Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: Make selboolean management optional #849

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

bastelfreak
Copy link
Member

No description provided.

Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some bikeshedding: manage_selinux could also imply foreman-selinux is not installed. How about manage_selinux_booleans?

manifests/init.pp Outdated Show resolved Hide resolved
manifests/init.pp Outdated Show resolved Hide resolved
manifests/init.pp Outdated Show resolved Hide resolved
manifests/init.pp Outdated Show resolved Hide resolved
@bastelfreak bastelfreak force-pushed the selinux branch 3 times, most recently from 91f6227 to 5472aa1 Compare October 17, 2020 12:36
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@ekohl
Copy link
Member

ekohl commented Oct 18, 2020

It does look like the tests fail because of this. Mid taking a look?

@@ -15,6 +15,31 @@
end
end

describe 'without manage_selinux_booleans' do
it 'should contain the selinux resource' do
should contain_selboolean('httpd_can_network_connect')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not on systems that don't support SELinux it won't...

@ekohl
Copy link
Member

ekohl commented Oct 18, 2020

context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end
has a similar pattern, but that entire class is already only run on the Red Hat OS family.

@alexjfisher
Copy link
Contributor

context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end

has a similar pattern, but that entire class is already only run on the Red Hat OS family.

oh, ok. Seemed a bit redundant to execute the tests on Debian systems though. Don't they take long enough already?

@alexjfisher
Copy link
Contributor

context 'with SELinux' do
let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }
context 'enabled' do
let(:selinux) { true }
it { should contain_selboolean('allow_httpd_mod_auth_pam') }
it { should contain_selboolean('httpd_dbus_sssd') }
end
context 'disabled' do
let(:selinux) { false }
it { should_not contain_selboolean('allow_httpd_mod_auth_pam') }
it { should_not contain_selboolean('httpd_dbus_sssd') }
end
end

has a similar pattern, but that entire class is already only run on the Red Hat OS family.

oh, ok. Seemed a bit redundant to execute the tests on Debian systems though. Don't they take long enough already?

EDIT: I see. You still need to set {'selinux' => {'enabled' => selinux}}) } as that wouldn't be the default even in RedHat.

@alexjfisher
Copy link
Contributor

@bastelfreak Maybe just skip the lot when osfamily != RedHat, to not waste time.

@bastelfreak
Copy link
Member Author

@alexjfisher added it

@@ -199,6 +199,8 @@
#
# $rails_cache_store:: Set rails cache store
#
# $manage_selinux_booleans:: If true AND selinux is enabled on the node, set httpd_can_network_connect so apache works properly
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about

selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
?

The name of this parameter would suggest when setting to false all selinux_booleans won't be managed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How should I change it? manage_apache_selinux_boolean? manage_httpd_can_network_connect_boolean?

@ekohl
Copy link
Member

ekohl commented Oct 19, 2020

How about the alternative and use ensure_resource?

@ekohl
Copy link
Member

ekohl commented Jul 9, 2021

This has been stale for a while. What should we do with this?

@kBite
Copy link

kBite commented Nov 2, 2022

@ekohl / @alexjfisher Is this just about naming the new parameter? In this case I'd create a new PR based on @bastelfreak's and rebased against master. Btw.: I'd suggest manage_httpd_selinux_boolean as selbooleans also have httpd in their names.

@ekohl
Copy link
Member

ekohl commented Nov 4, 2022

@kBite I think it's about naming and consistency. As @alexjfisher pointed out: the current name implies all booleans are managed. Either the parameter name should by changed to imply it only manages a specific boolean or the parameter should manage all booleans.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants