Clean up SELinux handling in acceptance testing. #2320
Conversation
|
Hello! 👋 This pull request has been open for a while and has had no recent activity. We've labelled it with If you are waiting on a response from us we will try and address your comments on a future Community Day. Alternatively, if it is no longer relevant to you please close the PR with a comment. Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error. |
ekohl
force-pushed
the
clean-up-selinux-in-acceptance
branch
from
86baa59 to
4d3e56e
Compare
ekohl
force-pushed
the
clean-up-selinux-in-acceptance
branch
from
4d3e56e to
751b8c7
Compare
This attempts to unify SELinux handling in the tests. It moves the package installation to the acceptance spec helper to reduce duplication. It then makes the set_apache_defaults line idempotent and restorecon_apache correctly chained. This works around [PUP-10548] which is that Puppet doesn't reload file contexts within a run. That means it must first create the file(s) and then run restorecon to get correct contexts. [PUP-10548]: https://tickets.puppetlabs.com/browse/PUP-10548
ekohl
force-pushed
the
clean-up-selinux-in-acceptance
branch
from
751b8c7 to
12ab304
Compare
|
I think this is now ready to merge. Still not ready to enforce SELinux, but at least it makes it work idempotently in permissive mode. That's a step forward. |
chelnak
left a comment
chelnak
left a comment
There was a problem hiding this comment.
Looks nice and clean to
Me.. however I'd like to leave it to @david22swan for the final approval and merge.
| path => '/bin:/usr/bin/:/sbin:/usr/sbin', | ||
| require => Package[$semanage_package], | ||
| } | ||
| exec { 'restorecon_apache': |
There was a problem hiding this comment.
Btw, the explicit restorecon is needed because of https://tickets.puppetlabs.com/browse/PUP-10548. Otherwise the file type would take care of it.
5 participants
This attempts to unify SELinux handling in the tests. It moves the package installation to the acceptance spec helper to reduce duplication. It then makes the set_apache_defaults line idempotent and restorecon_apache correctly chained. This works around PUP-10548 which is that Puppet doesn't reload file contexts within a run. That means it must first create the file(s) and then run restorecon to get correct contexts.