From cf85c5ac03637a4e290ccc1eab404efb49e59a88 Mon Sep 17 00:00:00 2001
From: Corey O'Brien
Date: Tue, 9 Feb 2016 10:19:51 -0500
Subject: [PATCH] Turn selinux back on after cloud-init

After cloud-init has run configuration steps, turn on selinux again for security reasons.

Change-Id: I12a5b2ff3e71be39aa84093fce8b1c2b1be9d473
Closes-Bug: 1543308
---
 magnum/templates/kubernetes/fragments/disable-selinux.sh | 4 ----
 .../templates/kubernetes/fragments/enable-services-master.sh | 2 ++
 .../templates/kubernetes/fragments/enable-services-minion.sh | 2 ++
 magnum/templates/swarm/fragments/disable-selinux.sh | 4 ----
 magnum/templates/swarm/fragments/enable-services.sh | 2 ++
 5 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/magnum/templates/kubernetes/fragments/disable-selinux.sh b/magnum/templates/kubernetes/fragments/disable-selinux.sh
index 888c0e4467..49e9dc79a8 100644
--- a/magnum/templates/kubernetes/fragments/disable-selinux.sh
+++ b/magnum/templates/kubernetes/fragments/disable-selinux.sh
@@ -2,7 +2,3 @@
 #!/bin/sh
 setenforce 0
-
-sed -i '
- /^SELINUX=/ s/=.*/=permissive/
-' /etc/selinux/config
diff --git a/magnum/templates/kubernetes/fragments/enable-services-master.sh b/magnum/templates/kubernetes/fragments/enable-services-master.sh
index cc13a02c15..ddf55809d2 100644
--- a/magnum/templates/kubernetes/fragments/enable-services-master.sh
+++ b/magnum/templates/kubernetes/fragments/enable-services-master.sh
@@ -9,3 +9,5 @@ for service in etcd docker kube-apiserver kubelet; do
 systemctl enable $service
 systemctl --no-block start $service
 done
+
+setenforce 1
diff --git a/magnum/templates/kubernetes/fragments/enable-services-minion.sh b/magnum/templates/kubernetes/fragments/enable-services-minion.sh
index 0253a37351..79596a420d 100644
--- a/magnum/templates/kubernetes/fragments/enable-services-minion.sh
+++ b/magnum/templates/kubernetes/fragments/enable-services-minion.sh
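Review bot: In enable-services-master.sh the added `setenforce 1` follows a loop that starts every unit with `systemctl --no-block start`, so the switch to enforcing can land while etcd, docker, kube-apiserver and kubelet are still starting, and which mode each service initialises under depends on timing. If only the cloud-init configuration steps need permissive mode, as the commit message suggests, moving `setenforce 1` ahead of the `for` loop would make the services start under the policy they will run under; if the services themselves need permissive during start-up, the script should wait for them before switching. The same ordering applies to the `setenforce 1` added in enable-services-minion.sh and in swarm/fragments/enable-services.sh. The `for` loop opens above the hunk, so the rest of its setup is not visible here.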
@@ -15,3 +15,5 @@ for service in docker kubelet; do
 systemctl enable $service
 systemctl --no-block start $service
 done
+
+setenforce 1
diff --git a/magnum/templates/swarm/fragments/disable-selinux.sh b/magnum/templates/swarm/fragments/disable-selinux.sh
index 888c0e4467..49e9dc79a8 100644
--- a/magnum/templates/swarm/fragments/disable-selinux.sh
+++ b/magnum/templates/swarm/fragments/disable-selinux.sh
@@ -2,7 +2,3 @@
 #!/bin/sh
 setenforce 0
-
-sed -i '
- /^SELINUX=/ s/=.*/=permissive/
-' /etc/selinux/config
diff --git a/magnum/templates/swarm/fragments/enable-services.sh b/magnum/templates/swarm/fragments/enable-services.sh
index d0f064e403..1c7ed9790a 100644
--- a/magnum/templates/swarm/fragments/enable-services.sh
+++ b/magnum/templates/swarm/fragments/enable-services.sh
@@ -7,3 +7,5 @@ for service in $NODE_SERVICES; do
 systemctl enable $service
 systemctl --no-block start $service
 done
+
+setenforce 1
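Review bot: The `setenforce 1` added at the end of enable-services-minion.sh is unchecked, and as the last command its exit status becomes the fragment's, so a node where the switch fails (for example an image with SELinux disabled, where `setenforce` returns an error) stays non-enforcing without any explicit message saying so. Reporting it, e.g. `setenforce 1 || echo "WARNING: SELinux was not returned to enforcing mode" >&2`, or logging the output of `getenforce` afterwards, gives operators something to alert on. Re-enabling also depends on this fragment being reached: `setenforce 0` lives in disable-selinux.sh, so a boot that stops between the two presumably leaves the node permissive until it is rebooted. A short comment such as `# Re-enable SELinux enforcement; disable-selinux.sh set it permissive for cloud-init` would document the pairing. The same holds for the enable-services-master.sh and swarm/fragments/enable-services.sh hunks.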