- From: Sean OMeara
- To:
- Subject: [chef] Re: Re: SELinux - not supported?
- Date: Fri, 23 Dec 2011 12:07:36 -0500
Hi Peter,
I have experimental SELinux monkey patches for File and Directory
resources here:
https://github.com/someara/cookbooks/tree/selinux-monkeys
It tries to guess sane defaults by examining the default context for
the directory a file would be written to, and provides a way to
override it via the selinux_label attribute. Right now you have to
pass the whole label in as a text string instead of in parts.
Please feel free to test them!
Note that you'll need to install libselinux-ruby as a system
prerequisite before running Chef, since there's no way to get the
package installed via Chef because of the order Chef loads code.
-s
On Fri, Dec 23, 2011 at 11:22 AM, Joshua Timberman wrote:
> Ohai Chefs!
>
> We have an issue at tickets.opscode.com for this topic:
>
> http://tickets.opscode.com/browse/COOK-759
>
> This ticket covers:
>
> * Setting enforcing/permissive/disabled based on an attribute
> * Installing selinux Ruby library bindings
> * Managing security contexts for Chef resources.
>
> These features should be added to our existing "selinux" cookbook,
> which currently only has recipes that set the local policy to
> enforcing, permissive or disabled, respectively.
>
> On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter wrote:
> > Hi Chef Users:
> >
> > My initial NTP cookbook failed on a fresh RHEL 5.7 install because the new
> > config file had the wrong selinux context.
> >
> > {code}
> > $ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
> > -rw-r--r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf
> > -rw-r--r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615
> > {code}
> >
> > Okay, no problem. I'll just add the file context like I did with Puppet:
> >
> > {code}
> > seluser => "user_u",
> > selrole => "object_r",
> > seltype => "var_lib_t",
> > {code}
> >
> > Oh, but wait, it seems there's no such support in Chef. Is that so? All
> > I can find are various open tickets such as:
> > http://tickets.opscode.com/browse/COOK-759
> > http://tickets.opscode.com/browse/COOK-347
> > http://tickets.opscode.com/browse/CHEF-1890
> >
> > The current cookbook says only this, "users are recommended to set SELinux
> > to permissive mode, or disabled completely."
> >
> > I'm surprised and disappointed that this is the case. Is there really no
> > one using SELinux under Chef? Or is there a secret I'm not yet in on?
> >
> > Thanks,
> >
> > Peter
> >
> > --
> > Peter Burkholder | Sr. System Administrator (consultant)
> > AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
> > | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
> > For optimal efficiency, I check email at 2-hour intervals during the
> > workday (except when on-call). Please use IM or phone to contact me for
> > urgent matters
>
> --
> Opscode, Inc
> Joshua Timberman, Technical Program Manager
> IRC, Skype, Twitter, Github: jtimberman
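As an added example (not Sean's monkey patches, and not Chef's or Puppet's own code), the Ruby below models the two labelling interfaces this thread contrasts: a whole label string, which is what Sean's `selinux_label` attribute takes, and Puppet-style parts (`seluser`, `selrole`, `seltype`) merged onto a default. It parses `ls -Z` lines like Peter's, reads the policy default from `matchpathcon` output (the sample output, including the `net_conf_t` type in it, is constructed for the example and not taken from the thread), and returns the `chcon` call needed, if any. `live_default_label` is the only part that touches a real host and returns nil when `matchpathcon` is not installed. All function, constant and struct names are the example's own.

```ruby
# Added example: SELinux label handling for a file a config tool is about to
# write. Not Sean's monkey patch and not Chef/Puppet code; names and sample
# data are this example's own assumptions.

# Match a label token such as user_u:object_r:tmp_t:s0. The MLS level is
# optional, so system_u:object_r:etc_t matches too.
LABEL_RE = /\A[^:\s]+:[^:\s]+_r:[^:\s]+_t(?::\S+)?\z/

SELinuxLabel = Struct.new(:user, :role, :type, :level) do
  # Parse a whole label string (the form a selinux_label attribute would take).
  def self.parse(str)
    parts = str.to_s.split(':', 4)
    raise ArgumentError, "bad SELinux label: #{str.inspect}" unless parts.size >= 3
    new(parts[0], parts[1], parts[2], parts[3])
  end

  def to_s
    [user, role, type, level].compact.join(':')
  end

  # Puppet-style partial override: replace only the parts given, keep the rest.
  def merge(seluser: nil, selrole: nil, seltype: nil, selrange: nil)
    SELinuxLabel.new(seluser || user, selrole || role, seltype || type, selrange || level)
  end
end

# Parse one line of `ls -Z` output. RHEL 5 prints mode, owner, group, label,
# path; newer coreutils insert more columns, so locate the label by its shape
# rather than by column position.
def parse_ls_z(line)
  fields = line.strip.split(/\s+/)
  idx = fields.index { |f| f =~ LABEL_RE }
  raise ArgumentError, "no SELinux label in: #{line.inspect}" unless idx
  { path: fields[(idx + 1)..-1].join(' '), label: SELinuxLabel.parse(fields[idx]) }
end

# matchpathcon prints "<path>\t<context>" per argument; pick the entry for path.
def default_label_from_matchpathcon(output, path)
  output.each_line do |l|
    p, ctx = l.chomp.split("\t", 2)
    return SELinuxLabel.parse(ctx) if p == path && ctx
  end
  nil
end

# Ask the running host for the policy's default label via libselinux's
# matchpathcon CLI; nil when the tool is missing or the path is unknown.
def live_default_label(path)
  out = IO.popen(['matchpathcon', path], &:read)
  $?.success? ? default_label_from_matchpathcon(out, path) : nil
rescue Errno::ENOENT
  nil
end

# Decide whether a file needs relabelling. The desired label is either the
# whole string (selinux_label) or the default with Puppet-style parts applied.
# Returns the chcon argv to run, or nil when the file already matches.
def plan_relabel(entry, default_label, selinux_label: nil, **parts)
  desired = if selinux_label
              SELinuxLabel.parse(selinux_label)
            else
              default_label.merge(**parts)
            end
  return nil if entry[:label] == desired
  ['chcon', desired.to_s, entry[:path]]
end

# Constructed sample data: the ls -Z lines mirror Peter's listing; the
# matchpathcon output is invented for the example (the real default type for
# ntp.conf is whatever the policy on the host reports).
SAMPLE_LS_Z = [
  '-rw-r--r-- root root user_u:object_r:tmp_t:s0 /etc/ntp.conf',
  '-rw-r--r-- root root user_u:object_r:var_lib_t:s0 /var/lib/chef/etc/ntp.conf.chef-20111222165615'
].freeze
SAMPLE_MATCHPATHCON = "/etc/ntp.conf\tsystem_u:object_r:net_conf_t:s0\n" \
                      "/etc\tsystem_u:object_r:etc_t:s0\n"

if $PROGRAM_NAME == __FILE__
  dflt  = default_label_from_matchpathcon(SAMPLE_MATCHPATHCON, '/etc/ntp.conf')
  entry = parse_ls_z(SAMPLE_LS_Z[0])
  puts "default: #{dflt}   current: #{entry[:label]}"
  p plan_relabel(entry, dflt)                                       # relabel to the default
  p plan_relabel(entry, dflt, seltype: 'tmp_t', seluser: 'user_u')  # nil: already matches
  p plan_relabel(entry, dflt, selinux_label: 'user_u:object_r:var_lib_t:s0')
end
```

The only part that must run on the target host is the comparison: the default label can be computed from `matchpathcon` (or the directory's default, as Sean's patch does) and the file's current label from `ls -Z`, and a relabel is issued only when the two differ, which is what keeps the resource idempotent.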