On Fri, Sep 21, 2012 at 8:23 AM, <no-re...@cfengine.com> wrote:
> Forum: CFEngine Help
> Subject: Managing Booleans
> Author: daveseff
> Link to topic: https://cfengine.com/forum/read.php?3,27478,27478#msg-27478
>
> I need to manage SELinux contexts on my systems. With that, I need to set
> booleans either on or off with setsebool. Is there an efficient way to manage
> booleans in CFEngine?

There isn't native support for SELinux booleans in CFEngine yet. I set booleans with a commands type promise of "/usr/sbin/setsebool -P name value".

This is efficient as far as the interface with the admin user is concerned - in other words, it is easy to read and understand what this policy is doing. It is not efficient from the point of view of utilization of system resources (as this command would run every time CFEngine runs, whether it's needed or not).

However, the command is still convergent. So if a human admin or intruder were to toggle this boolean, the next run of CFEngine would repair it. But if it is already set, it'll stay set.

I have not experimented with running "getsebool" first to obtain and parse the current value, and then only running "setsebool" if needed, to see if such an approach is lighter in weight, partly because the Knowledge Management win (having a concise policy) is big in my book. But that's the way to go to make this policy more efficient, within the current constraints of having to use an external command to interface with SELinux.

Best,
-at
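
The check-then-set approach described in the reply above, as an added example (not part of the original message and not CFEngine's own code): a POSIX shell wrapper that parses `getsebool` output and only calls `setsebool -P` when the running value differs. The function names, the overridable `GETSEBOOL`/`SETSEBOOL` variables and the return code 10 for "repaired" are assumptions of this example.

```shell
#!/bin/sh
# Added example: converge one SELinux boolean, writing only on drift.
# GETSEBOOL/SETSEBOOL can be overridden (assumption of this example) so
# the logic can be exercised on a host without the SELinux tools.
GETSEBOOL=${GETSEBOOL:-/usr/sbin/getsebool}
SETSEBOOL=${SETSEBOOL:-/usr/sbin/setsebool}

# Normalise the spellings setsebool accepts to on/off; reject the rest
# so a typo in policy never reaches setsebool.
sebool_normalise() {
    case "$1" in
        on|1|true)   echo on ;;
        off|0|false) echo off ;;
        *)           return 1 ;;
    esac
}

# Print the running value, parsed from a line such as
# "httpd_can_network_connect --> off". Only the third field is used,
# so any trailing text after the value is ignored.
sebool_current() {
    "$GETSEBOOL" "$1" 2>/dev/null |
        awk -v n="$1" '$1 == n && $2 == "-->" { print $3; exit }'
}

# Return 0 if the boolean already has the promised value (kept),
# 10 if it had drifted and was reset (repaired), 1 on any failure.
sebool_converge() {
    name=$1
    want=$(sebool_normalise "$2") || { echo "bad value: $2" >&2; return 1; }
    have=$(sebool_current "$name")
    [ -n "$have" ] || { echo "cannot read boolean: $name" >&2; return 1; }
    [ "$have" = "$want" ] && return 0
    "$SETSEBOOL" -P "$name" "$want" || return 1
    return 10
}
```

The distinct "repaired" return code lets the caller log or alert when a boolean was found toggled, which is the drift case the reply mentions. `getsebool` reports only the running value, so a boolean whose persistent setting differs from its running one is treated as kept by this check.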