From 0f00dde75739314270c493528b2160bb80e60ca2 Mon Sep 17 00:00:00 2001
From: Alfredo Moralejo
Date: Fri, 8 Jan 2021 17:24:24 +0100
Subject: [PATCH] Disable selinux defaults enforcement in File/Concat resources

Last selinux-policy in CentOS Stream adds patch for [1] which modifies default context for symlinks under /etc/httpd. That's breaking idempotency for files created with File/Concat resources under that directory because of [2]. This patch is disabling default selinux context enforcement for all File/Concat resources until we have a fix for [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1900650
[2] https://tickets.puppetlabs.com/browse/PUP-7559
Change-Id: Ic92889cc480c316df9454186ffadf3a77fd8ed26
---
 fixtures/scenario001.pp | 7 +++++++
 fixtures/scenario002.pp | 7 +++++++
 fixtures/scenario003.pp | 7 +++++++
 fixtures/scenario004.pp | 7 +++++++
 4 files changed, 28 insertions(+)
diff --git a/fixtures/scenario001.pp b/fixtures/scenario001.pp
index 9a9f639b0..b29b881b8 100644
--- a/fixtures/scenario001.pp
+++ b/fixtures/scenario001.pp
@@ -22,6 +22,13 @@
 $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
 'Debian': {
 $ipv6 = false
diff --git a/fixtures/scenario002.pp b/fixtures/scenario002.pp
index c9f33ffbb..01996542d 100644
--- a/fixtures/scenario002.pp
+++ b/fixtures/scenario002.pp
@@ -22,6 +22,13 @@
 $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
 'Debian': {
 $ipv6 = false
diff --git a/fixtures/scenario003.pp b/fixtures/scenario003.pp
index b7f4a2480..50a62f7d2 100644
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
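Review bot: The `File { selinux_ignore_defaults => true }` and `Concat { selinux_ignore_defaults => true }` defaults added in fixtures/scenario001.pp sit in a bare `if` at what looks like top scope, so on RedHat they reach every File and Concat resource in the catalog, while the only breakage the commit message describes is symlinks under /etc/httpd. With the parameter set, Puppet no longer looks up the policy's default label for managed files, so a file that ends up with a wrong SELinux type elsewhere would not be corrected and the scenario would stop catching it. The in-code comment should record that scope and the removal condition, for example `# Applies to ALL File/Concat resources; only needed for /etc/httpd symlinks (rhbz#1900650). Revert when PUP-7559 is fixed.` The identical block in scenario002.pp, scenario003.pp and scenario004.pp needs the same comment; the surrounding manifest is outside the hunk, so the scope is inferred from the context lines.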
@@ -22,6 +22,13 @@
 $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
 'Debian': {
 $ipv6 = false
diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp
index 374e6b0f3..9fd5f44f8 100644
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@@ -22,6 +22,13 @@
 $ssl = true
 }
 
+if $::osfamily == 'RedHat' {
+ # (amoralej) - disable selinux defaults until
+ # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+ Concat { selinux_ignore_defaults => true }
+ File { selinux_ignore_defaults => true }
+}
+
 if $::operatingsystem == 'Ubuntu' {
 $ipv6 = false
 # Watcher packages are not available in Ubuntu repository.