Why is selinux fact different for puppet than for facter?

asked 2015-04-12

Krist van Besien

updated 2015-05-07

I want to set a selinux boolean, but want to make it conditional on selinux being enabled, to avoid errors on hosts where it isn't.

There is a fact that is true or false depending on the selinux state:

[root@monaghan ~]# facter -p selinux

So I used the following code:

if str2bool("${::selinux}") {
    selboolean { 'rsync_export_all_ro':
      value      => 'on',
      persistent => true
    }
}

However this does not work. I get the following error:

 Error 400 on SERVER: str2bool(): Unknown type of boolean given

From the str2bool source I deduced that this error is thrown when a string is passed that does not match any of the true or false patterns in the function.

So I added a line to see what the value for "selinux" really was:

notify { "The value of selinux is ${::selinux}":}

And got this output:

Notice: The value of selinux is enforcing

This explains why my code wasn't working. So I could fix it by using a different test.

if $::selinux == 'enforcing'  {
    selboolean { 'rsync_export_all_ro':
      value      => 'on',
      persistent => true
    }
}

This works....

However, why is a different value being passed to puppet for this fact than the value I see when running facter? This is unexpected behaviour, and makes writing code harder, if one must divine fact values through trial and error...

answered 2016-06-22

alexjfisher

Hi Krist

Are you sure it's not your ENC (foreman perhaps) that's overriding the value of 'selinux'? See

answered 2015-04-13

GregLarkin

Hi Krist, I wonder if the selinux_enforced fact would suit your purpose better? Have a look here, and it appears that it will only have a true or false value depending on whether SELinux is enabled or not:

I have indeed since found another fact I can use. However it remains that "facter" should produce output that is relevant. Using facts in puppet code becomes quite hard if one can't rely on facter to produce correct output.

Krist van Besien ( 2015-04-13 04:56:38 -0600 )

Hi Krist, you will find this page very useful, because it documents the core facts available to you, as well as possible values for those facts. You shouldn't have to experiment as much to figure out the valid values:

GregLarkin ( 2015-04-13 11:35:35 -0600 )

Ensure /etc/sysconfig/selinux exists and is a symlink to /etc/selinux/config (at least on RHEL). I ran into a similar issue and discovered that the symlink was missing. 'rpm -V selinux-policy' didn't catch the missing symlink.

bschonecker ( 2016-06-22 15:37:00 -0600 )

answered 2015-04-13

MichaelSmith

I wasn't able to reproduce the behavior, and in general Puppet shouldn't be rewriting facts. This could take a little debugging; can you be more specific about what OS and Puppet/Facter versions you're using?

My own testing:

[root@n5zzcyfwyuy3s97 ~]# facter os
{"name"=>"CentOS", "family"=>"RedHat", "release"=>{"major"=>"7", "minor"=>"0", "full"=>"7.0.1406"}}
[root@n5zzcyfwyuy3s97 ~]# facter --version
[root@n5zzcyfwyuy3s97 ~]# puppet --version
[root@n5zzcyfwyuy3s97 ~]# facter -p selinux
[root@n5zzcyfwyuy3s97 ~]# puppet apply -e 'notify { "The value of selinux is ${::selinux}":}'
Notice: Compiled catalog for n5zzcyfwyuy3s97 in environment production in 0.01 seconds
Notice: The value of selinux is true
Notice: /Stage[main]/Main/Notify[The value of selinux is true]/message: defined 'message' as 'The value of selinux is true'
Notice: Finished catalog run in 0.01 seconds
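
An added example, not written by any poster in this thread: a guard for the question's selboolean that reads the agent-submitted fact from `$facts` instead of top scope (where an ENC parameter of the same name can shadow it, as one answer suspects) and reports an unexpected value instead of failing in str2bool(). It assumes Puppet 4 or later; the notify title and variable names are illustrative.

```puppet
# Added example; assumes Puppet 4+ ($facts hash and data types).

# $facts holds only what the agent submitted. A top-scope node parameter
# named 'selinux' (for example from an ENC) can change $::selinux, but it
# cannot change $facts['selinux'].
$selinux_fact = $facts['selinux']

# The fact may arrive as a real boolean or, with stringified facts, as the
# string 'true' or 'false'. Anything else is treated as "state unknown".
$selinux_enabled = $selinux_fact ? {
  Boolean          => $selinux_fact,
  /\A(?i:true)\z/  => true,
  /\A(?i:false)\z/ => false,
  default          => undef,
}

case $selinux_enabled {
  true: {
    selboolean { 'rsync_export_all_ro':
      value      => 'on',
      persistent => true,
    }
  }
  false: {
    # SELinux is disabled on this host: nothing to manage.
  }
  default: {
    # Surface the odd value in the run report rather than aborting catalog
    # compilation, and show whether top scope disagrees with the fact.
    notify { 'selinux-fact-unexpected':
      message => "selinux fact is '${selinux_fact}', top-scope \$::selinux is '${::selinux}'",
    }
  }
}
```

If the notify fires with two different values, the difference is being introduced on the master side (node parameters), not by facter on the agent.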
Asked: 2015-04-12 01:56:14 -0600

Last updated: Jun 22 '16