Disable selinux defaults enforcement in File/Concat resources

Last selinux-policy in CentOS Stream adds patch for [1] which modifies default context for symlinks under /etc/httpd. That's breaking idempotency for files created with File/Concat resources under that directory because of [2]. This patch is disabling default selinux context enforcement for all File/Concat resources until we have a fix for [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1900650 [2] https://tickets.puppetlabs.com/browse/PUP-7559 Change-Id: Ic92889cc480c316df9454186ffadf3a77fd8ed26
2021-01-08 17:24:24 +01:00 · 2021-01-08 17:24:24 +01:00 · 0f00dde757
commit 0f00dde757
parent 01f74c0ba5
4 changed files with 28 additions and 0 deletions
--- a/fixtures/scenario001.pp
+++ b/fixtures/scenario001.pp
@ -22,6 +22,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
  $ssl = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
  'Debian': {
    $ipv6                    = false
--- a/fixtures/scenario002.pp
+++ b/fixtures/scenario002.pp
@ -22,6 +22,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
  $ssl = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
  'Debian': {
    $ipv6             = false
--- a/fixtures/scenario003.pp
+++ b/fixtures/scenario003.pp
@ -22,6 +22,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
  $ssl = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 case $::osfamily {
  'Debian': {
    $ipv6            = false
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@ -22,6 +22,13 @@ if ($::os['name'] == 'Ubuntu') or ($::os['name'] == 'Fedora') or
  $ssl = true
 }

+if $::osfamily == 'RedHat' {
+  # (amoralej) - disable selinux defaults until
+  # https://tickets.puppetlabs.com/browse/PUP-7559 is fixed
+  Concat { selinux_ignore_defaults => true }
+  File { selinux_ignore_defaults => true }
+}
+
 if $::operatingsystem == 'Ubuntu' {
  $ipv6                = false
  # Watcher packages are not available in Ubuntu repository.