[chef] Re: Re: Re: Re: SELinux - not supported?

[Sean OMeara < >]

No RSpec yet... It's just a first attempt at raw functionality.

Also, the libselinux-ruby binding from system packages will only work
if you're a system ruby. If you're running in RVM or omnibus you'll
need to compile the library against the appropriate ruby libs.

-s

On Fri, Dec 23, 2011 at 12:30 PM, Burkholder, Peter
<
 >
 wrote:
> Thanks for the patch, Sean.  I'll give this a try and see what happens.
>
> Is there any attendant RSpec or other test code that goes with this?
>
> Thanks,
>
> Peter
> On Dec 23, 2011, at 12:07 PM, Sean OMeara wrote:
>
>> Hi Peter,
>> I have experimental SELinux monkey patches for File and Directory
>> resources here:
>> https://github.com/someara/cookbooks/tree/selinux-monkeys
>> It tries to guess sane defaults by examining the default context for
>> the directory a file would be written to, and provides a way to
>> override it via the selinux_label attribute. Right now you have to
>> pass the whole label in as a text string instead of in parts.
>> Please feel free to test them!
>> Note that you'll need to install libselinux-ruby as a system
>> prerequisite before running Chef, since there's no way to get the
>> package installed via Chef because of the order Chef loads code.
>> -s
>> On Fri, Dec 23, 2011 at 11:22 AM, Joshua Timberman 
>> <
 >
>>  wrote:
>>> Ohai Chefs!
>>>
>>> We have an issue at tickets.opscode.com for this topic:
>>>
>>> http://tickets.opscode.com/browse/COOK-759
>>>
>>> This ticket covers:
>>>
>>> * Setting enforcing/permissive/disabled based on an attribute
>>> * Installing selinux Ruby library bindings
>>> * Managing security contexts for Chef resources.
>>>
>>> These features should be added to our existing "selinux" cookbook,
>>> which currently only had recipes that set the local policy to
>>> enforcing, permissive or disabled, respectively.
>>>
>>>
>>> On Thu, Dec 22, 2011 at 3:33 PM, Burkholder, Peter 
>>> <
 >
>>>  wrote:
>>>> Hi Chef Users:
>>>>
>>>> My initial NTP cookbook failed on a fresh RHEL 5.7 install because the 
>>>> new config file had the wrong selinux context.
>>>>
>>>> {code}
>>>> $ ls -Z /var/lib/chef/etc/ntp.conf.chef-20111222165615 /etc/ntp.conf
>>>> -rw-r--r--  root root user_u:object_r:tmp_t:s0         /etc/ntp.conf
>>>> -rw-r--r--  root root user_u:object_r:var_lib_t:s0     
>>>> /var/lib/chef/etc/ntp.conf.chef-20111222165615
>>>> {code}
>>>>
>>>> Okay, no problem.  I'll just add the file context like I did with Puppet:
>>>>
>>>> {code}
>>>>    seluser => "user_u",
>>>>    selrole => "object_r",
>>>>    seltype => "var_lib_t",
>>>> {code}
>>>>
>>>> Oh, but wait, it seems there's no such support in Chef.  Is that so?  
>>>> All I can find are various open tickets such as:
>>>> http://tickets.opscode.com/browse/COOK-759
>>>> http://tickets.opscode.com/browse/COOK-347
>>>> http://tickets.opscode.com/browse/CHEF-1890
>>>>
>>>> The current cookbook says only this, "users are recommended to set 
>>>> SELinux to permissive mode, or disabled completely."
>>>>
>>>> I'm surprised and disappointed that this is the case.  Is there really 
>>>> no one using SeLinux under Chef?  Or is there a secret I'm not yet in on?
>>>>
>>>> Thanks,
>>>>
>>>> Peter
>>>>
>>>>
>>>> --
>>>> Peter Burkholder | Sr. System Administrator (consultant)
>>>> AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 
>>>> 20049
>>>> 
 
>>>>  | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
>>>>  For optimal efficiency, I check email at 2-hour intervals during the 
>>>> workday
>>>>  (except when on-call). Please use IM or phone to contact me for urgent 
>>>> matters
>>>>
>>>
>>>
>>>
>>> --
>>> Opscode, Inc
>>> Joshua Timberman, Technical Program Manager
>>> IRC, Skype, Twitter, Github: jtimberman
>
> --
> Peter Burkholder | Sr. System Administrator (consultant)
> AARP | Digital Strategy & Operations | 601 E Street NW | Washington, DC 
> 20049
> 
 
>  | aim: peterbtech | w: 202-434-3530 | c: 202-344-7129
>  For optimal efficiency, I check email at 2-hour intervals during the 
> workday
>  (except when on-call). Please use IM or phone to contact me for urgent 
> matters
>