From 5eebab3fc1973fdc4f2bc57ca0c7ac904bac249e Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Mon, 2 Nov 2020 10:49:22 +0100 Subject: [PATCH] Force SELinux to be in permissive mode The Fedora based ramdisk is outright broken with SELinux enforcing. TripleO actually ships its ramdisks with selinux-permissive, let's do the same. Change-Id: Icfec4b8109a0ddefeb0f200c3fd1f1e2de104839 --- dib/ironic-python-agent-ramdisk/element-deps | 1 + doc/source/admin/dib.rst | 3 +-- releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml diff --git a/dib/ironic-python-agent-ramdisk/element-deps b/dib/ironic-python-agent-ramdisk/element-deps index 0f0d86e..28e5a3c 100644 --- a/dib/ironic-python-agent-ramdisk/element-deps +++ b/dib/ironic-python-agent-ramdisk/element-deps @@ -6,5 +6,6 @@ package-installs pip-and-virtualenv pkg-map runtime-ssh-host-keys +selinux-permissive source-repositories svc-map diff --git a/doc/source/admin/dib.rst b/doc/source/admin/dib.rst index 3a6b6e6..abfab8d 100644 --- a/doc/source/admin/dib.rst +++ b/doc/source/admin/dib.rst @@ -123,8 +123,7 @@ The *dynamic-login* element allows the operator to inject an SSH key at boot time via the kernel command line parameters: * Add ``sshkey="ssh-rsa "`` to ``pxe_append_params`` - setting in the ``ironic.conf`` file. Disabling SELinux is required for - systems where it is enabled, it can be done with ``selinux=0``. + setting in the ``ironic.conf`` file. .. warning:: Quotation marks around the public key are important! diff --git a/releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml b/releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml new file mode 100644 index 0000000..1c963be --- /dev/null +++ b/releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml 
@@ -0,0 +1,6 @@ +--- +fixes: + - | + The DIB-based ramdisk is now always built with SELinux set to permissive. + Enabling SELinux may result in broken ramdisks and does not make much + sense for IPA anyway.
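Review bot: In dib/ironic-python-agent-ramdisk/element-deps, the added `selinux-permissive` dependency is unconditional, so every ramdisk built from this element loses SELinux enforcement, while the commit message identifies only the Fedora based ramdisk as broken. If the other supported distributions work with enforcing, consider scoping the change to the affected one. Otherwise, say in the commit message why it applies to all builds, and reference the bug describing the breakage so the decision can be revisited once the policy problem is fixed.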
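Review bot: In doc/source/admin/dib.rst, the hunk at line 123 drops the `selinux=0` instruction without putting anything in its place, so the *dynamic-login* section no longer tells the operator what SELinux state the ramdisk is in. Ramdisks built before this change still need that parameter. Suggest keeping one sentence saying that images built with this element now run SELinux in permissive mode and that older images still require `selinux=0`. This section covers injecting an SSH key through the kernel command line, so the reader should be able to see here that the login path runs without SELinux enforcement.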
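Review bot: In releasenotes/notes/selinux-permissive-a059f42bb66373a1.yaml, the change is recorded only under `fixes:`, although it lowers the security posture of every built ramdisk. Suggest adding a `security:` or `upgrade:` entry so that operators who relied on enforcing mode see it when upgrading. The wording "Enabling SELinux may result in broken ramdisks" is also imprecise: permissive mode leaves SELinux enabled, and the commit message names enforcing mode as the problem, so "Running SELinux in enforcing mode" would match it. The claim that SELinux "does not make much sense for IPA anyway" is given without a reason; either state the reason or drop the clause.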