Forum: Cfengine Help
Subject: Re: CFEngine in co-existance with SELINUX
Author: davidlee
Link to topic: https://cfengine.com/forum/read.php?3,22644,22655#msg-22655

It's a couple of years since I got close to doing hand-to-hand combat with SELinux, and even then I mostly chickened out. And I've been away from SELinux since then, until just recently.

I understand that the message "SELinux is preventing ...", when the system is in permissive mode, is merely shorthand for what would have happened if the system had been in enforcing mode. (Indeed, that is the main purpose of "permissive", isn't it?) The "sealert" explains in more detail: try an example.

Deb raises a good general point, which I believe we ought to acknowledge. At my site, we have just installed some RHEL machines, and the installation defaults to "enforcing". (We opted for "permissive"!) And Fedora similarly wants to encourage the end-user to use SELinux.

My own view is that it would be prudent for the "cfengine" installation itself to be SELinux-aware, so that at least its own internal workings work cleanly with SELinux. Our own log files are loaded with messages of the form "SELinux is preventing ifconfig (ifconfig_t) "write" to /var/cfengine/outputs/..."; these messages, referring to cfengine's own files, really should not be there. (Now if a site writes cfengine rules which edit system files, that might be a different matter, but even there one would hope that cfengine would preserve SELinux settings on pre-existing files.)

So I think Deb raises a valid point about the great desirability of cfengine working co-operatively with SELinux.