A collection of task-oriented solutions in Puppet


Manage SELinux booleans

Challenge

You want to manage an SELinux boolean.

Solution

class enable_bool {

  # Boolean names are the ones reported by `getsebool -a`.
  selboolean { 'collectd_tcp_network_connect':
    # if persistent is set to false the change will be lost on reboot
    persistent => true,
    # value is either 'on' or 'off'
    value      => 'on',
  }

}

Explanation

SELinux booleans allow parts of the SELinux policy to be changed at runtime without requiring custom policy modules to be written. Each boolean typically controls whether SELinux will permit a particular action or not.

You can list all the available booleans and their current values with getsebool.

$ getsebool -a | grep http
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off

You can gather more details, such as a description of each boolean's purpose and its default value, by running semanage.

$ sudo semanage boolean --list
SELinux boolean                State  Default Description
...
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
...

The Puppet resource that manages a boolean is a simple one. The only attributes you'll typically need are value, which sets the boolean to on or off, and persistent, which determines whether the change survives a reboot.
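The following is an added example, not part of the original cookbook entry, that goes a step beyond the single resource above: it declares a small baseline of booleans from a hash so the same settings can be reused across nodes, switching on only the boolean the service needs and keeping the broader httpd network permissions off. The boolean names are those shown on this page; the class name and its parameter are assumptions.

```puppet
# Added example: manage a baseline of SELinux booleans from a hash.
# Class name and parameter are assumptions, not part of the original page.
class selinux_boolean_baseline (
  Hash[String, Enum['on', 'off']] $booleans = {
    # enable only what collectd actually needs
    'collectd_tcp_network_connect' => 'on',
    # keep httpd's outbound network permissions off unless a service needs them
    'httpd_can_network_connect'    => 'off',
    'httpd_can_network_connect_db' => 'off',
    'httpd_can_network_memcache'   => 'off',
  },
) {
  # one selboolean resource per entry in the hash
  $booleans.each |String $name, Enum['on', 'off'] $state| {
    selboolean { $name:
      value      => $state,
      # write to the persistent policy store so the setting survives a reboot
      persistent => true,
    }
  }
}

# Apply the baseline (with `puppet apply`) on the node being configured.
include selinux_boolean_baseline
```

After applying, `getsebool collectd_tcp_network_connect` should report `on` and the three httpd booleans `off`; a later run reports no changes, which is the check that the persistent setting took effect.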