selinux::ensure: true results in Permissive mode

Description

  • The parameter selinux::ensure is type Selinux::State, which is either a Boolean or one of the Strings 'enforcing', 'permissive', or 'disabled'. The default value is the Boolean true.

  • $selinux::state is a class variable derived from selinux::ensure, but is guaranteed to be only of the String Selinux::State states.

  • In selinux::config a setlinux_state resource is declared using the value of $::selinux::ensure (default: Boolean false).

  • In the provider for setlinux_state, setenforce "1" (enforcing) will only be run if the desired state was the String 'enforcing'; otherwise (e.g., in the case of Boolean true) it will run setenforce "0" (permissive).

Resulting issues

  • It is possible for setlinux_state to receive Booleans, which it does not handle correctly

  • The default value for selinux::ensure does the opposite of what it was intended to do

  • The intended inputs and effects of the selinux::ensure parameter are insufficiently documented: The effect of true in a three-state system is ambiguous without further explanation

Acceptance Criteria

  • The effects of selinux::ensure are correct and sufficiently documented.

  • Either:

      • selinux::config is modified to declare the selinux_state resource using $::selinux::state, or

      • selinux_state is modified to correctly handle the Boolean value `true` from selinux::ensure.
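The mismatch described above, modelled in Ruby (the language Puppet providers are written in) as an added example; this is not the module's code. The method names are hypothetical, and mapping false to 'disabled' is an assumption the ticket does not state.

```ruby
# Added illustration, not code from the module. All method names are hypothetical.
VALID_STATES = %w[enforcing permissive disabled].freeze

# Decision as the ticket describes it: only the exact String 'enforcing'
# selects `setenforce 1`; every other value, Boolean true included, gets 0.
def setenforce_arg_as_described(should)
  should == 'enforcing' ? '1' : '0'
end

# Collapse the Boolean-or-String input to one of the three String states.
# Assumption: true means 'enforcing' and false means 'disabled'.
def normalize_state(ensure_value)
  case ensure_value
  when true  then 'enforcing'
  when false then 'disabled'
  when String
    return ensure_value if VALID_STATES.include?(ensure_value)
    raise ArgumentError, "invalid SELinux state: #{ensure_value.inspect}"
  else
    raise ArgumentError, "invalid SELinux state: #{ensure_value.inspect}"
  end
end

# Decision after normalization. setenforce only switches between enforcing
# and permissive, so 'disabled' yields nil (no runtime toggle applies).
def setenforce_arg_fixed(ensure_value)
  case normalize_state(ensure_value)
  when 'enforcing'  then '1'
  when 'permissive' then '0'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs covering every value the parameter type allows.
  [true, false, 'enforcing', 'permissive', 'disabled'].each do |value|
    puts format('%-12s described=%s fixed=%s', value.inspect,
                setenforce_arg_as_described(value),
                setenforce_arg_fixed(value).inspect)
  end
end
```

Values outside the three states and the two Booleans raise instead of falling through to permissive, so a typo cannot silently weaken enforcement.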

Epic Link

None

Story Points

6

Components

Sprint

None

Priority

Medium

Assignee

Chris Tessmer