selinux_policy_module installation disallowed if selinux is disabled

[urgency]

👻 Brief Description

Currently it is not possible to compile policy modules if selinux is disabled (even if it is enabled in selinux config and the server simply hasn't been rebooted yet). This is problematic because it requires booting into permissive or enforcing mode and then re-running chef-client to compile the module. Between boot and chef-client completion audit logs could be spammed with avc denials and system functionality could be impaired. I am not yet aware of a technical reason that a policy module can't be compiled while selinux is disabled.

🥞 Cookbook version

2.4.3

👩‍🍳 Chef-Infra Version

Chef Infra Client: 16.16.13

🎩 Platform details

Oracle Enterprise Linux 6/7

Steps To Reproduce

Steps to reproduce the behavior:

Invoke selinux policy module in recipe while selinux has not been set to permissive/enforcing via rebooting after updating selinux config file to permissive/enforcing.

🚓 Expected behavior

It would be nice if there were a module property that could be passed to the use_selinux helper that would allow it to return true even when selinux is disabled. I tested this on a forked version of the cookbook and it seemed to work as expected. However I am aware that there may be some other reason this is designed in this way to not allow module compilation.

[urgency]

Actually this may be a misreading on my part of what allow_disabled means.

Edit: It does seem like setting allow_disabled to false gives me the behavior I want. But I am confused by the property name and some of the comments in the helpers file. I'm closing this.