Community cookbook & SELinux Configuration

What’s the appropriate way to handle SELinux configuration for a
Vagrantfile or .kitchen.yml that ships with a community cookbook?

I updated the nexus cookbook to use a new base box in the Vagrantfile
(https://github.com/RiotGamesCookbooks/nexus-cookbook/issues/109) and now it
will fail if you have recipe[nginx] on the run list, because the new base box
has SELinux enabled.

Is there a way to require the selinux cookbook as a dependency but only for
Vagrant & Test Kitchen? I was thinking of using that to just disable
SELinux but I wouldn’t want it to be a mandatory dependency for everyone.

Thanks!
Greg


My personal opinion (as one of the maintainers of the bento project)
is to just use baseboxes that have SELinux in a permissive state
(enabled but not enforcing). That gives the greatest flexibility
whilst testing.

  • Julian

--
[ Julian C. Dunn jdunn@aquezada.com * Sorry, I'm ]
[ WWW: Julian Dunn's Blog - Commentary on media, technology, and everything in between. * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]

Hmmm, I'm actually using the CentOS 6.6 bento box. It looks like SELinux is
supposed to be permissive (see
https://github.com/opscode/bento/blob/a4acd6fa2944457a3bd42ba4a38825642fe085de/packer/http/centos-6.6/ks.cfg)?

I just tried with a simple Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "opscode-centos-6.6"
  config.vm.box_url = "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.6_chef-provisionerless.box"
end

Is this what I'm supposed to be seeing with that box?

$ vagrant up
$ vagrant ssh
[vagrant@localhost ~]$ getenforce
Enforcing
[vagrant@localhost ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


Apparently CentOS 6.6 shipped with a broken anaconda that ignores the
setting in ks.cfg.

If you can give me a +1 to this I'll merge it:
centos-6.6: Force to set SELinux to a permissive mode by legal90 · Pull Request #306 · chef/bento · GitHub

  • Julian


You could accomplish what you are looking for several different ways:

  • Put the SELinux recipe you need into the Vagrantfile’s runlist.

  • This one is a bit of an ugly hack: add a recipe to your cookbook that simply contains a script that calls “setenforce 0”. Use include_recipe to call it only if you are running from a Vagrantfile.

  • Leave SELinux enabled, and make your cookbook compatible with SELinux. Since you are developing a community cookbook, this may actually be your best choice. After all, if your cookbook breaks for you with SELinux, it’s going to break for anybody else who uses it, too!

From: Greg Barker [mailto:fletch@fletchowns.net]
Sent: Wednesday, January 14, 2015 3:38 PM
To: chef@lists.opscode.com
Subject: [chef] Community cookbook & SELinux Configuration

What’s the appropriate way to handle SELinux configuration for a Vagrantfile or .kitchen.yml that ships with a community cookbook?

I updated the nexus cookbook to use a new base box in the Vagrantfile and now it will fail if you have recipe[nginx] on the run list, because the new base box has SELinux enabled.

Is there a way to require the selinux cookbook as a dependency but only for Vagrant & Test Kitchen? I was thinking of using that to just disable SELinux but I wouldn’t want it to be a mandatory dependency for everyone.

Thanks!
Greg

Thanks Julian! That fix worked great for me.

On Wed, Jan 14, 2015 at 9:39 PM, Julian C. Dunn jdunn@aquezada.com wrote:

Apparently CentOS 6.6 shipped with a broken anaconda that ignores the
setting in ks.cfg.

If you can give me a +1 to this I'll merge it:
centos-6.6: Force to set SELinux to a permissive mode by legal90 · Pull Request #306 · chef/bento · GitHub

  • Julian

Here's how you put platform-specific, loosely coupled dependencies into
test-kitchen runs:

selinux::disabled
https://github.com/chef-cookbooks/mysql/blob/master/.kitchen.yml#L12

apt
https://github.com/chef-cookbooks/mysql/blob/master/.kitchen.yml#L25

-s

On Thu, Jan 15, 2015 at 5:20 AM, Greg Barker fletch@fletchowns.net wrote:

Thanks Julian! That fix worked great for me.
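A .kitchen.yml in the shape -s points to, written here as an added illustration rather than taken from the mysql or nexus cookbooks: the platform-level run_list is prepended only on the CentOS platform, so the selinux cookbook is pulled in for Test Kitchen runs without becoming a metadata dependency. The platform names and the nexus::default recipe name are assumptions, and it uses the selinux cookbook's permissive recipe instead of selinux::disabled so the policy stays loaded and denials are still logged while the cookbook is tested.

```yaml
---
driver:
  name: vagrant

provisioner:
  name: chef_zero

platforms:
  # Debian-family boxes ship without SELinux, so nothing extra is needed here.
  - name: ubuntu-14.04
  # The CentOS 6.6 bento box in the thread boots Enforcing. A platform-level
  # run_list is prepended to every suite's run_list on this platform only.
  # Permissive keeps the policy loaded and logs denials instead of blocking,
  # so AVC messages still show which file contexts or ports the cookbook
  # needs to handle before it is run Enforcing.
  - name: centos-6.6
    run_list:
      - recipe[selinux::permissive]   # recipe name assumed from the selinux cookbook

suites:
  - name: default
    run_list:
      - recipe[nexus::default]        # assumed recipe name; adjust to the cookbook
      - recipe[nginx]
```

With Berkshelf, listing the selinux cookbook in the Berksfile (not in metadata.rb) is enough for the chef_zero provisioner to resolve it, so consumers of the cookbook never see it as a dependency.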