I'll snip the feedback (and thanks so much for that), and reframe the
question in terms of "What would you do?" when you see your options as
the following:
1) Set SELinux to 'permissive' instead of 'enforcing'
* Not really and option here, as we've been running RHEL with SELinux
in enforcing mode for at least four years, and we tout it as being
part of our defense-in-depth strategy
2) Abandon Chef try again with Puppet as our configuration management system
[This section is not open for comments]
3) Use/Adapt Chef to provide the SELInux support we need:
3.1) Wait until the project provides selinux file context in the file
resource
3.2) Add the patches to provide this, either doing so myself or
paying someone to do so.
-- I don't know if we have the budget to do this
-- I don't know if I have the time, with my rusty Ruby skills, to do
this very well myself
3.3) Work around the lack of SELinux support by using Ruby or Shell
blocks in the code to set file context appropriately, even if it's not
done idempotently.
Clearly, 3.2 is _right_ answer, but even that is fraught, as then
we'd be using our own build of Chef until the new code is pulled into
the project.
Any further thoughts out there?
-Peter
--
Peter Burkholder | Sr. System Administrator (consultant)
AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 20049
| aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
For optimal efficiency, I check email at 2-hour intervals during the workday
(except when on-call). Please use IM or phone to contact me for
urgent matters
Archive powered by MHonArc 2.6.16.