From 99ad87babd43c95dc2787ba7e0301b3d2b650ab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 10 Mar 2020 13:44:23 +0100
Subject: [PATCH 1/3] Fix description of sysctl rules.
As there is no way to make the project aware of sysctl parameter defaults
in the Linux upstream kernel or in specific Linux distributions,
the parameter has to be explicitly specified in a config file.
---
shared/macros.jinja | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 8a25acc937..ce27536dc2 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -602,8 +602,8 @@ ocil_clause: "the correct value is not returned"
run the following command:
<pre>$ sudo sysctl -w {{{ sysctl }}}={{{ value }}}</pre>
- If this is not the system default value, add the following line to a file in the
- directory <tt>/etc/sysctl.d</tt>:
+ To make sure that the setting is persistent,
+ add the following line to a file in the directory <tt>/etc/sysctl.d</tt>:
<pre>{{{ sysctl }}} = {{{ value }}}</pre>
{{%- endmacro %}}
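Review bot: the replacement wording at the `+` lines claims that adding the line to "a file in the directory /etc/sysctl.d" makes the setting persistent, but it does not tell the reader to remove any other assignment of the same parameter; the OCIL text introduced in the second patch of this series requires exactly one assignment across /etc/sysctl.conf and /etc/sysctl.d, so the remediation text here should ask for the same, otherwise a reader who follows this description verbatim can still fail the check. Suggested wording: "To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>, and remove any other assignment of <tt>{{{ sysctl }}}</tt> from <tt>/etc/sysctl.conf</tt> and from files in <tt>/etc/sysctl.d</tt>:".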
From 5bffa9dc3d62f67364abb034b7da877935156764 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 11 Mar 2020 16:14:13 +0100
Subject: [PATCH 2/3] Improved the OCIL entry for sysctl rules.
---
shared/macros.jinja | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index ce27536dc2..f81dbc7de6 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -577,15 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled"
{{% macro ocil_sysctl_option_value(sysctl, value) -%}}
- The status of the <code>{{{ sysctl }}}</code> kernel parameter can be queried
- by running the following command:
- <pre>$ sysctl {{{ sysctl }}}</pre>
- The output of the command should indicate a value of <code>{{{ value }}}</code>.
- If this value is not the default value, investigate how it could have been
- adjusted at runtime, and verify it is not set improperly. This has to be checked
- in all files in the <tt>/etc/sysctl.d</tt> directory and the deprecated
- <code>/etc/sysctl.conf</code>. You can verify this by running the following command:
+ The persistent kernel parameter configuration is performed by specifying the appropriate
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+ Verify that there is not any existing incorrect configuration by executing the following command:
+ <pre>$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+ If any other assignments that
+ <pre>{{{ sysctl }}} = {{{ value }}}</pre>
+ are found, or the correct assignment is duplicated, remove those offending lines from respective files,
+ and make sure that exactly one file in
+ <code>/etc/sysctl.d</code> contains <code>{{{ sysctl }}} = {{{ value }}}</code>, and that one assignment
+ is returned when
<pre>$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d</pre>
+ is executed.
{{%- endmacro %}}
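Review bot: the two grep commands in this hunk check different things. The first one, `grep -r '^\s*{{{ sysctl }}}\s*='`, is anchored to an assignment, but the final one at the end of the hunk, `grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d`, is unanchored, so a commented-out line or a longer parameter name that merely starts with the same string is also counted, and the "one assignment is returned" condition fails on a compliant system. Suggest reusing the anchored pattern in the second command, or dropping the second command and stating that the first must return exactly one line. Separately, `<pre>/etc/sysctl.d</pre>` in the first added sentence puts a block element inline; the same path is written as `<code>/etc/sysctl.d</code>` a few lines further down, so use `<code>` in both places.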
From 5b5edc64773be690e4046dc88de9407d7c470702 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 12 Mar 2020 15:27:26 +0100
Subject: [PATCH 3/3] Improved the text based on the reviewer feedback.
---
shared/macros.jinja | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index f81dbc7de6..edbaeeb56c 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -577,11 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled"
{{% macro ocil_sysctl_option_value(sysctl, value) -%}}
+ The runtime status of the <code>{{{ sysctl }}}</code> kernel parameter can be queried
+ by running the following command:
+ <pre>$ sysctl {{{ sysctl }}}</pre>
+ The output of the command should indicate a value of <code>{{{ value }}}</code>.
+ The preferable way how to assure the runtime compliance is to have
+ correct persistent configuration, and rebooting the system.
+
The persistent kernel parameter configuration is performed by specifying the appropriate
assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
Verify that there is not any existing incorrect configuration by executing the following command:
<pre>$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
- If any other assignments that
+ If any assignments other than
<pre>{{{ sysctl }}} = {{{ value }}}</pre>
are found, or the correct assignment is duplicated, remove those offending lines from respective files,
and make sure that exactly one file in
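Review bot: the added sentence "The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system." is ungrammatical for user-facing OCIL text; suggest "The preferred way to ensure runtime compliance is to have the correct persistent configuration in place and to reboot the system." The paragraph should also say what the reader is expected to do when the queried runtime value does not match, for instance that `sudo sysctl -w {{{ sysctl }}}={{{ value }}}` (the command given in the remediation text of the first patch) applies the value immediately; as written, a reboot is the only option offered. The unchanged context line `assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.` still carries the inline `<pre>` from the previous patch; since this patch already edits the same macro, change it to `<code>` here.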