a number of months since I originally hacked on it, but I did some limited testing on systems with SELinux installed but disabled and it seemed to address the issue. If the original reporters want to give the fix a spin that would be great.

Thanks!

#7 Updated by John Florian about 2 years ago

Redmine Issue #9054 has been migrated to JIRA:

https://tickets.puppetlabs.com/browse/PUP-1844
