chef - [chef] Re: SELinux - not supported?

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: SELinux - not supported?

From: Joshua Timberman < >
To:
Subject: [chef] Re: SELinux - not supported?
Date: Fri, 23 Dec 2011 09:22:28 -0700

Ohai Chefs!

We have an issue at tickets.opscode.com for this topic:

http://tickets.opscode.com/browse/COOK-759

This ticket covers:

* Setting enforcing/permissive/disabled based on an attribute
* Installing selinux Ruby library bindings
* Managing security contexts for Chef resources.

These features should be added to our existing "selinux" cookbook,
which currently only had recipes that set the local policy to
enforcing, permissive or disabled, respectively.

On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter
< >
wrote:
> Hi Chef Users:
>
> My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new
> config file had the wrong selinux context.
>
> {code}
> $ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
> -rw-r--r--  root root user_u:object_r:tmp_t:s0         /etc/ntp.conf
> -rw-r--r--  root root user_u:object_r:var_lib_t:s0
> /var/lib/chef/etc/ntp.conf.chef-20111222165615
> {code}
>
> Okay, no problem.  I'll just add the file context like I did with Puppet:
>
> {code}
>    seluser => "user_u",
>    selrole => "object_r",
>    seltype => "var_lib_t",
> {code}
>
> Oh, but wait, it seems there's no such support in Chef.  Is that so?  All I
> can find are various open tickets such as:
> http://tickets.opscode.com/browse/COOK-759
> http://tickets.opscode.com/browse/COOK-347
> http://tickets.opscode.com/browse/CHEF-1890
>
> The current cookbook says only this, "users are recommended to set SELinux
> to permissive mode, or disabled completely."
>
> I'm surprised and disappointed that this is the case.  Is there really no
> one using SeLinux under Chef?  Or is there a secret I'm not yet in on?
>
> Thanks,
>
> Peter
>
>
> --
> Peter Burkholder | Sr. System Administrator (consultant)
> AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC
> 20049
>
>  | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
>  For optimal efficiency, I check email at 2-hour intervals during the
> workday
>  (except when on-call). Please use IM or phone to contact me for urgent
> matters
>

--
Opscode, Inc
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman

[chef] SELinux - not supported?, Burkholder, Peter, 12/22/2011
- [chef] Re: SELinux - not supported?, Matthew Kent, 12/22/2011
  - [chef] Re: Re: SELinux - not supported?, Bryan Berry, 12/22/2011
  - [chef] Re: Re: SELinux - not supported?, KC Braunschweig, 12/22/2011
    - [chef] Re: Re: Re: SELinux - not supported?, Burkholder, Peter, 12/23/2011
      - [chef] Re: Re: Re: Re: SELinux - not supported?, Jake Vanderdray, 12/23/2011
      - [chef] Re: Re: Re: Re: SELinux - not supported?, Dmitry Zamaruev, 12/23/2011
  - [chef] Re: Re: SELinux - not supported?, Ranjib Dey, 12/22/2011
  - [chef] Re: Re: SELinux - not supported?, Andrea Campi, 12/22/2011
- [chef] Re: SELinux - not supported?, Alex Howells, 12/22/2011
- [chef] Re: SELinux - not supported?, Joshua Timberman, 12/23/2011
  - [chef] Re: Re: SELinux - not supported?, Sean OMeara, 12/23/2011
    - [chef] Re: Re: Re: SELinux - not supported?, Burkholder, Peter, 12/23/2011
      - [chef] Re: Re: Re: Re: SELinux - not supported?, Sean OMeara, 12/24/2011