I have experience running CFEngine on CentOS 5 with SELinux enabled. There is some noise in the audit logs, but otherwise I haven't had any issues. I have a policy written to add and load SELinux modules on the fly; it is in my examples collection in the CFEngine Design Center. Otherwise I call "setsebool" as a commands type promise to set SELinux booleans.
Best,
Aleksey

On 8/14/12, Trond Hasle Amundsen <t.h.amund...@usit.uio.no> wrote:
> no-re...@cfengine.com writes:
>
>> What is the experience with Cfengine and systems running SELinux?
>
> We're running CFEngine on lots of RHEL6 systems, all of which are
> running with SELinux in Enforcing mode. Our experience is good, but
> there are caveats wrt. file labels. When editing a file, the SELinux
> label can be messed up. You also need to make sure that the daemon
> processes (cf-execd etc.) are running in an unconfined domain. If they
> are running in the 'initrc_t' domain, they are unconfined.
>
>> Currently we are in the process of deploying Cfengine on RedHat 6
>> systems. For the obvious reasons we want to keep SELinux enabled and
>> enforced on all our RedHat 6 systems.
>
> Glad to hear that you're doing the Right Thing :)
>
>> Cfengine runs fine on the RedHat6 systems, though it is giving us some
>> trouble with security contexts. I've tried compiling Cfengine with
>> the --enable-selinux option but that does not seem to work. All the
>> files and directories that are controlled with Cfengine and where the
>> security context changes are now restored with:
>> restorecon -R ${edited_dir}
>> It works but is not the most ideal situation.
>
> This is also how we do things. For edited files, set an if_repaired
> class and run restorecon on the file. It seems unnecessary but it isn't
> a big deal in my opinion.
>
>> I saw that there is a feature request for SELinux context support but
>> there has been no useful response on that:
>> https://cfengine.com/bugtracker/view.php?id=663
>>
>> Should the --enable-selinux compile option fix my issue and am I doing
>> something wrong? Or is there no support for selinux security
>> contexts?
>
> To be honest I don't know what '--enable-selinux' is supposed to do,
> other than linking to libselinux. For now, we're content with running
> restorecon on repaired files.
>
> Cheers,
> --
> Trond Hasle Amundsen <t.h.amund...@usit.uio.no>
> Gruppe for basis systemdrift (BSD), SAPP, USIT
> Tel. +47 22840058 (office)
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine

--
Upcoming Trainings:
"Editing with vi" 31 Aug 2012 at LinuxCon North America in San Diego, CA (http://lcna2012.sched.org/speaker/alekseytsalolikhin)
"Time Management for System Administrators" 28 Sep 2012 at Ohio Linux Fest (http://ohiolinux.org/register)
"Editing with vi" 28 Sep 2012 at Ohio Linux Fest (http://ohiolinux.org/register)
"Automating System Administration with CFEngine 3" 22-25 Oct 2012 in Palo Alto, CA (http://www.eventbrite.com/event/3388161081)
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
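A policy that puts together the two patterns discussed in the thread, Trond's if_repaired class followed by restorecon on the repaired file and Aleksey's setsebool via a commands promise, written as an added example for this page; it is not code from either poster or from the CFEngine Design Center. The managed file path, the PermitRootLogin edit, the httpd_can_network_connect boolean and the class names are assumptions chosen for illustration, and the if_repaired body duplicates the standard library's so the policy runs without cfengine_stdlib.cf:

```cfengine3
# Added example, not from the thread. Re-label a file only after CFEngine
# has actually repaired it, and flip an SELinux boolean only when it is not
# already set. File path, edit, boolean and class names are assumptions.
body common control
{
      bundlesequence => { "selinux_aware_config" };
}

bundle agent selinux_aware_config
{
  vars:
      # Assumed managed file; any file CFEngine rewrites in place behaves the same.
      "managed_file" string => "/etc/ssh/sshd_config";

  classes:
      # Guard the boolean: setsebool -P rewrites the policy store, so only run it
      # when getsebool reports the value is still off (assumed boolean name).
      "httpd_connect_off" expression => returnszero(
          "/usr/sbin/getsebool httpd_can_network_connect | /bin/grep -q 'off$'",
          "useshell");

  files:
      "$(managed_file)"
        edit_line => disable_root_login,
        classes   => if_repaired("managed_file_repaired"),
        comment   => "An in-place edit rewrites the file, so its SELinux label may change";

  commands:
    managed_file_repaired::
      # Only runs in the agent pass where the edit was repaired; on a converged
      # system the class is never set and restorecon is not invoked at all.
      "/sbin/restorecon -v $(managed_file)"
        comment => "Restore the label from file_contexts after a repair";

    httpd_connect_off::
      "/usr/sbin/setsebool -P httpd_can_network_connect on"
        comment => "Persist the boolean across reboots";

  reports:
    managed_file_repaired::
      "Repaired $(managed_file) and re-labelled it with restorecon";
}

# Convergent edit: delete only settings other than "no", then ensure "no"
# is present. Once the line reads "PermitRootLogin no" nothing is deleted or
# inserted, the promise is kept rather than repaired, and restorecon stays idle.
bundle edit_line disable_root_login
{
  delete_lines:
      "PermitRootLogin\s+(yes|without-password|forced-commands-only)";

  insert_lines:
      "PermitRootLogin no";
}

# Same as the standard library body of this name; defined here so the
# example stands alone without cfengine_stdlib.cf.
body classes if_repaired(x)
{
      promise_repaired => { "$(x)" };
}
```

Two points worth checking on a real host: run the policy twice and confirm the second pass reports nothing repaired (a non-convergent edit_line bundle would re-trigger restorecon every run and hide the label problem rather than fix it), and compare `ls -Z` on the file before and after the first pass to confirm restorecon actually reapplied the expected type. The thread's alternative, `restorecon -R` on the whole directory, is coarser but catches files created by copy_from promises as well, which the per-file version above does not.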