[chef] Re: Re: Re: SELinux - not supported?

["Burkholder, Peter" < >]

I'll snip the feedback (and thanks so much for that), and reframe the 
question in terms of "What would you do?" when you see your options as the 
following:

1) Set SELinux to 'permissive' instead of 'enforcing'
* Not really and option here, as we've been running RHEL with SELinux in 
enforcing mode for at least four years, and we tout it as being part of our 
defense-in-depth strategy

2) Abandon Chef try again with Puppet as our configuration management system
[This section is not open for comments]

3) Use/Adapt Chef to provide the SELInux support we need:

3.1) Wait until the project provides selinux file context in the file 
resource 

3.2) Add the patches to provide this, either doing so myself or paying 
someone to do so.  
-- I don't know if we have the budget to do this
-- I don't know if I have the time, with my rusty Ruby skills, to do this 
very well myself

3.3) Work around the lack of SELinux support by using Ruby or Shell blocks in 
the code to set file context appropriately, even if it's not done 
idempotently.

Clearly, 3.2 is _right_ answer, but even that is fraught, as then we'd be 
using our own build of Chef until the new code is pulled into the project. 

Any further thoughts out there?

-Peter
--
Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049

 
 | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
 For optimal efficiency, I check email at 2-hour intervals during the workday
 (except when on-call). Please use IM or phone to contact me for urgent 
matters