Comments (4)

purplexa avatar purplexa commented on June 25, 2024

You shouldn't be modifying the params.pp, that's the point of the class being parameterized. If you want to set different values per-host, either you need to have the logic in your Puppet code that determines the value and then pass that for the parameter, you need to include the selinux class separately per host (or per group of hosts with the same settings), or you need to inject the data via Hiera or an ENC.

from puppet-selinux.

mikalsande avatar mikalsande commented on June 25, 2024

Because of #64 we had to do something to get around the unintended default behavior.

We have a baseclass.pp that we use on all our servers; this can be further divided into logical server groups. But however we divide things into logical groups, there will be exceptions to the rule of having SELinux enabled by default. How can one override the default setting?

What I am looking for is an override option. We would like to have a default (global or per group of servers) that ensures that SELinux is in enforcing mode. There are always exceptions to such rules whether we like it or not. How can we override the default to set SELinux in permissive mode on a per host basis?

from puppet-selinux.

purplexa avatar purplexa commented on June 25, 2024

You'd do something like this:

class baseclass ($selinux_mode = 'enforcing') {
  class { 'selinux':
    mode => $selinux_mode,
  }
}

Then you can set selinux_mode either by modifying where you include baseclass, using Hiera automatic data bindings, or using an ENC.

You could also do something like create a fact for whether you want SELinux or not or manually use the hiera() function to get a value, but those aren't really best-practice for this use case.

from puppet-selinux.

purplexa avatar purplexa commented on June 25, 2024

Oh, the other option is since #67 fixed the module to not manage the SELinux mode when you don't explicitly set it, you can manually set it on every node and not specify it with the module, but that's just decreasing what you manage, which really isn't a solution.

from puppet-selinux.
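
The Hiera automatic data binding route mentioned in the thread, written out as an added example (not code from the thread or from the puppet-selinux project). It assumes a Hiera 5 layout, the `baseclass` wrapper shown above, and a constructed hostname `legacy-app01.example.com`; the three files are shown in one block, separated by comments.

```yaml
# --- hiera.yaml (environment level; Hiera 5 format is an assumption) ---
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  # Most specific level first: the first level that defines a key wins.
  - name: "Per-node exceptions"
    path: "nodes/%{trusted.certname}.yaml"
  - name: "Defaults for every node"
    path: "common.yaml"

# --- data/common.yaml: fleet-wide default, SELinux stays enforcing ---
---
baseclass::selinux_mode: 'enforcing'

# --- data/nodes/legacy-app01.example.com.yaml: one documented exception ---
# (constructed hostname; the file name must match the node's certname)
---
baseclass::selinux_mode: 'permissive'
```

Every node only needs `include baseclass`; the key `baseclass::selinux_mode` is bound to the class parameter automatically. Running `puppet lookup baseclass::selinux_mode --node legacy-app01.example.com --explain` shows which hierarchy level supplied the value, and the files under `data/nodes/` double as the reviewable list of hosts that are not enforcing.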
