0

Why is selinux fact different for puppet than for facter?

asked 2015-04-12 01:56:14 -0500

Krist van Besien

updated 2015-05-07 00:27:57 -0500

I want to set a selinux boolean, but want to make it conditional on selinux being enabled, to avoid errors on hosts where it isn't.

There is a fact that is true or false depending on the selinux state:

[root@monaghan ~]# facter -p selinux
true

So I used the following code:

if str2bool("${::selinux}") {
  selboolean { 'rsync_export_all_ro':
    value      => 'on',
    persistent => true,
  }
}

However this does not work. I get the following error:

 Error 400 on SERVER: str2bool(): Unknown type of boolean given

From the str2bool source I deduced that this error is thrown when a string is passed that does not match any of the true or false patterns in the function.

So I added a line to see what the value for "selinux" really was:

notify { "The value of selinux is ${::selinux}":}

And got this output:

Notice: The value of selinux is enforcing

This explains why my code wasn't working. So I could fix it by using a different test.

if $::selinux == 'enforcing' {
  selboolean { 'rsync_export_all_ro':
    value      => 'on',
    persistent => true,
  }
}

This works....

However, why is a different value being passed to puppet for this fact than the value I see when running facter? This is unexpected behaviour, and makes writing code harder, if one must divine fact values through trial and error...


3 Answers

1

answered 2016-06-22 12:03:32 -0500

alexjfisher

Hi Krist

Are you sure it's not your ENC (foreman perhaps) that's overriding the value of 'selinux'? See https://github.com/theforeman/communi...

1

answered 2015-04-13 00:19:33 -0500

GregLarkin

Hi Krist, I wonder if the selinux_enforced fact would suit your purpose better? Have a look here, and it appears that it will only have a true or false value depending on whether SELinux is enabled or not:

https://docs.puppetlabs.com/facter/2.2/core_facts.html#selinuxenforced


Comments

I have indeed since found another fact I can use. However it remains that "facter" should produce output that is relevant. Using facts in puppet code becomes quite hard if one can't rely on facter to produce correct output.

Krist van Besien ( 2015-04-13 04:56:38 -0500 )

Hi Krist, you will find this page very useful, because it documents the core facts available to you, as well as possible values for those facts. You shouldn't have to experiment as much to figure out the valid values: https://docs.puppetlabs.com/facter/2.2/core_facts.html

GregLarkin ( 2015-04-13 11:35:35 -0500 )

Ensure /etc/sysconfig/selinux exists and is a symlink to /etc/selinux/config (at least on RHEL). I ran into a similar issue and discovered that the symlink was missing. 'rpm -V selinux-policy' didn't catch the missing symlink.

bschonecker ( 2016-06-22 15:37:00 -0500 )
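
The symlink check described in the comment above, written out as an added diagnostic that is not part of the original thread. The function names and the ROOT argument (the filesystem root to inspect) are assumptions made for this example; the two paths are the ones named in the comment.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical argument: the
# filesystem root to inspect ("/" on a live host, or a constructed test tree).

# Print the mode set by the last uncommented SELINUX= line of a config file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Classify ROOT/etc/sysconfig/selinux: ok | missing | not-a-symlink | wrong-target
selinux_symlink_status() {
    root=${1:-/}; root=${root%/}
    link="$root/etc/sysconfig/selinux"
    target="$root/etc/selinux/config"
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo missing
    elif [ ! -L "$link" ]; then
        echo not-a-symlink            # a regular file has replaced the link
    elif [ "$link" -ef "$target" ]; then
        echo ok                       # link resolves to the real config file
    else
        echo wrong-target             # dangling, or points somewhere else
    fi
}

# One-line report to set beside what `facter -p selinux` prints on the node.
selinux_audit() {
    root=${1:-/}; root=${root%/}
    echo "symlink=$(selinux_symlink_status "$root") config_mode=$(selinux_config_mode "$root/etc/selinux/config")"
}

selinux_audit "${1:-/}"
```
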
0

answered 2015-04-13 11:59:39 -0500

MichaelSmith

I wasn't able to reproduce the behavior, and in general Puppet shouldn't be rewriting facts. This could take a little debugging; can you be more specific about what OS and Puppet/Facter versions you're using?

My own testing:

[root@n5zzcyfwyuy3s97 ~]# facter os
{"name"=>"CentOS", "family"=>"RedHat", "release"=>{"major"=>"7", "minor"=>"0", "full"=>"7.0.1406"}}
[root@n5zzcyfwyuy3s97 ~]# facter --version
2.4.3
[root@n5zzcyfwyuy3s97 ~]# puppet --version
3.7.5
[root@n5zzcyfwyuy3s97 ~]# facter -p selinux
true
[root@n5zzcyfwyuy3s97 ~]# puppet apply -e 'notify { "The value of selinux is ${::selinux}":}'
Notice: Compiled catalog for n5zzcyfwyuy3s97 in environment production in 0.01 seconds
Notice: The value of selinux is true
Notice: /Stage[main]/Main/Notify[The value of selinux is true]/message: defined 'message' as 'The value of selinux is true'
Notice: Finished catalog run in 0.01 seconds

Stats

Asked: 2015-04-12 01:56:14 -0500

Seen: 674 times

Last updated: Jun 22 '16