From b9b1db627a840ef52ff96611bf983664f42acfbe Mon Sep 17 00:00:00 2001
From: Bart-Jan Vrielink
Date: Fri, 22 Dec 2017 15:16:29 +0100
Subject: [PATCH] Fixing change-selinux-status-to-disabled exec

setenforce only accepts enforcing or permissive (or 0 and 1) as possible modes. When calling the selinux module with the current mode as either enforcing or permissive and $mode => disabled, the exec change-selinux-status-to-disabled will give exit code 1. A reboot does solve this, but until that happens. each puppet run will result in a report with a corrective change.
---
 manifests/config.pp | 11 +++++++----
 spec/classes/selinux_config_mode_spec.rb | 1 -
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index de04efd8..b58c4240 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -80,10 +80,13 @@
 }
 }
- exec { "change-selinux-status-to-${_real_mode}":
- command => "setenforce ${sestatus}",
- unless => "getenforce | grep -Eqi '${_real_mode}|disabled'",
- path => '/bin:/sbin:/usr/bin:/usr/sbin',
+ # setenforce only works when SELinux itself is enabled
+ if $_real_mode in ['enforcing','permissive'] {
+ exec { "change-selinux-status-to-${_real_mode}":
+ command => "setenforce ${sestatus}",
+ unless => "getenforce | grep -Eqi '${_real_mode}|disabled'",
+ path => '/bin:/sbin:/usr/bin:/usr/sbin',
+ }
 }
 }
diff --git a/spec/classes/selinux_config_mode_spec.rb b/spec/classes/selinux_config_mode_spec.rb
index 11c7da29..5970a7f5 100644
--- a/spec/classes/selinux_config_mode_spec.rb
+++ b/spec/classes/selinux_config_mode_spec.rb
@@ -59,7 +59,6 @@
 it { is_expected.to contain_file('/var/lib/puppet/puppet-selinux') }
 it { is_expected.to contain_file_line('set-selinux-config-to-disabled').with(line: 'SELINUX=disabled') }
- it { is_expected.to contain_exec('change-selinux-status-to-disabled').with(command: 'setenforce 0') }
 it { is_expected.not_to contain_file('/.autorelabel') }
 end
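Review bot: The comment added above the new guard describes the wrong condition — `$_real_mode in ['enforcing','permissive']` tests the *target* mode, not whether SELinux is currently enabled, and the currently-disabled case was already covered by the `|disabled` alternative in the exec's `unless`. I would reword it to `# setenforce cannot switch to 'disabled'; that transition only takes effect from the SELINUX= config setting at the next boot, so skip the runtime switch for that mode`. The behaviour change is also worth documenting on the class: with `mode => disabled` the running system now stays in whatever enforcing/permissive state it is in until reboot, whereas the removed exec ran `setenforce 0` (as the deleted spec expectation pinned), so a run now reports no corrective change while SELinux is still active and a reboot is pending. Relatedly, the spec hunk only deletes the old expectation; the new behaviour should be pinned with `it { is_expected.not_to contain_exec('change-selinux-status-to-disabled') }` so a regression is caught. The enclosing class body begins before this hunk.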