right now nothing in configure requires selinux to be permissive before running, and thus selinux could still be enforcing, preventing the aeolus seed data from being created.
if any other components require selinux to be permissive, we should create policy exceptions for those operations and remove the selinux permissive bits
---
 recipes/aeolus_recipe/manifests/conductor.pp | 2 +-
 recipes/apache/manifests/init.pp | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/recipes/aeolus_recipe/manifests/conductor.pp b/recipes/aeolus_recipe/manifests/conductor.pp
index cd2934a..86c1210 100644
--- a/recipes/aeolus_recipe/manifests/conductor.pp
+++ b/recipes/aeolus_recipe/manifests/conductor.pp
@@ -265,7 +265,7 @@ define aeolus::conductor::login($user,$password){
 -d commit=submit \
 -c /tmp/aeolus-${user}.cookie",
 onlyif => "/usr/bin/test ! -f /tmp/aeolus-${user}.cookie || "" == "`curl -X GET http://localhost/conductor -b /tmp/aeolus-${user}.cookie -i --silent | grep 'HTTP/1.1 200'`"",
- require => Service['aeolus-conductor']}
+ require => Service['aeolus-conductor', 'httpd']}
 }
define aeolus::conductor::logout($user){
diff --git a/recipes/apache/manifests/init.pp b/recipes/apache/manifests/init.pp
index 80d8980..79f15f9 100644
--- a/recipes/apache/manifests/init.pp
+++ b/recipes/apache/manifests/init.pp
@@ -9,12 +9,17 @@ class apache {
 package { "mod_ssl": ensure => installed }
 }
+ # if selinux is enabled and we want to use mod_proxy, we need todo this
+ exec{'permit-http-networking':
+ command => '/usr/sbin/setsebool httpd_can_network_connect 1',
+ logoutput => true }
+
 service { "httpd":
 ensure => running,
- require => Package["httpd"],
+ require => [Package["httpd"], Exec['permit-http-networking']],
 hasrestart => true,
 hasstatus => true,
- enable => true,
+ enable => true
 }
exec { "reload-apache":
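Review bot: The `permit-http-networking` exec runs unconditionally even though its comment says "if selinux is enabled": with no `unless`/`onlyif` it re-runs on every Puppet run, and on a host where SELinux is disabled `setsebool` will most likely exit non-zero, so the `httpd` service resource is skipped through the new `require`. Without `-P` the boolean is also not persistent, so after a reboot httpd (which has `enable => true`) starts without it until the next run. Puppet's native type covers both points: `selboolean { 'httpd_can_network_connect': value => on, persistent => true }`, wrapped in a check on the `selinux` fact. `httpd_can_network_connect` lets httpd open outbound TCP connections to any port, which is broader than proxying to one backend needs; the comment should name the backend this is for, and a narrower policy exception, as the commit message proposes for other components, would be the better long-term fix.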