diff --git a/.gitignore b/.gitignore
index 6073b13..23e2df1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 SOURCES/kdump-0.1.tar.gz
-SOURCES/network-b9b6f0a.tar.gz
+SOURCES/network-b856c74.tar.gz
 SOURCES/postfix-0.1.tar.gz
-SOURCES/selinux-0.1.tar.gz
+SOURCES/selinux-ebcb133.tar.gz
 SOURCES/timesync-0.1.tar.gz
diff --git a/.rhel-system-roles.metadata b/.rhel-system-roles.metadata
index 9bed809..95a6e71 100644
--- a/.rhel-system-roles.metadata
+++ b/.rhel-system-roles.metadata
@@ -1,5 +1,5 @@
 f565f627f199d146cda3404de5b65c5f50e3702a SOURCES/kdump-0.1.tar.gz
-3433e21c82dbe0bf1c4a334a98625cc682b4101b SOURCES/network-b9b6f0a.tar.gz
+ea5db7725d436ebee7c99fdbf13b161803ec5665 SOURCES/network-b856c74.tar.gz
 66c82331f4ac9598c506c3999965b4d07dbfe49d SOURCES/postfix-0.1.tar.gz
-b25009fdba1af0c1eec922df01f38d85ffb401f9 SOURCES/selinux-0.1.tar.gz
+41775f2004b421140cf6deb0f28284be21e7bdfa SOURCES/selinux-ebcb133.tar.gz
 47b5287fbbf4e268414d28d503fe9be8b72c7747 SOURCES/timesync-0.1.tar.gz
diff --git a/SOURCES/fix-selinux-disabled-pr2.diff b/SOURCES/fix-selinux-disabled-pr2.diff
deleted file mode 100644
index 9838261..0000000
--- a/SOURCES/fix-selinux-disabled-pr2.diff
+++ /dev/null
@@ -1,117 +0,0 @@ -diff --git a/tasks/main.yml b/tasks/main.yml -index e10b2f2..7d7479d 100644 ---- a/tasks/main.yml -+++ b/tasks/main.yml -@@ -14,9 +14,6 @@ - state: present - when: ansible_distribution == "Fedora" - --- name: Drop all local modifications first -- shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i - -- - - name: Set permanent SELinux mode - selinux: policy={{ SELinux_type }} state={{ SELinux_mode }} - when: SELinux_mode is defined -@@ -25,6 +22,13 @@ - command: /usr/sbin/setenforce {{ SELinux_mode }} - when: SELinux_mode is defined and SELinux_change_running is defined - -+- name: Drop all local modifications -+ shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i - -+ -+- name: Reload SELinux policy -+ command: semodule -R -+ when: ansible_selinux.status != "disabled" -+ - - name: Set SELinux booleans - seboolean: - name: "{{ item.name }}" -diff --git a/test/selinux.config b/test/selinux.config -new file mode 100644 -index 0000000..a520b96 ---- /dev/null -+++ b/test/selinux.config -@@ -0,0 +1,14 @@ -+ -+# This file controls the state of SELinux on the system. -+# SELINUX= can take one of these three values: -+# enforcing - SELinux security policy is enforced. -+# permissive - SELinux prints warnings instead of enforcing. -+# disabled - No SELinux policy is loaded. -+SELINUX=disabled -+# SELINUXTYPE= can take one of these three values: -+# targeted - Targeted processes are protected, -+# minimum - Modification of targeted policy. Only selected processes are protected. -+# mls - Multi Level Security protection. 
-+SELINUXTYPE=targeted -+ -+ -diff --git a/test/test_selinux_disabled.yml b/test/test_selinux_disabled.yml -new file mode 100644 -index 0000000..b13bfef ---- /dev/null -+++ b/test/test_selinux_disabled.yml -@@ -0,0 +1,48 @@ -+ -+- name: Ensure the default is targeted, enforcing, without local modifications -+ hosts: all -+ become: true -+ vars: -+ SELinux_type: targeted -+ SELinux_mode: enforcing -+ -+ pre_tasks: -+ - name: Backup original /etc/selinux/config -+ copy: -+ remote_src: true -+ src: /etc/selinux/config -+ dest: /etc/selinux/config.test_selinux_disabled -+ - name: Upload testing /etc/selinux/config -+ copy: -+ src: selinux.config -+ dest: /etc/selinux/config -+ - name: Switch to permissive to allow login when selinuxfs is not mounted -+ command: setenforce 0 -+ when: ansible_selinux.status != "disabled" -+ - name: Get selinuxfs mountpoint -+ shell: findmnt -n -t selinuxfs --output=target -+ register: selinux_mountpoint -+ - name: Umount {{ selinux_mountpoint.stdout }} to emulate SELinux disabled system -+ command: umount {{ selinux_mountpoint.stdout }} -+ -+ roles: -+ - selinux -+ -+ tasks: -+ - name: Mount {{ selinux_mountpoint.stdout }} back to system -+ command: mount -t selinuxfs selinuxfs {{ selinux_mountpoint.stdout }} -+ - name: Switch back to enforcing -+ command: setenforce 1 -+ - name: Gather facts again -+ setup: -+ - name: Check SELinux config mode -+ assert: -+ that: "{{ ansible_selinux.config_mode == 'enforcing' }}" -+ mgs: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}" -+ - name: Restore original /etc/selinux/config -+ copy: -+ remote_src: true -+ dest: /etc/selinux/config -+ src: /etc/selinux/config.test_selinux_disabled -+ - name: Remove /etc/selinux/config backup -+ command: rm /etc/selinux/config.test_selinux_disabled -diff --git a/vars/main.yml b/vars/main.yml -index 74ae42f..4dcb80d 100644 ---- a/vars/main.yml -+++ b/vars/main.yml -@@ -1,6 +1,6 @@ - --- - drop_local_modifications: | -- boolean 
-D -- login -D -- port -D -- fcontext -D -+ boolean -D -N -+ login -D -N -+ port -D -N -+ fcontext -D -N diff --git a/SOURCES/rhel-system-roles-network-prefix.diff b/SOURCES/rhel-system-roles-network-prefix.diff index 8964fea..d2a22dc 100644 --- a/SOURCES/rhel-system-roles-network-prefix.diff +++ b/SOURCES/rhel-system-roles-network-prefix.diff @@ -43,7 +43,7 @@ index ca1db67..1054e70 100644 --- a/examples/infiniband.yml +++ b/examples/infiniband.yml @@ -21,4 +21,4 @@ - - 10.0.0.5/30 + - 198.51.100.133/30 roles: - - network diff --git a/SPECS/rhel-system-roles.spec b/SPECS/rhel-system-roles.spec index 76fcd69..9701f96 100644 --- a/SPECS/rhel-system-roles.spec +++ b/SPECS/rhel-system-roles.spec @@ -1,6 +1,6 @@ Name: rhel-system-roles Summary: Set of interfaces for unified system management -Version: 0.4 +Version: 0.5 Release: 1%{?dist} #Group: Development/Libraries @@ -18,17 +18,17 @@ License: GPLv3+ and MIT and BSD %global rolename1 postfix %global version1 0.1 -%global commit2 1e4a21f929455e5e76dda0b12867abaa63795ae7 +%global commit2 ebcb133649fb5aba5bf0b7a64f2db2b90aadda1b %global shortcommit2 %(c=%{commit2}; echo ${c:0:7}) %global rolename2 selinux -%global version2 0.1 +#%%global version2 0.1 %global commit3 33a1a8c349de10d6281ed83d4c791e9177d7a141 %global shortcommit3 %(c=%{commit3}; echo ${c:0:7}) %global rolename3 timesync %global version3 0.1 -%global commit5 b9b6f0a7969e400d8d6ba0ac97f69593aa1e8fa5 +%global commit5 b856c7481bf5274d419f71fb62029ea0044b3ec1 %global shortcommit5 %(c=%{commit5}; echo ${c:0:7}) %global rolename5 network #%%global version5 0.2 
@@ -36,7 +36,7 @@ License: GPLv3+ and MIT and BSD Source: https://github.com/linux-system-roles/%{rolename0}/archive/%{version0}.tar.gz#/%{rolename0}-%{version0}.tar.gz Source1: https://github.com/linux-system-roles/%{rolename1}/archive/%{version1}.tar.gz#/%{rolename1}-%{version1}.tar.gz -Source2: https://github.com/linux-system-roles/%{rolename2}/archive/%{version2}.tar.gz#/%{rolename2}-%{version2}.tar.gz +Source2: https://github.com/linux-system-roles/%{rolename2}/archive/%{commit2}.tar.gz#/%{rolename2}-%{shortcommit2}.tar.gz Source3: https://github.com/linux-system-roles/%{rolename3}/archive/%{version3}.tar.gz#/%{rolename3}-%{version3}.tar.gz Source5: https://github.com/linux-system-roles/%{rolename5}/archive/%{commit5}.tar.gz#/%{rolename5}-%{shortcommit5}.tar.gz @@ -48,8 +48,6 @@ Patch2: rhel-system-roles-%{rolename2}-prefix.diff Patch3: rhel-system-roles-%{rolename3}-prefix.diff Patch5: rhel-system-roles-%{rolename5}-prefix.diff -Patch21: fix-selinux-disabled-pr2.diff - Url: https://github.com/linux-system-roles/ BuildArch: noarch @@ -66,9 +64,8 @@ using Ansible. cd %{rolename1}-%{version1} %patch1 -p1 cd .. -cd %{rolename2}-%{version2} +cd %{rolename2}-%{commit2} %patch2 -p1 -%patch21 -p1 cd .. cd %{rolename3}-%{version3} %patch3 -p1 @@ -84,7 +81,7 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles cp -pR %{rolename0}-%{version0} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename0} cp -pR %{rolename1}-%{version1} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename1} -cp -pR %{rolename2}-%{version2} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename2} +cp -pR %{rolename2}-%{commit2} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename2} cp -pR %{rolename3}-%{version3} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename3} cp -pR %{rolename5}-%{commit5} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename5} 
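Review bot: The `cp -pR %{rolename2}-%{commit2} ...` line in the @@ -84,7 +81,7 @@ hunk copies the whole upstream selinux tree into the installed role directory, so anything the snapshot carries beyond the role itself is packaged too. The patch this commit drops added `test/selinux.config` (which sets `SELINUX=disabled`) and a test playbook that overwrites `/etc/selinux/config` and unmounts selinuxfs; if commit ebcb133 contains those files, as the changelog entry suggests, they ship on every host that installs the RPM. Consider pruning them after the copy, e.g. `rm -r $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}%{rolename2}/test`, or confirm that %files excludes them. The rest of %install and %files lies outside this hunk, so an existing cleanup may already cover it.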
@@ -171,6 +168,13 @@ rmdir $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolecompatprefix}network/exampl %license %{_datadir}/ansible/roles/%{rolecompatprefix}network/COPYING %changelog +* Tue Oct 03 2017 Pavel Cahyna - 0.5-1 +- SELinux: fix policy reload when SELinux is disabled on CentOS/RHEL 6 + (bz#1493574) +- network: update to b856c7481bf5274d419f71fb62029ea0044b3ec1 : + makes the network role idempotent (bz#1476053) and fixes manual + network provider selection (bz#1485074). + * Mon Aug 28 2017 Pavel Cahyna - 0.4-1 - network: update to b9b6f0a7969e400d8d6ba0ac97f69593aa1e8fa5: ensure that state:absent followed by state:up works (bz#1478910), and change