Disable selinux defaults enforcement in File/Concat resources

Last selinux-policy in CentOS Stream adds patch for [1] which modifies default context for symlinks under /etc/httpd. That's breaking idempotency for files created with File/Concat resources under that directory because of [2]. This patch is disabling default selinux context enforcement for all File/Concat resources until we have a fix for [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1900650 [2] https://tickets.puppetlabs.com/browse/PUP-7559 Change-Id: Ic92889cc480c316df9454186ffadf3a77fd8ed26
openstack · Jan 11, 2021 · 0f00dde · 0f00dde
1 parent 01f74c0
commit 0f00dde
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/fixtures/scenario001.pp b/fixtures/scenario001.pp
@@ -22,6 +22,13 @@
   $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
   'Debian': {
     $ipv6                    = false

diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp
@@ -22,6 +22,13 @@
   $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
   'Debian': {
     $ipv6             = false

diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp
@@ -22,6 +22,13 @@
   $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
   'Debian': {
     $ipv6            = false

diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp
@@ -22,6 +22,13 @@
   $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 if $::operatingsystem == 'Ubuntu' {
   $ipv6                = false
   # Watcher packages are not available in Ubuntu repository.