"checkloaded" exec always schedules build/install on RHEL7 / CentOS 7 about puppet-selinux HOT 7 CLOSED

I've determined that this is probably an issue with Facter on RHEL7/CentOS7. The module class is using the fact ::selinux_config_policy in the path to check if the module exists or not, but in RHEL7/CentOS 7, that fact returns unknown:

[root@host ~]# facter selinux_config_policy
unknown

I see there's already a bug report in the Facter issues here: https://tickets.puppetlabs.com/browse/FACT-756

..so I'm assuming this may be an issue with Facter, not your module, but perhaps some workaround could be implemented? Maybe a way to override that variable as a parameter?

from puppet-selinux.

i fixed this on my own system by editing module.pp and changing the class definition to:

define selinux::module(
  $source,
  $ensure         = 'present',
  $use_makefile   = false,
  $makefile       = '/usr/share/selinux/devel/Makefile',
  $policy         = $::selinux_config_policy
) {

and changed the checkloaded exec to:

  exec { "${name}-checkloaded":
    refreshonly => false,
    creates     => "/etc/selinux/${policy}/modules/active/modules/${name}.pp",
    command     => 'true',
    notify      => Exec["${name}-buildmod"],
  }

and then changed my selinux rules to specify the policy:

selinux::module { 'varnish_ownership':
    source   => 'puppet:///modules/varnish/selinux/varnish_ownership.te',
    policy   => 'targeted'
}

from puppet-selinux.

Actually the lib/facter code for us had several issues:

• Missing require 'facter'
• Confine ... selinux => true missing single quotes, i.e. selinux => 'true'
• Facter::Core::Execution.exec didn't work

So our facter selinux_custom_policy.rb now looks like this:
require 'facter'

Facter.add(:selinux_custom_policy) do
confine :kernel => 'Linux', :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux => 'true'
setcode {Facter::Util::Resolution.exec('sestatus | grep "Loaded policy name" | awk '{print $4}'') }
end

from puppet-selinux.

@batman1007 confirmed issue on my servers as well. Submitted PR #45.

from puppet-selinux.

Resubmitted after noticing I missed the confine issue + escaping for awk. PR #46

from puppet-selinux.

As mentioned above, I think that we are seeing an issue with facter 'selinux' returning a string rather than a boolean, hence why we had to quote true in the facter code - it didn't confine correctly otherwise.

We're on facter version 1.7.5 and I notice this:
rodjek/puppet-lint#197

Thanks,
Dan.

from puppet-selinux.

@batman1007 agreed, that's why I added a quoted value in the confine.

from puppet-selinux.