Disable selinux defaults enforcement in File/Concat resources

Last selinux-policy in CentOS Stream adds patch for [1] which modifies default context for symlinks under /etc/httpd. That's breaking idempotency for files created with File/Concat resources under that directory because of [2]. This patch is disabling default selinux context enforcement for all File/Concat resources until we have a fix for [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1900650 [2] https://tickets.puppetlabs.com/browse/PUP-7559 Conflicts: fixtures/scenario001.pp fixtures/scenario004.pp Change-Id: Ic92889cc480c316df9454186ffadf3a77fd8ed26 (cherry picked from commit 0f00dde757)
2021-01-08 17:24:24 +01:00 · 2021-01-08 17:24:24 +01:00 · 0cc3bc6c63
parent de71d3fc3f
commit 0cc3bc6c63
4 changed files with 28 additions and 0 deletions
--- a/fixtures/scenario001.pp
+++ b/fixtures/scenario001.pp
@ -53,6 +53,13 @@ if ($::os['family'] == 'RedHat' and Integer.new($::os['release']['major']) > 7)
  $ceph    = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
  'Debian': {
    $ipv6                    = false
--- a/fixtures/scenario002.pp
+++ b/fixtures/scenario002.pp
@ -44,6 +44,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
  $ssl = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
  'Debian': {
    $ipv6             = false
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@ -44,6 +44,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
  $ssl = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
  'Debian': {
    $ipv6            = false
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@ -53,6 +53,13 @@ if ($::os['family'] == 'RedHat' and Integer.new($::os['release']['major']) > 7)
  $ceph    = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 if $::operatingsystem == 'Ubuntu' {
  $ipv6                = false
  # Watcher packages are not available in Ubuntu repository.