Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Make selboolean management optional #849

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Feature: Make selboolean management optional #849

wants to merge 1 commit into from

Conversation

bastelfreak
Copy link
Member

No description provided.

ekohl
ekohl requested changes Jun 3, 2020
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some bikeshedding: manage_selinux could also imply foreman-selinux is not installed. How about manage_selinux_booleans?

manifests/init.pp Outdated Show resolved Hide resolved
manifests/init.pp Outdated Show resolved Hide resolved
ekohl
ekohl reviewed Jun 3, 2020
View reviewed changes
manifests/init.pp Outdated Show resolved Hide resolved
@ekohl ekohl mentioned this pull request Jul 6, 2020
Closed
alexjfisher
alexjfisher reviewed Oct 16, 2020
View reviewed changes
manifests/init.pp Outdated Show resolved Hide resolved
ekohl
ekohl approved these changes Oct 18, 2020
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@ekohl
Copy link
Member

ekohl commented Oct 18, 2020

It does look like the tests fail because of this. Mid taking a look?

alexjfisher
alexjfisher requested changes Oct 18, 2020
View reviewed changes
spec/classes/foreman_config_apache_spec.rb
@@ -15,6 +15,31 @@
end
end

describe 'without manage_selinux_booleans' do
it 'should contain the selinux resource' do
should contain_selboolean('httpd_can_network_connect')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not on systems that don't support SELinux it won't...

@ekohl
Copy link
Member

ekohl commented Oct 18, 2020

puppet-foreman/spec/classes/foreman_config_ipa_spec.rb

Lines 58 to 74 in 63bba21

context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end
has a similar pattern, but that entire class is already only run on the Red Hat OS family.

@alexjfisher
Copy link
Contributor

puppet-foreman/spec/classes/foreman_config_ipa_spec.rb

Lines 58 to 74 in 63bba21

context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end

has a similar pattern, but that entire class is already only run on the Red Hat OS family.

oh, ok. Seemed a bit redundant to execute the tests on Debian systems though. Don't they take long enough already?

@alexjfisher
Copy link
Contributor

puppet-foreman/spec/classes/foreman_config_ipa_spec.rb

Lines 58 to 74 in 63bba21

context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end

has a similar pattern, but that entire class is already only run on the Red Hat OS family.

oh, ok. Seemed a bit redundant to execute the tests on Debian systems though. Don't they take long enough already?

EDIT: I see. You still need to set {'selinux' => {'enabled' => selinux}}) } as that wouldn't be the default even in RedHat.

@alexjfisher
Copy link
Contributor

@bastelfreak Maybe just skip the lot when osfamily != RedHat, to not waste time.

@bastelfreak
Copy link
Member Author

@alexjfisher added it

alexjfisher
alexjfisher requested changes Oct 18, 2020
View reviewed changes
manifests/init.pp
@@ -199,6 +199,8 @@
#
# $rails_cache_store:: Set rails cache store
#
# $manage_selinux_booleans:: If true AND selinux is enabled on the node, set httpd_can_network_connect so apache works properly
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about

puppet-foreman/manifests/config.pp

Line 157 in 63bba21

selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
?

The name of this parameter would suggest when setting to false all selinux_booleans won't be managed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How should I change it? manage_apache_selinux_boolean? manage_httpd_can_network_connect_boolean?

@ekohl
Copy link
Member

ekohl commented Oct 19, 2020

How about the alternative and use ensure_resource?

@ekohl
Copy link
Member

ekohl commented Jul 9, 2021

This has been stale for a while. What should we do with this?

@kBite
Copy link

kBite commented Nov 2, 2022

@ekohl / @alexjfisher Is this just about naming the new parameter? In this case I'd create a new PR based on @bastelfreak's and rebased against master. Btw.: I'd suggest manage_httpd_selinux_boolean as selbooleans also have httpd in their names.

@ekohl
Copy link
Member

ekohl commented Nov 4, 2022

@kBite I think it's about naming and consistency. As @alexjfisher pointed out: the current name implies all booleans are managed. Either the parameter name should by changed to imply it only manages a specific boolean or the parameter should manage all booleans.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexjfisher alexjfisher alexjfisher requested changes

@mmerfort mmerfort mmerfort approved these changes

@ekohl ekohl ekohl approved these changes

Assignees
No one assigned
Labels
Enhancement Needs testing Waiting on contributor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@bastelfreak @ekohl @alexjfisher @kBite @mmerfort @theforeman-bot