# Why is selinux fact different for puppet than for facter?

I want to set a selinux boolean, but want to make it conditional on selinux being enabled, to avoid errors on hosts where it isn't.

There is a fact that is true or false depending on the selinux state:

```
[root@monaghan ~]# facter -p selinux
true
```


So I used the following code:

```
if str2bool("${::selinux}") {
  selboolean { 'rsync_export_all_ro':
    value      => 'on',
    persistent => true
  }
}
```

However this does not work. I get the following error:

```
Error 400 on SERVER: str2bool(): Unknown type of boolean given
```

From the str2bool source I deduced that this error is thrown when a string is passed that does not match any of the true or false patterns in the function. So I added a line to see what the value for "selinux" really was:

```
notify { "The value of selinux is ${::selinux}":}
```


And got this output:

```
Notice: The value of selinux is enforcing
```


This explains why my code wasn't working. So I could fix it by using a different test.

```
if $::selinux == 'enforcing' {
  selboolean { 'rsync_export_all_ro':
    value      => 'on',
    persistent => true
  }
}
```

This works... However, why is a different value being passed to puppet for this fact than the value I see when running facter? This is unexpected behaviour, and makes writing code harder, if one must divine fact values through trial and error...

## 3 Answers

Hi Krist

Are you sure it's not your ENC (foreman perhaps) that's overriding the value of 'selinux'?

See https://github.com/theforeman/communi...

Hi Krist,

I wonder if the selinux_enforced fact would suit your purpose better? Have a look here, and it appears that it will only have a true or false value depending on whether SELinux is enabled or not: https://docs.puppetlabs.com/facter/2.2/core_facts.html#selinuxenforced

## Comments

I have indeed since found another fact I can use. However it remains that "facter" should produce output that is relevant. Using facts in puppet code becomes quite hard if one can't rely on facter to produce correct output. ( 2015-04-13 04:56:38 -0500 )

Hi Krist, you will find this page very useful, because it documents the core facts available to you, as well as possible values for those facts. You shouldn't have to experiment as much to figure out the valid values: https://docs.puppetlabs.com/facter/2.2/core_facts.html ( 2015-04-13 11:35:35 -0500 )

Ensure /etc/sysconfig/selinux exists and is a symlink to /etc/selinux/config (at least on RHEL). I ran into a similar issue and discovered that the symlink was missing. 'rpm -V selinux-policy' didn't catch the missing symlink. ( 2016-06-22 15:37:00 -0500 )

I wasn't able to reproduce the behavior, and in general Puppet shouldn't be rewriting facts. This could take a little debugging; can you be more specific about what OS and Puppet/Facter versions you're using?
My own testing:

```
[root@n5zzcyfwyuy3s97 ~]# facter os
{"name"=>"CentOS", "family"=>"RedHat", "release"=>{"major"=>"7", "minor"=>"0", "full"=>"7.0.1406"}}
[root@n5zzcyfwyuy3s97 ~]# facter --version
2.4.3
[root@n5zzcyfwyuy3s97 ~]# puppet --version
3.7.5
[root@n5zzcyfwyuy3s97 ~]# facter -p selinux
true
[root@n5zzcyfwyuy3s97 ~]# puppet apply -e 'notify { "The value of selinux is ${::selinux}":}'
Notice: Compiled catalog for n5zzcyfwyuy3s97 in environment production in 0.01 seconds
Notice: The value of selinux is true
Notice: /Stage[main]/Main/Notify[The value of selinux is true]/message: defined 'message' as 'The value of selinux is true'
Notice: Finished catalog run in 0.01 seconds
```

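The checks discussed in this thread, gathered into one triage script as an added example (not code from any of the posters): it compares the value facter printed with the value the manifest saw, and verifies the /etc/sysconfig/selinux symlink mentioned in the comments. The function names, the result strings and the ROOT argument are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Triage for a selinux fact that differs between facter and Puppet (added example).
# Function names, result strings and the ROOT argument are assumptions of this sketch.

# True when VALUE is one of the two values the question expects from `facter -p selinux`.
is_boolean_fact() {
    case "$1" in
        true|false) return 0 ;;
        *)          return 1 ;;
    esac
}

# True when ROOT/etc/sysconfig/selinux is a symlink that resolves to
# ROOT/etc/selinux/config (ROOT is empty on a real host, a temp dir in the demo).
selinux_link_ok() {
    root="$1"
    link="$root/etc/sysconfig/selinux"
    target="$root/etc/selinux/config"
    [ -L "$link" ] && [ -e "$target" ] || return 1
    [ "$(readlink -f "$link")" = "$(readlink -f "$target")" ]
}

# Print one finding for: the value facter printed, the value the manifest saw
# (for example via the notify resource), and the filesystem root to inspect.
diagnose() {
    facter_value="$1"; puppet_value="$2"; root="$3"
    if ! selinux_link_ok "$root"; then
        echo "symlink-broken"
    elif [ "$facter_value" != "$puppet_value" ]; then
        echo "value-differs"
    elif ! is_boolean_fact "$puppet_value"; then
        echo "not-boolean"
    else
        echo "consistent"
    fi
}

# Constructed demo tree standing in for a host's /etc.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/etc/selinux" "$demo_root/etc/sysconfig"
echo "SELINUX=enforcing" > "$demo_root/etc/selinux/config"
ln -s ../selinux/config "$demo_root/etc/sysconfig/selinux"

diagnose true enforcing "$demo_root"   # the asker's observation: value-differs
diagnose true true "$demo_root"        # the third answer's test host: consistent
rm "$demo_root/etc/sysconfig/selinux"
diagnose true true "$demo_root"        # the 2016 comment's case: symlink-broken
rm -rf "$demo_root"
```

On a real host, pass an empty string as the third argument so the paths resolve under `/`.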