From b0a4c9ff12c3c405bfccff55fd147ffa83dbc419 Mon Sep 17 00:00:00 2001
From: Alfredo Moralejo
Date: Fri, 8 Jan 2021 17:24:24 +0100
Subject: [PATCH] Disable selinux defaults enforcement in File/Concat resources

Last selinux-policy in CentOS Stream adds patch for [1] which modifies default context for symlinks under /etc/httpd. That's breaking idempotency for files created with File/Concat resources under that directory because of [2]. This patch is disabling default selinux context enforcement for all File/Concat resources until we have a fix for [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1900650
[2] https://tickets.puppetlabs.com/browse/PUP-7559
Conflicts: fixtures/scenario001.pp fixtures/scenario004.pp
Change-Id: Ic92889cc480c316df9454186ffadf3a77fd8ed26
(cherry picked from commit 0f00dde75739314270c493528b2160bb80e60ca2)
---
 fixtures/scenario001.pp | 7 +++++++
 fixtures/scenario002.pp | 7 +++++++
 fixtures/scenario003.pp | 7 +++++++
 fixtures/scenario004.pp | 7 +++++++
 4 files changed, 28 insertions(+)
diff --git a/fixtures/scenario001.pp b/fixtures/scenario001.pp
index de6ad6f8b..5228374f0 100644
--- a/fixtures/scenario001.pp
+++ b/fixtures/scenario001.pp
@@ -31,6 +31,13 @@ if ($::os['family'] == 'RedHat' and Integer.new($::os['release']['major']) > 7)
 $ceph = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
 'Debian': {
 $ipv6 = false
diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp
index c9f33ffbb..01996542d 100644
--- a/fixtures/scenario002.pp
+++ b/fixtures/scenario002.pp
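Review bot: The `File { selinux_ignore_defaults => true }` and `Concat { selinux_ignore_defaults => true }` defaults added in fixtures/scenario001.pp (and identically in the scenario002.pp, scenario003.pp and scenario004.pp hunks) are much broader than the breakage the commit message describes, which concerns only symlinks under /etc/httpd. Declared at top scope they reach every File and Concat resource in the catalog, and with this parameter set Puppet no longer asks SELinux for the default context of the files it manages, so a mislabeled file elsewhere would go uncorrected and unnoticed by these scenarios on an enforcing host. If the parameter cannot be limited to the affected resources from a fixture, the comment should at least record that the blanket scope is deliberate and temporary, e.g. `# NOTE: applies to ALL File/Concat resources, not only /etc/httpd; revert once PUP-7559 is fixed`. A follow-up check that the resulting labels under /etc/httpd match the policy (for instance a `restorecon -nv` dry run in the job) would keep the SELinux coverage this workaround gives up.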
@@ -22,6 +22,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
 $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
 'Debian': {
 $ipv6 = false
diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp
index deeb7b7eb..7a1b0c12b 100644
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@@ -22,6 +22,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
 $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
 'Debian': {
 $ipv6 = false
diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp
index b569f49aa..17de93243 100644
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@@ -31,6 +31,13 @@ if ($::os['family'] == 'RedHat' and Integer.new($::os['release']['major']) > 7)
 $ceph = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 if $::operatingsystem == 'Ubuntu' {
 $ipv6 = false
 # Watcher packages are not available in Ubuntu repository.