authorFabien Boucher <fboucher@redhat.com>2020-03-13 17:58:33 +0100
committerFabien Boucher <fboucher@redhat.com>2020-03-13 17:58:37 +0100
commitddfa534518a31d146517e8bbeee0e3b06f0550bc (patch)
treed5aa4076b135ab8f368c7c1bf9b9d2dfd2f7f7e0
parent5952ce06eba051ff1f6b47793b848f13a8b9ad55 (diff)
Add selinux_mode and set fedora-rawhide image selinux permissive
Could be reset to enforcing when https://bugzilla.redhat.com/show_bug.cgi?id=1813388 is fixed. Change-Id: Ie8dc7c28634f2ce9f762d27f0e20a5202c00be96
-rw-r--r--nodepool/virt_images/cloud-fedora-rawhide.yaml2
-rw-r--r--nodepool/virt_images/roles/base/defaults/main.yaml1
-rw-r--r--nodepool/virt_images/roles/base/tasks/main.yaml1
3 files changed, 4 insertions, 0 deletions
diff --git a/nodepool/virt_images/cloud-fedora-rawhide.yaml b/nodepool/virt_images/cloud-fedora-rawhide.yaml
index 9ec9b656..46aae3d5 100644
--- a/nodepool/virt_images/cloud-fedora-rawhide.yaml
+++ b/nodepool/virt_images/cloud-fedora-rawhide.yaml
@@ -4,6 +4,8 @@
vars:
image: Fedora-Cloud-Base-Rawhide.x86_64.qcow2
memsize: 1024
+ # TODO: Remove permissive when fixed https://bugzilla.redhat.com/show_bug.cgi?id=1813388
+ selinux_mode: permissive
extra_packages:
# Extra system tools
- pigz
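Review bot: The new `selinux_mode: permissive` override weakens SELinux on the built rawhide image, and the TODO above it does not say what reverting involves. Since the role default added in this commit is `enforcing`, the comment could read `# Temporary: SELinux permissive because of rhbz#1813388; delete this line to return to the role default (enforcing).` The `vars:` block continues outside the hunk.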
diff --git a/nodepool/virt_images/roles/base/defaults/main.yaml b/nodepool/virt_images/roles/base/defaults/main.yaml
index 376b2060..953718e2 100644
--- a/nodepool/virt_images/roles/base/defaults/main.yaml
+++ b/nodepool/virt_images/roles/base/defaults/main.yaml
@@ -2,6 +2,7 @@
image_cache_dir: "/var/cache/nodepool"
image_wipe_cache: False
memsize: 2048
+selinux_mode: enforcing
base_packages:
- traceroute
- iproute
diff --git a/nodepool/virt_images/roles/base/tasks/main.yaml b/nodepool/virt_images/roles/base/tasks/main.yaml
index 966dfaf4..49224fba 100644
--- a/nodepool/virt_images/roles/base/tasks/main.yaml
+++ b/nodepool/virt_images/roles/base/tasks/main.yaml
@@ -74,3 +74,4 @@
- "virt-customize -m {{ memsize }} -a {{ image_file }}"
- "--selinux-relabel"
- "--install '{{ base_packages | join(',') }}'"
+ - "--run-command 'sed -e s/^SELINUX=.*/SELINUX={{ selinux_mode | default(enforcing) }}/ -i /etc/selinux/config'"
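Review bot: In the added `--run-command` line, `default(enforcing)` passes `enforcing` as a Jinja2 variable name rather than a string, so the fallback would not resolve to the word "enforcing" if `selinux_mode` were ever undefined. Write `{{ selinux_mode | default('enforcing') }}`, or drop the filter, since the role defaults in this commit already set the value. The value is also substituted unchecked into the sed expression that rewrites `/etc/selinux/config`, so a typo in an override would leave an invalid `SELINUX=` line in the image. An `assert` task checking `selinux_mode in ['enforcing', 'permissive', 'disabled']` before the virt-customize command would catch that at build time. The task that owns this argument list starts outside the hunk.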