|
 |
dac76a |
From 99ad87babd43c95dc2787ba7e0301b3d2b650ab9 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
dac76a |
Date: Tue, 10 Mar 2020 13:44:23 +0100
|
|
|
dac76a |
Subject: [PATCH 1/3] Fix description of sysctl rules.
|
|
|
dac76a |
|
|
|
dac76a |
As there is no way how to make the project aware of sysctl parameter defaults
|
|
|
dac76a |
in Linux upstream kernel or in specific Linux distributions,
|
|
|
dac76a |
the parameter has to be explicitly specified in a config file.
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/macros.jinja | 4 ++--
|
|
|
dac76a |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
|
|
dac76a |
index 8a25acc937..ce27536dc2 100644
|
|
|
dac76a |
--- a/shared/macros.jinja
|
|
|
dac76a |
+++ b/shared/macros.jinja
|
|
|
dac76a |
@@ -602,8 +602,8 @@ ocil_clause: "the correct value is not returned"
|
|
|
dac76a |
run the following command:
|
|
|
dac76a |
$ sudo sysctl -w {{{ sysctl }}}={{{ value }}}
|
|
|
dac76a |
|
|
|
dac76a |
- If this is not the system default value, add the following line to a file in the
|
|
|
dac76a |
- directory <tt>/etc/sysctl.d</tt>:
|
|
|
dac76a |
+ To make sure that the setting is persistent,
|
|
|
dac76a |
+ add the following line to a file in the directory <tt>/etc/sysctl.d</tt>:
|
|
|
dac76a |
{{{ sysctl }}} = {{{ value }}}
|
|
|
dac76a |
{{%- endmacro %}}
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
From 5bffa9dc3d62f67364abb034b7da877935156764 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
dac76a |
Date: Wed, 11 Mar 2020 16:14:13 +0100
|
|
|
dac76a |
Subject: [PATCH 2/3] Improved the OCIL entry for sysctl rules.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/macros.jinja | 19 +++++++++++--------
|
|
|
dac76a |
1 file changed, 11 insertions(+), 8 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
|
|
dac76a |
index ce27536dc2..f81dbc7de6 100644
|
|
|
dac76a |
--- a/shared/macros.jinja
|
|
|
dac76a |
+++ b/shared/macros.jinja
|
|
|
dac76a |
@@ -577,15 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled"
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
{{% macro ocil_sysctl_option_value(sysctl, value) -%}}
|
|
|
dac76a |
- The status of the {{{ sysctl }}} kernel parameter can be queried
|
|
|
dac76a |
- by running the following command:
|
|
|
dac76a |
- $ sysctl {{{ sysctl }}}
|
|
|
dac76a |
- The output of the command should indicate a value of {{{ value }}}.
|
|
|
dac76a |
- If this value is not the default value, investigate how it could have been
|
|
|
dac76a |
- adjusted at runtime, and verify it is not set improperly. This has to be checked
|
|
|
dac76a |
- in all files in the <tt>/etc/sysctl.d</tt> directory and the deprecated
|
|
|
dac76a |
- /etc/sysctl.conf. You can verify this by running the following command:
|
|
|
dac76a |
+ The persistent kernel parameter configuration is performed by specifying the appropriate
|
|
|
dac76a |
+ assignment in any file located in the /etc/sysctl.d directory.
|
|
|
dac76a |
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
|
|
dac76a |
+ $ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
|
|
|
dac76a |
+ If any other assignments that
|
|
|
dac76a |
+ {{{ sysctl }}} = {{{ value }}}
|
|
|
dac76a |
+ are found, or the correct assignment is duplicated, remove those offending lines from respective files,
|
|
|
dac76a |
+ and make sure that exactly one file in
|
|
|
dac76a |
+ /etc/sysctl.d contains {{{ sysctl }}} = {{{ value }}}, and that one assignment
|
|
|
dac76a |
+ is returned when
|
|
|
dac76a |
$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d
|
|
|
dac76a |
+ is executed.
|
|
|
dac76a |
{{%- endmacro %}}
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
From 5b5edc64773be690e4046dc88de9407d7c470702 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
dac76a |
Date: Thu, 12 Mar 2020 15:27:26 +0100
|
|
|
dac76a |
Subject: [PATCH 3/3] Improved the text based on the reviewer feedback.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/macros.jinja | 9 ++++++++-
|
|
|
dac76a |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
|
|
dac76a |
index f81dbc7de6..edbaeeb56c 100644
|
|
|
dac76a |
--- a/shared/macros.jinja
|
|
|
dac76a |
+++ b/shared/macros.jinja
|
|
|
dac76a |
@@ -577,11 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled"
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
{{% macro ocil_sysctl_option_value(sysctl, value) -%}}
|
|
|
dac76a |
+ The runtime status of the {{{ sysctl }}} kernel parameter can be queried
|
|
|
dac76a |
+ by running the following command:
|
|
|
dac76a |
+ $ sysctl {{{ sysctl }}}
|
|
|
dac76a |
+ The output of the command should indicate a value of {{{ value }}}.
|
|
|
dac76a |
+ The preferable way how to assure the runtime compliance is to have
|
|
|
dac76a |
+ correct persistent configuration, and rebooting the system.
|
|
|
dac76a |
+
|
|
|
dac76a |
The persistent kernel parameter configuration is performed by specifying the appropriate
|
|
|
dac76a |
assignment in any file located in the /etc/sysctl.d directory.
|
|
|
dac76a |
Verify that there is not any existing incorrect configuration by executing the following command:
|
|
|
dac76a |
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
|
|
|
dac76a |
- If any other assignments that
|
|
|
dac76a |
+ If any assignments other than
|
|
|
dac76a |
{{{ sysctl }}} = {{{ value }}}
|
|
|
dac76a |
are found, or the correct assignment is duplicated, remove those offending lines from respective files,
|
|
|
dac76a |
and make sure that exactly one file in
|