A collection of task oriented solutions in Puppet

Disable SELinux

Challenge

You want to disable SELinux

Solution

Puppet doesn't provide a native way to change the system's SELinux status, so you'll need to install a module to manage it.

$ sudo /opt/puppetlabs/bin/puppet module install puppet-selinux

...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
 - puppet-selinux (v1.5.2)
  - puppetlabs-stdlib (v4.25.1)
...

Once the module is installed you can switch SELinux to permissive mode, in which policy violations are logged but allowed, rather than blocked as they are in enforcing mode:

class lesssecure {

  # Declare the selinux class from the puppet-selinux module; it sets the
  # mode both in the on-disk configuration and on the running system.
  class { selinux:
    mode => 'permissive',
  }

}

Explanation

SELinux is an amazingly powerful layer of security, but sometimes you will need to remove a system from its safety. There are a few good reasons for this, such as troubleshooting in a lab or experimental environment, and a few not so pleasant ones, including operating a badly packaged legacy application. Puppet doesn't judge, but it does provide a solution you can download from the Puppet Forge.

$ sudo /opt/puppetlabs/bin/puppet module install puppet-selinux

...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
 - puppet-selinux (v1.5.2)
  - puppetlabs-stdlib (v4.25.1)
...

Before we make any changes, we check that SELinux is enabled and enforcing on our system.

facter os.selinux

{
  config_mode => "enforcing",
  current_mode => "enforcing",
  enabled => true,
  enforced => true,
  policy_version => "31"
}

The title of this recipe is a little misleading: we're not going to show how to turn SELinux off, but how to switch it to permissive mode. When operating in this way it still checks the usual operations against the policy, but it does not prevent them from happening. You can run in permissive mode until everything works, use other SELinux tools to audit the logged policy violations and, hopefully, configure your system so the software runs with SELinux back in enforcing mode.

class lesssecure {

  class { selinux:
    mode => 'permissive',
  }

}

After Puppet has applied the class, facter reports the new mode:

facter os.selinux

{
  config_mode => "permissive",
  current_mode => "permissive",
  enabled => true,
  enforced => false,
  policy_version => "31"
}

Once everything is working and you've written your own policy customisations, you can configure Puppet to set SELinux back to enforcing mode:

class securer {

  class { selinux:
    mode => 'enforcing',
  }

}

Once Puppet has completed the run, we verify again using facter.

facter os.selinux

{
  config_mode => "enforcing",
  current_mode => "enforcing",
  enabled => true,
  enforced => true,
  policy_version => "31"
}
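The facter check this recipe performs by eye, as an added example that is not part of the recipe or of the puppet-selinux module: it parses facter's hash-style output (the constructed sample is the permissive output shown above) and reports whether the mode Puppet was asked for actually landed, whether a reboot is still pending, or whether the running mode has drifted from the configured one. The handling of a system with SELinux disabled at boot is an assumption about facter's output.

```python
import re

# Constructed sample input: the `facter os.selinux` output shown above,
# taken after Puppet applied the 'permissive' class.
SAMPLE_PERMISSIVE = """{
  config_mode => "permissive",
  current_mode => "permissive",
  enabled => true,
  enforced => false,
  policy_version => "31"
}"""

# One `key => value,` line of facter's Puppet-style hash output.
_FACT_LINE = re.compile(r'^\s*(\w+)\s*=>\s*(.+?),?\s*$')

def parse_facter_hash(text):
    """Turn facter's hash notation into a dict (strings and booleans)."""
    facts = {}
    for line in text.splitlines():
        m = _FACT_LINE.match(line)
        if not m:
            continue  # the surrounding braces
        key, raw = m.groups()
        if raw in ("true", "false"):
            facts[key] = raw == "true"
        else:
            facts[key] = raw.strip('"')
    return facts

def check_selinux(facts, expected_mode):
    """Return (ok, message): did the mode Puppet was asked for take effect?"""
    config = facts.get("config_mode")
    # Assumption: facter omits current_mode when SELinux is disabled at boot.
    current = facts.get("current_mode") if facts.get("enabled") else "disabled"
    if config != expected_mode:
        return (False, f"config_mode is {config!r}, not {expected_mode!r}: class not applied")
    if current != config:
        # enforcing<->permissive is switched live with setenforce, so only a
        # change to or from disabled needs a reboot; anything else is drift.
        if "disabled" in (config, current):
            return (False, f"config {config!r} but kernel {current!r}: reboot required")
        return (False, f"config {config!r} but kernel {current!r}: runtime drift")
    if facts.get("enforced") != (current == "enforcing"):
        return (False, "enforced flag disagrees with current_mode")
    return (True, f"SELinux is {current} as configured")

if __name__ == "__main__":
    print(check_selinux(parse_facter_hash(SAMPLE_PERMISSIVE), "permissive"))
```

Pipe real output in with `facter os.selinux | python3 check.py` after adapting the main block to read stdin; run it after each Puppet run to confirm the mode change, and keep the permissive window short.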

See also