Merge "Unmanage SELinux within puppet"

2019-03-26 11:55:57 +00:00 · 2019-03-26 11:55:57 +00:00 · 78f66b76fc
commit 78f66b76fc
parent bf6917c524 f4e5f1c89f
2 changed files with 8 additions and 67 deletions
--- a/manifests/selinux.pp
+++ b/manifests/selinux.pp
@ -41,12 +41,17 @@
 #   Note: Those module should be in the $directory path
 #
 class tripleo::selinux (
-  $mode      = 'enforcing',
  $directory = '/usr/share/selinux/',
  $booleans  = [],
  $modules   = [],
+  # Deprecated
+  $mode      = undef,
 ) {

+  if $mode {
+    warning('The "mode" parameter is deprecated.')
+  }
+
  if $::osfamily != 'RedHat'  {
    fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
  }
@ -61,33 +66,6 @@ class tripleo::selinux (
    selmoduledir => $directory,
  }

-  file { '/etc/selinux/config':
-    ensure  => present,
-    mode    => '0444',
-    content => template('tripleo/selinux/sysconfig_selinux.erb')
-  }
-
-  $current_mode = $::selinux? {
-    false   => 'disabled',
-    default => $::selinux_current_mode,
-  }
-
-  if $current_mode != $mode {
-    case $mode {
-      /^(disabled|permissive)$/: {
-        if $current_mode == 'enforcing' {
-          exec { '/sbin/setenforce 0': }
-        }
-      }
-      'enforcing': {
-        exec { '/sbin/setenforce 1': }
-      }
-      default: {
-        fail('You must specify a mode (enforcing, permissive, or disabled)')
-      }
-    }
-  }
-
  selboolean { $booleans :
    persistent => true,
  }
--- a/spec/classes/tripleo_selinux_spec.rb
+++ b/spec/classes/tripleo_selinux_spec.rb
@ -21,7 +21,7 @@ describe 'tripleo::selinux' do

  shared_examples_for 'tripleo::selinux' do

-    context 'with selinux enforcing' do
+    context 'sebool and semodule management' do
      before :each do
        facts.merge!({
          :selinux              => true,
@ -30,48 +30,11 @@ describe 'tripleo::selinux' do
      end

      let :params do
-        { :mode       => 'disabled',
-          :booleans   => ['foo', 'bar'],
+        { :booleans   => ['foo', 'bar'],
          :modules    => ['module1', 'module2'],
          :directory  => '/path/to/modules'}
      end

-      it 'runs setenforce 0' do
-        is_expected.to contain_exec('/sbin/setenforce 0')
-      end
-
-      it 'enables the SELinux boolean' do
-        is_expected.to contain_selboolean('foo').with(
-          :persistent => true,
-          :value      => 'on',
-        )
-      end
-
-      it 'enables the SELinux modules' do
-        is_expected.to contain_selmodule('module1').with(
-          :ensure       => 'present',
-          :selmoduledir => '/path/to/modules',
-        )
-      end
-
-    end
-
-    context 'with selinux disabled' do
-      before :each do
-        facts.merge!({ :selinux => false })
-      end
-
-      let :params do
-        { :mode       => 'enforcing',
-          :booleans   => ['foo', 'bar'],
-          :modules    => ['module1', 'module2'],
-          :directory  => '/path/to/modules'}
-      end
-
-      it 'runs setenforce 1' do
-        is_expected.to contain_exec('/sbin/setenforce 1')
-      end
-
      it 'enables the SELinux boolean' do
        is_expected.to contain_selboolean('foo').with(
          :persistent => true,