tripleo

SELinux is set to "permissive" too late in the deploy

Bug #1821178 reported by Cédric Jeanneret on 2019-03-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Emilien Macchi	tripleo stein-rc1

Bug Description

Hello,

Currently, selinux is managed by puppet, and kicks in too late in the deploy. We want to move away from puppet and manage it with pure ansible, at the earliest possible step.

This is linked to https://launchpad.net/bugs/1821025

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-21: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/645238

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-22: Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/645477

OpenStack Infra (hudson-openstack) on 2019-03-22

Changed in tripleo:
assignee:	Cédric Jeanneret (cjeanner) → Emilien Macchi (emilienm)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-25: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/645238
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d9df3c0ab09bab44f389c8c868470a3df4a0d8ff
Submitter: Zuul
Branch: master

commit d9df3c0ab09bab44f389c8c868470a3df4a0d8ff
Author: Cédric Jeanneret <email address hidden>
Date: Thu Mar 21 15:11:13 2019 +0100

Ensure we configure SELinux at the earliest stage.

    Prior this commit, SELinux was configured by puppet, and this
    happens way too late. Here we should get a proper SELinux configuration
    at the right time.

    SELinux management is also removed from puppet with this commit:
    https://review.openstack.org/#/c/645477/
    We just keep the "semodule" and "sebool" part within puppet. For now.

    Related-Bug: #1821025
    Closes-Bug: #1821178
    Change-Id: Ibd7b80b2cc0b09b63b17f1ba3a9b9cc2de728c57

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-26: Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/645477
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f4e5f1c89fe6f3ba92e5801ea7a10be924ab7fc3
Submitter: Zuul
Branch: master

commit f4e5f1c89fe6f3ba92e5801ea7a10be924ab7fc3
Author: Cédric Jeanneret <email address hidden>
Date: Fri Mar 22 07:24:09 2019 +0100

Unmanage SELinux within puppet

Since [1] we manage SELinux state with ansible, at an earlier stage.

[1] https://review.openstack.org/645238

    Depends-On: https://review.openstack.org/645238
    Change-Id: I1b4cc5c510793d5fc908c8369a2f6a06c4ccd886
    Related-Bug: #1821178
    Related-Bug: #1821025

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-04-18: Fix included in openstack/tripleo-heat-templates 10.5.0

This issue was fixed in the openstack/tripleo-heat-templates 10.5.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.