Puppet users - Jan 2009 - libselinux ruby bindings

Hello,

Any idea how to get these ruby bindings installed on machines other than
fedora >= 10 ? It seems to be required for using selinux with puppet 0.24.7.

Thanks !
Marc



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi
> Any idea how to get these ruby bindings installed on machines other than
> fedora >= 10 ? It seems to be required for using selinux with puppet
0.24.7.
repackage it from the srpm? didn''t do that yet, however i''ll
have to
do it for centos some time. so would be nice if you can inform about  
any success.

cheers pete

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

> > Any idea how to get these ruby bindings installed on machines other
> > than fedora >= 10 ? It seems to be required for using selinux with
> > puppet 0.24.7.
> 
> repackage it from the srpm? didn''t do that yet, however
i''ll have to
> do it for centos some time. so would be nice if you can inform about  
> any success.
I''ve been this way. It appears this ruby binding is part of libselinux.
It
is generated with swig. {Centos,Redhat} 5.x ship with libselinux 1.33.4.
Fedora 10 comes with 2.0.73.

The API has changed between both versions. So a regular repackaging would
be difficult (things like pam, sysvinit and coreutils depend on it).

This leaves us with an interesting packaging challenge ;)

It seems to me the way to go would be to have a swig specialist do magic
things with the source version of libselinux-1.33.4.rpm. Can anyone help
with that ?

Marc




--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Marc Fournier wrote:
> I''ve been this way. It appears this ruby binding is part of
> libselinux. It is generated with swig. {Centos,Redhat} 5.x ship with
> libselinux 1.33.4.  Fedora 10 comes with 2.0.73.
>
> The API has changed between both versions. So a regular repackaging
> would be difficult (things like pam, sysvinit and coreutils depend
> on it).
>
> This leaves us with an interesting packaging challenge ;)
>
> It seems to me the way to go would be to have a swig specialist do
> magic things with the source version of libselinux-1.33.4.rpm. Can
> anyone help with that ?
The Fedora Infrastructure folks are keen to use the SELinux support
and have a mix of Fedora and RHEL boxes.  And some of them happen to
sit in the same offices as Dan Walsh, the libselinux maintainer for
Fedora and RHEL.  I believe that they''re inquiring about enabling the
ruby bindings for RHEL.

So patience might be all that it takes.  (Failing that, patching
puppet to use the old, slower stat and matchpathcon calls would
probably be far easier than updating libselinux on RHEL.)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
He was busy creating hell for people who ask such questions.
    -- St. Augustin, in reply to "What was God doing before creation?

> The Fedora Infrastructure folks are keen to use the SELinux support
> and have a mix of Fedora and RHEL boxes.  And some of them happen to
> sit in the same offices as Dan Walsh, the libselinux maintainer for
> Fedora and RHEL.  I believe that they''re inquiring about enabling
the
> ruby bindings for RHEL.
Ok, good to know !
> So patience might be all that it takes.  (Failing that, patching
> puppet to use the old, slower stat and matchpathcon calls would
> probably be far easier than updating libselinux on RHEL.)
Apparently just downgrading the following files from 0.24.7 to 0.24.6
is sufficient to get selinux to work again on redhat/centos 5:

lib/puppet/type/file/selcontext.rb
lib/puppet/util/selinux.rb

Marc



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

I''ve just been really really badly bitten by the use of the ruby
selinux bindings, see
http://projects.reductivelabs.com/issues/show/1852

The effect of the silent failure when the ruby SELinux bindings are
not installed is horrific. In short, every run of puppetd triggers a
refresh of everything. To add insult to injury, the ruby SELinux
bindings are not even available for my platform and it''s not clear
when/if they ever will be. See my comment in the bug report for a more
detailed explanation.

I know it''s really rude to complain about software that kind people
make available for free, but seriously guys, RHEL and its variants
(CentOS, Scientific Linux) are very popular distributions, especially
for people who don''t like things breaking too often :-) What were you
thinking when you knowingly broke puppet on them?

Rant over. At least I can still use puppet to install Marc Fournier''s
work-around. Thanks Marc!
--
Tom

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

2009/1/21 twpayne <twpayne@gmail.com>:
> ... the ruby SELinux
> bindings are not even available for my platform and it''s not clear
> when/if they ever will be.
Further to my rant a couple of days ago, I''ve created a minimal set of
SELinux bindings which are sufficient for puppet.  The software is at:
  http://github.com/twpayne/libselinux-ruby-puppet
and it includes a spec file so you can build an RPM.

I''ve tested them lightly on CentOS 5.2 and they seem to work.

Regards,
-- 
Tom

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---