- From: Jake Vanderdray <>
- To:
- Subject: [chef] Re: Re: Re: Re: SELinux - not supported?
- Date: Fri, 23 Dec 2011 10:20:00 -0500
I would think that 3.3 would be easy and could be idempotent. You can
write execute blocks with only_if that will test the context before
doing a chcon.
On Fri, Dec 23, 2011 at 10:11 AM, Burkholder, Peter <> wrote:
> I'll snip the feedback (and thanks so much for that), and reframe the
> question in terms of "What would you do?" when you see your options as the
> following:
>
> 1) Set SELinux to 'permissive' instead of 'enforcing'
> * Not really an option here, as we've been running RHEL with SELinux in
> enforcing mode for at least four years, and we tout it as being part of our
> defense-in-depth strategy
>
> 2) Abandon Chef, try again with Puppet as our configuration management system
> [This section is not open for comments]
>
> 3) Use/Adapt Chef to provide the SELinux support we need:
>
> 3.1) Wait until the project provides selinux file context in the file
> resource
>
> 3.2) Add the patches to provide this, either doing so myself or paying
> someone to do so.
> -- I don't know if we have the budget to do this
> -- I don't know if I have the time, with my rusty Ruby skills, to do this
> very well myself
>
> 3.3) Work around the lack of SELinux support by using Ruby or Shell blocks
> in the code to set file context appropriately, even if it's not done
> idempotently.
>
> Clearly, 3.2 is the _right_ answer, but even that is fraught, as then we'd be
> using our own build of Chef until the new code is pulled into the project.
>
> Any further thoughts out there?
>
> -Peter
> --
> Peter Burkholder | Sr. System Administrator (consultant)
> AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
>
> | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
> For optimal efficiency, I check email at 2-hour intervals during the workday
> (except when on-call). Please use IM or phone to contact me for urgent matters
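The guard Jake describes ("test the context before doing a chcon") as an added example, not code from the post, from Chef or from anyone on the list. It is plain Ruby so it runs without Chef: the `stat`/`chcon` commands are injected as lambdas and exercised against a constructed in-memory "filesystem", so the idempotency of the pattern can be shown offline. The path `/srv/app/index.html` and the type `httpd_sys_content_t` are assumed sample values; the Chef `execute`/`not_if` form shown in the comment is the assumed recipe equivalent of the same check.

```ruby
# Added example (not from the mailing-list thread): an idempotent
# "check the SELinux context, then chcon only if needed" guard.
#
# Assumed Chef equivalent of the same guard (execute + not_if):
#
#   execute "set httpd context on /srv/app/index.html" do
#     command "chcon -t httpd_sys_content_t /srv/app/index.html"
#     not_if  "stat -c %C /srv/app/index.html | grep -q ':httpd_sys_content_t:'"
#   end
#
# On a real host the lambdas below would wrap `stat -c %C PATH` (prints
# user:role:type:level) and `chcon -t TYPE PATH`.

# Parse the output of `stat -c %C` into its four fields.
def parse_context(stat_output)
  user, role, type, level = stat_output.to_s.strip.split(":", 4)
  raise ArgumentError, "not an SELinux context: #{stat_output.inspect}" if type.nil?
  { user: user, role: role, type: type, level: level }
end

# The not_if/only_if predicate: does the file still lack the wanted type?
def context_needs_change?(stat_output, wanted_type)
  parse_context(stat_output)[:type] != wanted_type
end

# The whole "resource": run chcon only when the guard says so.
# Returns true if chcon ran, false if the file was already correct.
def ensure_file_type(path, wanted_type, stat:, chcon:)
  return false unless context_needs_change?(stat.call(path), wanted_type)
  chcon.call(path, wanted_type)
  true
end

# Constructed offline fixture standing in for a RHEL host: a hash keyed by
# path holding each file's context, plus lambdas that read and rewrite it
# the way `stat -c %C` and `chcon -t` would.
def fake_host
  fs = {
    "/srv/app/index.html" => "unconfined_u:object_r:default_t:s0",
    "/srv/app/app.cgi"    => "system_u:object_r:httpd_sys_script_exec_t:s0",
  }
  stat  = ->(path) { fs.fetch(path) }
  chcon = lambda do |path, type|
    u, r, _old, l = fs.fetch(path).split(":", 4)
    fs[path] = [u, r, type, l].join(":")
  end
  [fs, stat, chcon]
end

# Run the "resource" twice on a fresh fixture: the first run converges the
# file, the second is a no-op because the guard short-circuits.
# Returns [ran_first_time, ran_second_time, final_context].
def demo
  fs, stat, chcon = fake_host
  path = "/srv/app/index.html"
  first  = ensure_file_type(path, "httpd_sys_content_t", stat: stat, chcon: chcon)
  second = ensure_file_type(path, "httpd_sys_content_t", stat: stat, chcon: chcon)
  [first, second, fs[path]]
end

if __FILE__ == $PROGRAM_NAME
  first, second, final = demo
  puts "first run ran chcon: #{first}, second run ran chcon: #{second}"
  puts "final context: #{final}"
end
```

The guard compares only the type field, which is what `chcon -t` changes; comparing the full `user:role:type:level` string would make the resource re-run forever on hosts whose SELinux user or level differs from what the recipe expects. One caveat that applies to any chcon-based workaround: a label set with `chcon` is not recorded in the policy's file-context database, so a later `restorecon` or a full relabel will reset it. Pairing the same guard with `semanage fcontext -a` followed by `restorecon` gives a label that survives relabelling.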
Archive powered by MHonArc 2.6.16.