[chef] Re: Re: Community cookbook & SELinux Configuration


  • From: Greg Barker
  • Subject: [chef] Re: Re: Community cookbook & SELinux Configuration
  • Date: Wed, 14 Jan 2015 20:31:33 -0800

Hmmm, I'm actually using the CentOS 6.6 bento box. It looks like SELinux is supposed to be permissive?

I just tried with a simple Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "opscode-centos-6.6"
  config.vm.box_url = "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.6_chef-provisionerless.box"
end

Is this what I'm supposed to be seeing with that box?

$ vagrant up
$ vagrant ssh
~]$ getenforce
Enforcing
~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

On Wed, Jan 14, 2015 at 7:52 PM, Julian C. Dunn wrote:
On Wed, Jan 14, 2015 at 6:38 PM, Greg Barker wrote:
> What's the appropriate way to handle SELinux configuration for a Vagrantfile
> or .kitchen.yml that ships with a community cookbook?
>
> I updated the nexus cookbook to use a new base box in the Vagrantfile and
> now it will fail if you have recipe[nginx] on the run list, because the new
> base box has SELinux enabled.
>
> Is there a way to require the selinux cookbook as a dependency but only for
> Vagrant & Test Kitchen? I was thinking of using that to just disable SELinux
> but I wouldn't want it to be a mandatory dependency for everyone.

My personal opinion (as one of the maintainers of the bento project)
is to just use baseboxes that have SELinux in a permissive state
(enabled but not enforcing). That gives the greatest flexibility
whilst testing.

- Julian

--
[ Julian C. Dunn                               * Sorry, I'm    ]
[ WWW: http://www.aquezada.com/staff/julian    * only Web 1.0  ]
[ gopher://sdf.org/1/users/keymaker/           * compliant!    ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9       ]
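The check Greg ran by hand (getenforce plus a look at /etc/selinux/config), as an added example that is not from the thread or from the bento or nexus projects: a small POSIX sh audit a cookbook's Vagrant or Test Kitchen setup could run before converging, reporting whether the box is in the permissive state Julian recommends, whether the configured and runtime modes disagree, or whether SELinux is disabled outright. The function names are my own; the sample config is constructed from the one pasted above, and the parser deliberately skips the commented example lines that also contain the keyword.

```shell
# Added example, not from the thread: audit a test box's SELinux state before converging.
# Function names are my own; nothing here changes the box.

# SELINUX= value from an /etc/selinux/config-style file. Commented lines such as
# "#     enforcing - ..." also contain the keyword, so only an uncommented setting counts.
selinux_configured_mode() {
  mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
  if [ -n "$mode" ]; then printf '%s\n' "$mode" | tr 'A-Z' 'a-z'; else printf 'unset\n'; fi
}

# Runtime mode from getenforce, lower-cased; "unknown" if the tool is absent.
selinux_runtime_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce | tr 'A-Z' 'a-z'; else printf 'unknown\n'; fi
}

# Verdict following the advice in the thread: permissive (enabled, not enforcing)
# is the target for a test box. Arguments: configured mode, runtime mode.
selinux_box_verdict() {
  case "$1:$2" in
    permissive:permissive) printf 'ok: permissive, denials are logged but not enforced\n' ;;
    *:enforcing)           printf 'enforcing: converge can fail on denials, as with recipe[nginx]\n' ;;
    enforcing:*)           printf 'enforcing after reboot: runtime is %s but config says enforcing\n' "$2" ;;
    disabled:*|*:disabled) printf 'disabled: no AVC messages, so policy problems stay hidden\n' ;;
    *)                     printf 'mismatch: config=%s runtime=%s\n' "$1" "$2" ;;
  esac
}

# Constructed sample reproducing the config pasted from the CentOS 6.6 box.
write_sample_config() {
  cat > "$1" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Usage on a real box: sh selinux_check.sh --check
if [ "${1:-}" = "--check" ]; then
  selinux_box_verdict "$(selinux_configured_mode /etc/selinux/config)" "$(selinux_runtime_mode)"
fi
```

Run with --check inside the box (vagrant ssh) to see the verdict for the real /etc/selinux/config and getenforce; on Greg's box above it reports the enforcing case.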