Two immediate possibilities come to mind:

(1) take selinux out of "common" and define it in each individual node
(2) define the exceptions to "selinux => enforcing" like in this:
    http://www.mail-archive.com/puppet-users@googlegroups.com/msg00697.html

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

----- Jonathan Gazeley <jonathan.gaze...@bristol.ac.uk> wrote:
> I manage quite a few CentOS 6 servers with puppet, and I want to start
> using puppet-selinux[1] to enable/disable it.
>
> My "common" node class, inherited by all servers, should say that all
> servers run SELinux in enforcing mode. But on one or two servers I want
> to run in permissive mode for various reasons.
>
> Am I right in thinking that doing the following will cause a conflict,
> as selinux is applied twice? Is there a better way of achieving this?
>
>
> class common {
>    include selinux(enforcing)
>    ...
>    ...
> }
>
> node server1 {
>    include common
> }
>
> node server2 {
>    include common
>    include selinux(permissive)
> }
>
>
> Thanks,
> Jonathan
>
> [1] https://github.com/jfryman/puppet-selinux
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
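
Option (1) from the reply, written out as a Puppet manifest. This is an added illustration, not code from the thread or from the puppet-selinux module; it assumes the module exposes a parameterized class named selinux with a mode parameter, and the node names are the ones used in the question.

```puppet
# Added illustration. Assumption: the selinux module provides a
# parameterized class 'selinux' that takes a 'mode' parameter.
#
# A class declared with parameters (class { 'name': ... }) may appear only
# once in a node's catalog. Declaring it in 'common' and again in a node
# makes the compile fail with a duplicate declaration error, which is the
# conflict the question asks about.

class common {
  # selinux is no longer declared here, so 'common' can be included on
  # every server without fixing the SELinux mode.
  # ... resources shared by all servers ...
}

# Nodes without their own definition fall through to 'default' and get
# enforcing mode.
node default {
  include common
  class { 'selinux': mode => 'enforcing' }
}

node 'server1' {
  include common
  class { 'selinux': mode => 'enforcing' }
}

# The exception: permissive on this host only, visible in its definition.
node 'server2' {
  include common
  class { 'selinux': mode => 'permissive' }
}
```

With selinux out of "common", a node that has its own definition but omits the class declaration gets no SELinux management from Puppet at all, so each explicit node block needs checking when it is added.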