selinux in this role? #1
Comments
Interesting, that's not something I had to do. Maybe selinux wasn't enabled on my system to start, though? Does changing that setting require a reboot?
I didn't reboot, just did 'sudo setenforce permissive'. Now I have alerts that aren't actually enforced:
    The source process: /usr/libexec/qemu-kvm
    Attempted this access: read
    On this file: test1-worker-0-tc24r.ignition
and similarly for test1-master.ign and test1-bootstrap.ign
Also
    The source process: systemd-machined
    Attempted this access: getattr
    On this file: /proc//cgroup
and similarly for machined attempting to search directory 5193
I'm running the install as user tbarron who belongs to groups wheel, qemu, libvirt, and docker.
It may well be something about my CentOS install that's triggering this -- similar perhaps to dmacvicar/terraform-provider-libvirt#142 (comment)
I'm not sure I want the role to just set the mode to permissive because if someone isn't paying close attention they might not notice. How about if we check the mode and fail if it isn't set permissive, with a message that they need to make that security-related change themselves?
That seems like a good idea if this isn't something idiosyncratic to my environment. Maybe the message should just suggest making the change if selinux prevents the install from succeeding. Presumably someday that will no longer be a problem :)
I think my selinux labels were screwed up in my default libvirt pool, so probably never mind on this one. Sorry for the noise.
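An added example, not part of the thread or of the role's own code: a shell function that summarises AVC denial records like the ones reported above, printing the target context and whether each denial was enforced, so that a mislabelled file stands out without leaving the host in permissive mode. The log lines, PIDs and security contexts below are constructed samples; only the file and process names echo the thread.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit-log text on stdin.
# Output per denial: comm|permission(s)|target|target context|enforced?

avc_summary() {
    awk '
    /avc:[ ]+denied/ {
        perm = ""; comm = "?"; target = "?"; tctx = "?"; mode = "unknown"
        # The permission list sits between braces, one or more words.
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            val = substr($i, length(kv[1]) + 2)   # text after the first "="
            gsub(/"/, "", val)
            if (kv[1] == "comm") comm = val
            else if (kv[1] == "name" || kv[1] == "path") target = val
            else if (kv[1] == "tcontext") tctx = val
            else if (kv[1] == "permissive")
                mode = (val == "1") ? "not-enforced" : "enforced"
        }
        printf "%s|%s|%s|%s|%s\n", comm, perm, target, tctx, mode
    }'
}

# Constructed sample records (not taken from the reporter's system).
# The kernel truncates comm to 15 characters, hence "systemd-machine".
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1560000000.101:501): avc:  denied  { read } for  pid=4242 comm="qemu-kvm" name="test1-bootstrap.ign" dev="dm-0" ino=1001 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1560000000.101:501): arch=c000003e syscall=2 success=yes exit=12 comm="qemu-kvm"
type=AVC msg=audit(1560000000.202:502): avc:  denied  { getattr } for  pid=900 comm="systemd-machine" path="/proc/4242/cgroup" dev="proc" ino=2002 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c1,c2 tclass=file permissive=0
EOF
}

# Stand-alone run: print the summary of the constructed sample.
sample_log | avc_summary
```

On a real host the same function can read the output of `ausearch -m avc` or the audit log itself; a target context that does not match what the libvirt pool's files should carry points at labelling rather than at policy.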
On CentOS 7 I had to 'setenforce permissive' to get the installer to work. Should there be a task to do that as part of this role?