Ignore SELinux defaults for systemd on RHEL based #856
Conversation
|
@tobias-urdin can you rebase / squash, and resolve the rubocop failure? Are there any security implications of this change? |
tobias-urdin
force-pushed
the
selinux_ignore_defaults
branch
from
30e87f8 to
4d68213
Compare
|
There is no security implications, this simply makes sure the systemd module doesn't overwrite the SELinux contexts the unit file that the installed package drops. |
tobias-urdin
changed the title
There was a problem hiding this comment.
So I guess this is due to https://tickets.puppetlabs.com/browse/PUP-10548. It would be good to refer to that if that's the case.
The SELinux labels needs to be ignored by the systemd module or it will not be idempotent. Bump the systemd minimum version to 2.10.0 Closes: voxpupuli#836
tobias-urdin
force-pushed
the
selinux_ignore_defaults
branch
from
4d68213 to
85f3be4
Compare
|
Fixed, the bug you linked is not really related. The issue occurs because the RabbitMQ packages built by the CentOS Messaging SIG drops the systemd unit file with the rabbitmq_unit_t context, the systemd modules then tries to overwrite that to systemd_unit_t. |
|
So the RabbitMQ packages don't even provide the content so a restorecon would also revert it back to Other than that the PR looks good to me. |
|
It's not really a package bug, it's more a regression in puppet-rabbitmq that was introduced when moving to the systemd module. See the commit message on the fix back in 2015 [1]. [1] 0227f76 |
|
Ah, looks like I should have read the original issue. I'm always a big fan of the commit message including all of that info. |
|
Anything missing here or are we good? |
|
an approving review (from somebody competent in SELinux / RHEL) |
It makes sure it's idempotent on RHEL based, needs an increase in systemd dependency to a minimum
versions of 2.10.0 to include the changes there.
Fixes: #836