Add $selinux_ignore_defaults parameter with default value true#1043
Add $selinux_ignore_defaults parameter with default value true#1043wbclark wants to merge 2 commits intotheforeman:masterfrom
Conversation
Do not lookup default security context for file resources in catalogue compilation and attempt to manage them; instead defer context lookups to the system itself when the files are actually created. Useful during initial installs, because Puppet can install packages like foreman-selinux which modify the security policy after the context lookups were performed, which breaks idempotence. This can be disabled after the initial install, to allow Puppet to remedy drift in security context.
Since the module now has an option to run without managing file security context, this workaround is not needed.
ekohl
left a comment
ekohl
left a comment
There was a problem hiding this comment.
I wonder about this approach. On the one hand, it does allow an initial install to pass. On the other, it can't rectify labels if they are incorrect.
A further enhancement to this could be to introduce a custom fact that checks if foreman-selinux is installed. Something like foreman_selinux_installed. Then you use selinux_ignore_defaults => !facts['foreman_selinux_installed']. In the initial run it'll avoid setting labels while in the future it rectifies contexts on managed files.
Thoughts on this?
| if $facts['os']['selinux']['enabled'] { | ||
| File { | ||
| selinux_ignore_defaults => $foreman::selinux_ignore_defaults, | ||
| } | ||
| } |
There was a problem hiding this comment.
I'm against this. It's way too broad and magic. Pretty sure this affects the whole catalog, not just the files created by this module.
Instead, can we set the property everywhere? It's more verbose, but also easier to follow.
| # Needed for idempotency when SELinux is enabled | ||
| if $foreman::repo::configure_scl_repo { | ||
| package { 'rh-redis5-redis': | ||
| ensure => installed, | ||
| require => Class['foreman::repo'], | ||
| } | ||
| } |
There was a problem hiding this comment.
We've dropped EL7 so this should no longer be needed.
3 participants
The idea is that
foreman::selinux_ignore_defaults: truecan be used for initial install so that the system will determine security context for files at the time they are created, andforeman::selinux_ignore_defaults: falsecan be used on subsequent runs to remediate drift from the already installed policy.This allows foreman-installer to eliminate hooks/pre/32-install_selinux_packages.rb.
The one case this doesn't adequately cover would be the case where
foreman-selinuxpackage is updated by this module with changes to the policy. This would be solved for foreman_maintain users by having foreman_maintain run the installer withforeman::selinux_ignore_defaults: falsesince packages would always be updated prior to the installer running.