Hi,

err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
retrieve current state of resource: Execution of '/usr/sbin/getsebool
httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
disabled

Is this behaviour intentional? I mean, with selinux disabled it does
not make sense to call getsebool or setsebool. For what I want to
achieve (httpd can network connect) a disabled selinux is as good as
setsebool.

I wonder how to work around this error. I tried the following, but this
does not work. I believe that selboolean does not support refreshing.

    exec { "selinuxenabled":
      command => "/bin/true",
      onlyif  => "/usr/sbin/selinuxenabled",
    }

    selboolean { "httpd_can_network_connect":
      value     => on,
      subscribe => Exec["selinuxenabled"],
    }

--
best regards,
markus

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 7/1/2010 9:31 PM, Markus Falb wrote:
> Hi,
>
> err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
> retrieve current state of resource: Execution of '/usr/sbin/getsebool
> httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
> disabled

The simplest way would probably be to make that chunk of the manifest
conditional on the selinux facts:

    [root@jms ~]# facter -p | grep sel
    selinux => true
    selinux_enforced => false
    selinux_mode => targeted
    selinux_policyversion => 21

--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21  D8D4 E8A3 8E39 29E3  E2E8 8CEC

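Frank's suggestion written out as a manifest fragment, added here as an example that is not part of the original thread. It assumes the `selinux` fact shown in the facter output above; the `persistent` setting and the `notice` message are choices made for this example.

```puppet
# Added example: manage the SELinux boolean only on nodes where SELinux is
# enabled, so getsebool/setsebool are never run against a disabled SELinux.

# Interpolating the fact into a string makes the comparison work whether the
# fact arrives as the string 'true' or as a boolean (assumption: the fact is
# named `selinux`, as in the facter output quoted in the thread).
if "${selinux}" == 'true' {
  selboolean { 'httpd_can_network_connect':
    value      => on,
    persistent => true,  # write the value to the policy so it survives a reboot
  }
} else {
  # SELinux is disabled on this node: skip the resource instead of failing.
  # If SELinux is enabled later, the fact changes and the next catalog run
  # manages the boolean, so the setting is not silently left unmanaged.
  notice('SELinux is disabled; httpd_can_network_connect is not managed on this run')
}
```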
On Jul 1, 2010, at 6:31 PM, Markus Falb wrote:
> Hi,
>
> err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
> retrieve current state of resource: Execution of '/usr/sbin/getsebool
> httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
> disabled
>
> Is this behaviour intentional? I mean, with selinux disabled it does
> not make sense to call getsebool or setsebool. For what I want to
> achieve (httpd can network connect) a disabled selinux is as good as
> setsebool.

That isn't quite true because if SELinux is ever re-enabled it might give the admin a nasty surprise if he thought the policies were actually set.

I don't have anything else to say because everything else I was going to say is covered better by Frank's email.

On 02/07/2010 05:20, Patrick Mohr wrote:
>
> On Jul 1, 2010, at 6:31 PM, Markus Falb wrote:
>
>> Hi,
>>
>> err: //cobbler::web/Selboolean[httpd_can_network_connect]: Failed to
>> retrieve current state of resource: Execution of '/usr/sbin/getsebool
>> httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is
>> disabled
>>
>> Is this behaviour intentional? I mean, with selinux disabled it does
>> not make sense to call getsebool or setsebool. For what I want to
>> achieve (httpd can network connect) a disabled selinux is as good as
>> setsebool.
>
> That isn't quite true because if SELinux is ever re-enabled it might give the admin a nasty surprise if he thought the policies were actually set.

Correct, of course. Or do not play with such things on production
machines. Or manage selinux permissive/enforcing/disabled through puppet
as well as things like httpd can network connect.

> I don't have anything else to say because everything else I was going to say is covered better by Frank's email.

thanks to Frank. thanks to you too, Patrick.