no-re...@cfengine.com writes:

> What is the experience with Cfengine and systems running SELinux?

We're running CFEngine on lots of RHEL6 systems, all of which are
running with SELinux in Enforcing mode. Our experience is good, but
there are caveats wrt. file labels. When editing a file, the SELinux
label can be messed up. You also need to make sure that the daemon
processes (cf-execd etc.) are running in an unconfined domain. If they
are running in the 'initrc_t' domain, they are unconfined.

> Currently we are in the process of deploying Cfengine on RedHat 6
> systems. For the obvious reasons we want to keep SELinux enabled and
> enforced on all our RedHat 6 systems.

Glad to hear that you're doing the Right Thing :)

> Cfengine runs fine on the RedHat 6 systems, though it is giving us some
> trouble with security contexts.  I've tried compiling Cfengine with
> the --enable-selinux option but that does not seem to work.  All the
> files and directories that are controlled with Cfengine and where the
> security context changes are now restored with:
> restorecon -R ${edited_dir}
> It works but is not the most ideal situation.

This is also how we do things. For edited files, set an if_repaired
class and run restorecon on the file. It seems unnecessary but it isn't
a big deal in my opinion.

> I saw that there is a feature request for SELinux context support but
> there has been no useful response on that:
> https://cfengine.com/bugtracker/view.php?id=663
>
> Should the --enable-selinux compile option fix my issue and am I doing
> something wrong?  Or is there no support for selinux security
> contexts?

To be honest I don't know what '--enable-selinux' is supposed to do,
other than linking to libselinux. For now, we're content with running
restorecon on repaired files.

Cheers,
-- 
Trond Hasle Amundsen <t.h.amund...@usit.uio.no>
Gruppe for basis systemdrift (BSD), SAPP, USIT
Tel. +47 22840058 (office)
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
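The "if_repaired class plus restorecon" pattern Trond describes, written out as CFEngine 3 policy. This is an added example, not code from the thread or from the CFEngine project; the target file (/etc/ssh/sshd_config), the line appended to it and the class name are assumptions chosen for illustration, and the bodies `append_if_no_line` and `if_repaired` come from the stock cfengine_stdlib.cf that ships with CFEngine 3:

```cfengine3
body common control
{
  bundlesequence => { "selinux_safe_edit" };
  # stdlib supplies append_if_no_line and if_repaired
  inputs         => { "cfengine_stdlib.cf" };
}

bundle agent selinux_safe_edit
{
vars:
  # Assumed target; any file edited by edit_line can lose its SELinux
  # label because the edit is written to a temporary file and moved
  # into place, so the same pattern applies to every edited file.
  "conf" string => "/etc/ssh/sshd_config";

files:
  "$(conf)"
    # Assumed edit: append a line only if it is missing
    edit_line => append_if_no_line("PermitRootLogin no"),
    # Raise a class only when the file was actually changed
    classes   => if_repaired("sshd_config_repaired");

commands:
  # Runs only in the same agent pass in which the edit happened,
  # so the label is put back before anything else reads the file.
  sshd_config_repaired::
    "/sbin/restorecon"
      args => "-v $(conf)";
}
```

Because the class is raised only on repair, restorecon runs once per change rather than on every agent run, and the `-v` flag logs which files actually had their label reset, which is useful when checking whether a particular edit is the one disturbing contexts. To confirm the other caveat in the reply, that the daemons are in an unconfined domain, `ps -eZ | grep cf-` shows the SELinux context of each running cf-execd/cf-serverd/cf-monitord process.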
