On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
>
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
> &> /dev/null"

D'oh! That's what I get for overcomplicating the whole darn thing. :)

> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile time is to either skip -P and
> understand it's not persistent so puppet needs to fix at boot, or passing
> multiple booleans to setsebool at the same time so the compile only happens
> once.

Huh. Stacking setsebool has a lot of potential. I should add remedial
man-page reading to my list of tasks.

I'm of the camp that systems should come up in a ready state, regardless
of the immediate availability of puppet. So, using puppet to push
SELinux changes without committing to on-disk policy alarms me.

Thanks for the ideas!
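One way to combine the two ideas above (the getsebool check from the exec's unless guard and James's "pass several booleans to one setsebool -P so the policy compiles once"), as an added example that is not code from the thread; the boolean names and the getsebool output are constructed samples:

```bash
#!/bin/bash
# Added example, not code from the thread: turn a desired set of SELinux
# booleans into at most one `setsebool -P` call, and into no call at all
# when `getsebool` already reports the desired values. The boolean names
# are hypothetical and the getsebool output below is a constructed sample.

# Desired state as "name=value" pairs (the multi-boolean form setsebool accepts).
DESIRED="httpd_can_network_connect=on httpd_can_sendmail=on ftpd_anon_write=off"

# drift_args DESIRED   (stdin: `getsebool -a` style lines "name --> on|off")
# Prints only the pairs whose live value differs from the desired one.
drift_args() {
    local desired=$1 current out="" pair name want have
    current=$(cat)
    for pair in $desired; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            echo "warning: boolean $name not reported by getsebool" >&2
            continue
        fi
        # Idempotence check: keep the pair only when it has drifted.
        [ "$have" = "$want" ] || out="$out $pair"
    done
    printf '%s' "${out# }"
}

# setsebool_cmd DESIRED   (stdin as above)
# Prints the single persistent setsebool command line, or nothing when every
# boolean already matches, so the policy is rebuilt at most once per run.
setsebool_cmd() {
    local args
    args=$(drift_args "$1")
    if [ -n "$args" ]; then
        printf '/usr/sbin/setsebool -P %s' "$args"
    fi
}

# Constructed sample of getsebool output: two of the three booleans drifted.
SAMPLE='httpd_can_network_connect --> off
httpd_can_sendmail --> on
ftpd_anon_write --> on'

# Stand-alone demo: print the command that would bring the sample into line.
printf '%s\n' "$SAMPLE" | setsebool_cmd "$DESIRED"; echo
```

On a real host, feed it `getsebool -a` instead of the sample and run the printed command (or wrap the same logic in an exec whose unless runs drift_args and checks for empty output).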
On Tue, 12 Apr 2016, John Jasen wrote:
> On 04/12/2016 02:31 PM, James Hogarth wrote:
>> For example:
>>
>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
>> &> /dev/null"
>
> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>
>> Incidentally one nice trick if you're dealing with potentially changing
>> multiple booleans and the policy compile time is to either skip -P and
>> understand it's not persistent so puppet needs to fix at boot, or passing
>> multiple booleans to setsebool at the same time so the compile only happens
>> once.
>
> Huh. Stacking setsebool has a lot of potential. I should add remedial
> man-page reading to my list of tasks.
>
> I'm of the camp that systems should come up in a ready state, regardless
> of the immediate availability of puppet. So, using puppet to push
> SELinux changes without committing to on-disk policy alarms me.

I'm not sure I entirely understand this discussion. Isn't this what puppet
does by default with selboolean?
# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Enabling persistence
Debug: Executing '/usr/sbin/setsebool -P httpd_can_network_connect on'
Notice: /Selboolean[httpd_can_network_connect]/value: value changed 'off' to 'on'
Debug: Finishing transaction 19351060
Debug: Storing state
Debug: Stored state in 0.20 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
  value => 'on',
}

Here you see it checking the value, deciding it's wrong, then setting it.

# puppet resource selboolean httpd_can_network_connect value=on persistent=true --debug
Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8
Debug: Loaded state in 0.15 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
Debug: Finishing transaction 18309580
Debug: Storing state
Debug: Stored state in 0.18 seconds
Debug: Selboolean[httpd_can_network_connect](provider=getsetsebool): Retrieving value of selboolean httpd_can_network_connect
Debug: Executing '/usr/sbin/getsebool httpd_can_network_connect'
selboolean { 'httpd_can_network_connect':
  value => 'on',
}

Here it checks it, then leaves it alone as it's correct.

What am I missing?

jh
On 13 April 2016 at 09:50, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Tue, 12 Apr 2016, John Jasen wrote:
>
>> On 04/12/2016 02:31 PM, James Hogarth wrote:
>>
>>> For example:
>>>
>>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep
>>> on
>>> &> /dev/null"
>>>
>>
>> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>>
>>> Incidentally one nice trick if you're dealing with potentially changing
>>> multiple booleans and the policy compile time is to either skip -P and
>>> understand it's not persistent so puppet needs to fix at boot, or passing
>>> multiple booleans to setsebool at the same time so the compile only
>>> happens
>>> once.
>>>
>>
>> Huh. Stacking setsebool has a lot of potential. I should add remedial
>> man-page reading to my list of tasks.
>>
>> I'm of the camp that systems should come up in a ready state, regardless
>> of the immediate availability of puppet. So, using puppet to push
>> SELinux changes without committing to on-disk policy alarms me.
>>
>
> I'm not sure I entirely understand this discussion. Isn't this what puppet
> does by default with selboolean?
>
> What am I missing?
>

Nothing haha ... been a while since I used puppet now (and last job where I
did had a policy of not enforcing selinux anyway) ... You are indeed correct
that resource type is the better way to handle this - totally forgot it
existed.