Clarification on allow_disabled resource property
#153
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Clarification on
I'm seeking some clarification on the
allow_disabledproperty that I referenced in my closed bug report here: #152For some background, we had an issue where we enabled selinux with a custom policy module to allow access for an application. Since the
allow_disabledproperty by default prevents compiling policy modules unless selinux is enabled (as in, selinux has been enabled and the server has subsequently been rebooted) our policy module was not compiled/enabled until later. This gap in time resulted in our audit logs being pummeled and subsequently forwarded to an rsyslog server and causing some network contention.I'm curious if the behavior of the
allow_disabledproperty is reversed from its true intent. Is there a reason that, by default, an admin would want to forego compiling a module until after enabling selinux? Doing so would always create a scenario where applications would function poorly/unexpectedly (in the case of enforcing mode) in the time between rebooting a server to enable selinux and chef-clienting to compile the module.The text was updated successfully, but these errors were encountered: