I manage quite a few CentOS 6 servers with puppet, and I want to start using puppet-selinux[1] to enable/disable it.

My "common" node class, inherited by all servers, should say that all servers run SELinux in enforcing mode. But on one or two servers I want to run in permissive mode for various reasons.

Am I right in thinking that doing the following will cause a conflict, as selinux is applied twice? Is there a better way of achieving this?

    class common {
      include selinux(enforcing)
      ...
      ...
    }

    node server1 {
      include common
    }

    node server2 {
      include common
      include selinux(permissive)
    }

Thanks,
Jonathan

[1] https://github.com/jfryman/puppet-selinux

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jonathan Gazeley
2012-Jan-06 12:23 UTC
Re: [Puppet Users] Best practice for SELinux overrides
I realise I've b0rked the syntax. I meant this:

    class common {
      class { selinux: mode => enforcing }
      ...
      ...
    }

    node server1 {
      include common
    }

    node server2 {
      include common
      class { selinux: mode => permissive }
    }

I'm trying to achieve that all servers have SELinux in enforcing by default, unless explicitly specified otherwise. Is this possible?

Thanks,
Jonathan

On 06/01/12 09:38, Jonathan Gazeley wrote:
> My "common" node class, inherited by all servers, should say that all
> servers run SELinux in enforcing mode. But on one or two servers I want
> to run in permissive mode for various reasons.
On Jan 6, 6:23 am, Jonathan Gazeley <jonathan.gaze...@bristol.ac.uk> wrote:
> I'm trying to achieve that all servers have SELinux in enforcing by
> default, unless explicitly specified otherwise. Is this possible?

What you have written will not work, but this might:

    class common {
      class { selinux: mode => enforcing }
    }

    class common::permissive inherits common {
      Class['selinux'] {
        mode => permissive
      }
    }

    node server1 {
      include common
    }

    node server2 {
      include common  # optional
      include common::permissive
    }

If that doesn't work as written, then you should be able to make it work by wrapping the declarations of Class['selinux'] in a definition taking the mode as a parameter, and then overriding the definition's parameter instead of directly overriding the class's parameter.

Alternatively, this might be a good use case for external data: have class common lookup the appropriate SELinux mode via extlookup() or hiera instead of always setting it explicitly to 'enforcing'.

Either of those approaches is also compatible with putting "include common" in a default node definition that other node definitions then inherit; that is often what people want to do when they have settings to apply to all servers by default. Example:

    node default {
      include common
    }

    node server2 inherits default {
      include common::permissive
    }

John
Two immediate possibilities come to mind:

(1) take selinux out of "common" and define it in each individual node

(2) define the exceptions to "selinux => enforcing" like in this:
http://www.mail-archive.com/puppet-users@googlegroups.com/msg00697.html

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)

----- Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
> My "common" node class, inherited by all servers, should say that all
> servers run SELinux in enforcing mode. But on one or two servers I want
> to run in permissive mode for various reasons.
Dan White
2012-Jan-06 16:15 UTC
Re: [Puppet Users] Re: Best practice for SELinux overrides
----- jcbollinger <John.Bollinger@stJude.org> wrote:
> What you have written will not work, but this might:
>
>     class common {
>       class { selinux: mode => enforcing }
>     }
>
>     class common::permissive inherits common {
>       Class['selinux'] {
>         mode => permissive
>       }
>     }
>
>     node server1 {
>       include common
>     }
>
>     node server2 {
>       include common  # optional
>       include common::permissive
>     }

Or something like this:

    class common {
      # totally remove selinux at this level
    }

    # Puppet class names may only contain [a-z0-9_] and '::', so the
    # hyphenated names are written with underscores here.
    class common::se_enforcing inherits common {
      class { selinux: mode => enforcing }
    }

    class common::se_permissive inherits common {
      class { selinux: mode => permissive }
    }

    class common::se_disabled inherits common {
      class { selinux: mode => disabled }
    }

    node server1 {
      include common::se_enforcing
    }

    node server2 {
      include common::se_permissive
    }

--
"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)
Gabriel Filion
2012-Jan-07 08:40 UTC
Re: [Puppet Users] Re: Best practice for SELinux overrides
Or you could use a parametrized class to make things shorter and easier to understand:

    class common (
      $selinux_mode = 'enforcing'
    ) {
      class { selinux: mode => $selinux_mode }
    }

    node server1 {
      include common
    }

    node server2 {
      class { common: selinux_mode => 'permissive' }
    }

--
Gabriel Filion
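One way to put John's external-data suggestion and Gabriel's parametrised class together, as an added example that is not part of this thread nor of puppet-selinux: it assumes Puppet 4+ syntax (newer than the 2012 idioms above), a `selinux` class with a `mode` parameter as jfryman/puppet-selinux provides, and a Hiera key `common::selinux_mode` and hostnames chosen here for illustration.

```puppet
# Added example, not code from the thread or from puppet-selinux. It
# combines Gabriel's parametrised class with John's external-data idea and
# assumes Puppet 4+ syntax plus a `selinux` class with a `mode` parameter
# (as jfryman/puppet-selinux provides). The Hiera key `common::selinux_mode`
# and the hostnames are constructed for illustration.
class common (
  # Enum rejects anything but the three real SELinux modes at catalog
  # compile time, so a typo like 'permisive' fails the run instead of
  # being passed through to the selinux module.
  Enum['enforcing', 'permissive', 'disabled'] $selinux_mode = 'enforcing',
) {
  # Anything weaker than enforcing is a deliberate exception; surface it
  # in the agent log and report so an override cannot drift in unnoticed.
  if $selinux_mode != 'enforcing' {
    notify { "selinux-exception-${trusted['certname']}":
      message => "SELinux mode on ${trusted['certname']} is '${selinux_mode}', not 'enforcing'",
    }
  }

  class { 'selinux':
    mode => $selinux_mode,
  }
}

# Every node just includes common; the one permissive host is expressed as
# data, so the exception is reviewable in version control instead of being
# a special case in site.pp. Automatic parameter lookup maps the Hiera key
# common::selinux_mode onto the class parameter above.
#
#   # hiera.yaml (constructed hierarchy)
#   version: 5
#   defaults:
#     datadir: data
#     data_hash: yaml_data
#   hierarchy:
#     - name: 'Per-node overrides'
#       path: 'nodes/%{trusted.certname}.yaml'
#     - name: 'Common defaults'
#       path: 'common.yaml'
#
#   # data/common.yaml
#   common::selinux_mode: 'enforcing'
#
#   # data/nodes/server2.example.org.yaml
#   common::selinux_mode: 'permissive'
node default {
  include common
}
```

With this layout a host only leaves enforcing mode when a per-node data file says so, and every such host announces the exception in its agent report on each run.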