selinux_policy_module installation disallowed if selinux is disabled #152
Comments
Actually this may be a misreading on my part of what allow_disabled means. Edit: It does seem like setting |
👻 Brief Description
Currently it is not possible to compile policy modules if selinux is disabled (even if it is enabled in the selinux config and the server simply hasn't been rebooted yet). This is problematic because it requires booting into permissive or enforcing mode and then re-running chef-client to compile the module. Between boot and chef-client completion, audit logs could be spammed with avc denials and system functionality could be impaired. I am not yet aware of a technical reason that a policy module can't be compiled while selinux is disabled.
🥞 Cookbook version
2.4.3
👩🍳 Chef-Infra Version
Chef Infra Client: 16.16.13
🎩 Platform details
Oracle Enterprise Linux 6/7
Steps To Reproduce
Steps to reproduce the behavior:
Invoke selinux policy module in recipe while selinux has not been set to permissive/enforcing via rebooting after updating selinux config file to permissive/enforcing.
🚓 Expected behavior
It would be nice if there were a module property that could be passed to the use_selinux helper that would allow it to return true even when selinux is disabled. I tested this on a forked version of the cookbook and it seemed to work as expected. However, I am aware that there may be some other reason this is designed in this way to not allow module compilation.
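As an added illustration (not the selinux cookbook's own code), a helper of the kind the issue proposes: it treats SELinux as usable when the kernel reports Enforcing/Permissive, and, only with an explicit opt-in, also when the kernel still reports Disabled but /etc/selinux/config already enables SELinux for the next boot. The method names (`use_selinux?`, `configured_selinux_mode`), the `allow_disabled:` keyword and the sample config are assumptions; the inputs are passed in as strings so it runs offline.

```ruby
# Added example, not the cookbook's code. Names and inputs are assumptions.
RUNTIME_ACTIVE = %w[Enforcing Permissive].freeze     # values `getenforce` prints
CONFIGURED_ACTIVE = %w[enforcing permissive].freeze  # SELINUX= values in the config

# Parse the SELINUX= line out of an /etc/selinux/config body.
# Returns "enforcing", "permissive", "disabled", or nil if the key is absent.
def configured_selinux_mode(config_text)
  config_text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    return value.to_s.strip.downcase if key.strip == 'SELINUX'
  end
  nil
end

# runtime_state:  what `getenforce` reports ("Enforcing"/"Permissive"/"Disabled")
# config_text:    contents of /etc/selinux/config
# allow_disabled: opt-in; permit policy work while the kernel reports Disabled,
#                 but only if the config enables SELinux for the next boot, so a
#                 host that is really meant to stay disabled still gets false.
def use_selinux?(runtime_state, config_text, allow_disabled: false)
  return true if RUNTIME_ACTIVE.include?(runtime_state.to_s.strip)
  return false unless allow_disabled

  CONFIGURED_ACTIVE.include?(configured_selinux_mode(config_text))
end

# Constructed sample: config already switched to enforcing, reboot still pending.
SAMPLE_CONFIG = <<~CONF
  # This file controls the state of SELinux on the system.
  SELINUX=enforcing
  SELINUXTYPE=targeted
CONF

if __FILE__ == $PROGRAM_NAME
  puts use_selinux?('Disabled', SAMPLE_CONFIG)                       # false (default)
  puts use_selinux?('Disabled', SAMPLE_CONFIG, allow_disabled: true) # true
end
```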