From f4e5f1c89fe6f3ba92e5801ea7a10be924ab7fc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Fri, 22 Mar 2019 07:24:09 +0100 Subject: [PATCH] Unmanage SELinux within puppet Since [1] we manage SELinux state with ansible, at an earlier stage. [1] https://review.openstack.org/645238 Depends-On: https://review.openstack.org/645238 Change-Id: I1b4cc5c510793d5fc908c8369a2f6a06c4ccd886 Related-Bug: #1821178 Related-Bug: #1821025 --- manifests/selinux.pp | 34 ++++------------------- spec/classes/tripleo_selinux_spec.rb | 41 ++-------------------------- 2 files changed, 8 insertions(+), 67 deletions(-) diff --git a/manifests/selinux.pp b/manifests/selinux.pp index c5d13e2b6..72f94d7e1 100644 --- a/manifests/selinux.pp +++ b/manifests/selinux.pp @@ -41,12 +41,17 @@ # Note: Those module should be in the $directory path # class tripleo::selinux ( - $mode = 'enforcing', $directory = '/usr/share/selinux/', $booleans = [], $modules = [], + # Deprecated + $mode = undef, ) { + if $mode { + warning('The "mode" parameter is deprecated.') + } + if $::osfamily != 'RedHat' { fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS") } @@ -61,33 +66,6 @@ class tripleo::selinux ( selmoduledir => $directory, } - file { '/etc/selinux/config': - ensure => present, - mode => '0444', - content => template('tripleo/selinux/sysconfig_selinux.erb') - } - - $current_mode = $::selinux? { - false => 'disabled', - default => $::selinux_current_mode, - } - - if $current_mode != $mode { - case $mode { - /^(disabled|permissive)$/: { - if $current_mode == 'enforcing' { - exec { '/sbin/setenforce 0': } - } - } - 'enforcing': { - exec { '/sbin/setenforce 1': } - } - default: { - fail('You must specify a mode (enforcing, permissive, or disabled)') - } - } - } - selboolean { $booleans : persistent => true, } diff --git a/spec/classes/tripleo_selinux_spec.rb b/spec/classes/tripleo_selinux_spec.rb index 2e017b970..33a721393 100644 
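Review bot: The deprecation warning added at the top of the class body says only that `mode` is deprecated, not that the value is now ignored, while the second hunk of this file removes the `/etc/selinux/config` resource and both `setenforce` execs that used to apply it. A caller still passing `mode => 'enforcing'` gets a catalog that compiles with a generic warning, although this class no longer enforces anything. The message should say so, for example `warning('The "mode" parameter is deprecated and ignored: tripleo::selinux no longer sets the SELinux mode.')`. The parameter documentation in the class header is outside the hunk; if it still describes `mode` as setting the SELinux state, it should be marked deprecated as well.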
--- a/spec/classes/tripleo_selinux_spec.rb +++ b/spec/classes/tripleo_selinux_spec.rb @@ -21,7 +21,7 @@ describe 'tripleo::selinux' do shared_examples_for 'tripleo::selinux' do - context 'with selinux enforcing' do + context 'sebool and semodule management' do before :each do facts.merge!({ :selinux => true, @@ -30,48 +30,11 @@ describe 'tripleo::selinux' do end let :params do - { :mode => 'disabled', - :booleans => ['foo', 'bar'], + { :booleans => ['foo', 'bar'], :modules => ['module1', 'module2'], :directory => '/path/to/modules'} end - it 'runs setenforce 0' do - is_expected.to contain_exec('/sbin/setenforce 0') - end - - it 'enables the SELinux boolean' do - is_expected.to contain_selboolean('foo').with( - :persistent => true, - :value => 'on', - ) - end - - it 'enables the SELinux modules' do - is_expected.to contain_selmodule('module1').with( - :ensure => 'present', - :selmoduledir => '/path/to/modules', - ) - end - - end - - context 'with selinux disabled' do - before :each do - facts.merge!({ :selinux => false }) - end - - let :params do - { :mode => 'enforcing', - :booleans => ['foo', 'bar'], - :modules => ['module1', 'module2'], - :directory => '/path/to/modules'} - end - - it 'runs setenforce 1' do - is_expected.to contain_exec('/sbin/setenforce 1') - end - it 'enables the SELinux boolean' do is_expected.to contain_selboolean('foo').with( :persistent => true,
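Review bot: After the second hunk the params no longer include `:mode`, so no example covers the deprecated parameter and nothing pins that the class has stopped touching the SELinux state. A small extra context that passes `:mode => 'enforcing'` could assert `is_expected.not_to contain_exec('/sbin/setenforce 1')` and `is_expected.not_to contain_file('/etc/selinux/config')`. That would catch a later change that reintroduces either resource alongside the ansible-managed state. The remaining context's examples continue past the end of this hunk.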