[chef] Re: Re: Re: SELinux - not supported?

["Burkholder, Peter" < >]

Thanks for the patch, Sean.  I'll give this a try and see what happens. 

Is there any attendant RSpec or other test code that goes with this?

Thanks,

Peter
On Dec 23, 2011, at 12:07 PM, Sean OMeara wrote:

> Hi Peter,
> I have experimental SELinux monkey patches for File and Directory
> resources here:
> https://github.com/someara/cookbooks/tree/selinux-monkeys
> It tries to guess sane defaults by examining the default context for
> the directory a file would be written to, and provides a way to
> override it via the selinux_label attribute. Right now you have to
> pass the whole label in as a text string instead of in parts.
> Please feel free to test them!
> Note that you'll need to install libselinux-ruby as a system
> prerequisite before running Chef, since there's no way to get the
> package installed via Chef because of the order Chef loads code.
> -s
> On Fri, Dec 23, 2011 at 11:22 AM, Joshua Timberman 
> <
 >
>  wrote:
>> Ohai Chefs!
>> 
>> We have an issue at tickets.opscode.com for this topic:
>> 
>> http://tickets.opscode.com/browse/COOK-759
>> 
>> This ticket covers:
>> 
>> * Setting enforcing/permissive/disabled based on an attribute
>> * Installing selinux Ruby library bindings
>> * Managing security contexts for Chef resources.
>> 
>> These features should be added to our existing "selinux" cookbook,
>> which currently only had recipes that set the local policy to
>> enforcing, permissive or disabled, respectively.
>> 
>> 
>> On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter 
>> <
 >
>>  wrote:
>>> Hi Chef Users:
>>> 
>>> My initial NTP cookbook failed on a fresh RHEL 5.7 install because the 
>>> new config file had the wrong selinux context.
>>> 
>>> {code}
>>> $ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
>>> -rw-r--r--  root root user_u:object_r:tmp_t:s0         /etc/ntp.conf
>>> -rw-r--r--  root root user_u:object_r:var_lib_t:s0     
>>> /var/lib/chef/etc/ntp.conf.chef-20111222165615
>>> {code}
>>> 
>>> Okay, no problem.  I'll just add the file context like I did with Puppet:
>>> 
>>> {code}
>>>    seluser => "user_u",
>>>    selrole => "object_r",
>>>    seltype => "var_lib_t",
>>> {code}
>>> 
>>> Oh, but wait, it seems there's no such support in Chef.  Is that so?  All 
>>> I can find are various open tickets such as:
>>> http://tickets.opscode.com/browse/COOK-759
>>> http://tickets.opscode.com/browse/COOK-347
>>> http://tickets.opscode.com/browse/CHEF-1890
>>> 
>>> The current cookbook says only this, "users are recommended to set 
>>> SELinux to permissive mode, or disabled completely."
>>> 
>>> I'm surprised and disappointed that this is the case.  Is there really no 
>>> one using SeLinux under Chef?  Or is there a secret I'm not yet in on?
>>> 
>>> Thanks,
>>> 
>>> Peter
>>> 
>>> 
>>> --
>>> Peter Burkholder | Sr. System Administrator (consultant)
>>> AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 
>>> 20049
>>> 
 
>>>  | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
>>>  For optimal efficiency, I check email at 2-hour intervals during the 
>>> workday
>>>  (except when on-call). Please use IM or phone to contact me for urgent 
>>> matters
>>> 
>> 
>> 
>> 
>> --
>> Opscode, Inc
>> Joshua Timberman, Technical Program Manager
>> IRC, Skype, Twitter, Github: jtimberman

--
Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049

 
 | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
 For optimal efficiency, I check email at 2-hour intervals during the workday
 (except when on-call). Please use IM or phone to contact me for urgent 
matters