Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-15871

fix: Use `ignore_selinux_state` module option

    • rhel-system-roles-1.23.0-2.1.el8
    • None
    • None
    • rhel-sst-system-roles
    • 11
    • 16
    • None
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • None
    • Enhancement
    • Hide
      .`selinux` role now supports configuring SELinux in disabled mode

      With this update, the `selinux` RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
      Show
      .`selinux` role now supports configuring SELinux in disabled mode With this update, the `selinux` RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you enable SELinux to permissive or enforcing mode on a system.
    • Done
    • None

      It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing. The only requirement is that targeted SELinux policy (or a policy configured in /etc/selinux/config) needs to be installed.

      Fixes: https://github.com/linux-system-roles/selinux/issues/188

      Note that boolean settings doesn't work work even with `ignore_selinux_state=true` - it's a bug in seboolean module which uses `selinux.security_get_boolean_names()` instead of `seobject` API from semanage.

      Enhancement: SELinux ports, fcontexts, booleans mappings can be configured on nodes with SELinux disabled.

      Reason: It should be possible to configure SELinux - ports, fcontexts, booleans - on nodes with SELinux disabled before they're switch to permissive/enforcing.

      Result: It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing.

      Issue Tracker Tickets (Jira or BZ if any):

              rmeggins@redhat.com Richard Megginson
              rmeggins@redhat.com Richard Megginson
              Richard Megginson Richard Megginson
              David Jez David Jez
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: