From 5bb482aa6dcc826839ab8d81163109565bb45b77 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Wed, 3 Jun 2020 11:24:03 +0200
Subject: [PATCH] Feature: Make selboolean management optional
---
 manifests/config.pp | 1 +
 manifests/config/apache.pp | 6 +++-
 manifests/init.pp | 3 ++
 spec/classes/foreman_config_apache_spec.rb | 38 ++++++++++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 01096128f..9d6805e2e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -144,6 +144,7 @@
 keycloak => $foreman::keycloak,
 keycloak_app_name => $foreman::keycloak_app_name,
 keycloak_realm => $foreman::keycloak_realm,
+ manage_selinux_booleans => $foreman::manage_selinux_booleans,
 }
 contain foreman::config::apache
diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
index cbcc72933..a127961fd 100644
--- a/manifests/config/apache.pp
+++ b/manifests/config/apache.pp
@@ -98,6 +98,9 @@
 # @param keycloak_realm
 # The realm as passed to keycloak-httpd-client-install
 #
+# @param manage_selinux_booleans
+# If true AND selinux is enabled on the node, set httpd_can_network_connect so apache works properly
+#
 class foreman::config::apache(
 Stdlib::Absolutepath $app_root = '/usr/share/foreman',
 String $priority = '05',
@@ -131,6 +134,7 @@
 Boolean $keycloak = false,
 String[1] $keycloak_app_name = 'foreman-openidc',
 String[1] $keycloak_realm = 'ssl-realm',
+ Boolean $manage_selinux_booleans = true,
 ) {
 $docroot = "${app_root}/public"
@@ -232,7 +236,7 @@
 ],
 }
- if $facts['os']['selinux']['enabled'] {
+ if $facts['os']['selinux']['enabled'] and $manage_selinux_booleans {
 selboolean { 'httpd_can_network_connect':
 persistent => true,
 value => 'on',
diff --git a/manifests/init.pp b/manifests/init.pp
index 9732a7119..e08e75edf 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
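Review bot: The new `and $manage_selinux_booleans` guard in manifests/config/apache.pp only stops declaring the `selboolean` resource; it does not switch `httpd_can_network_connect` back off, and because the resource sets `persistent => true`, a host that already applied the old catalog presumably keeps the boolean on. The `@param manage_selinux_booleans` text added in the same file describes only the true case. I would extend it with a line such as `# If false, the boolean is left unmanaged: a value set by an earlier run stays in place, and on an SELinux-enabled node the operator must supply the policy Apache needs.` The class body continues outside these hunks.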
@@ -199,6 +199,8 @@
 #
 # $rails_cache_store:: Set rails cache store
 #
+# $manage_selinux_booleans:: If true AND selinux is enabled on the node, set httpd_can_network_connect so apache works properly
+#
 # === Keycloak parameters:
 #
 # $keycloak:: Enable Keycloak support. Note this is limited
@@ -308,6 +310,7 @@
 Boolean $keycloak = $foreman::params::keycloak,
 String[1] $keycloak_app_name = $foreman::params::keycloak_app_name,
 String[1] $keycloak_realm = $foreman::params::keycloak_realm,
+ Boolean $manage_selinux_booleans = true,
 ) inherits foreman::params {
 if $db_sslmode == 'UNSET' and $db_root_cert {
 $db_sslmode_real = 'verify-full'
diff --git a/spec/classes/foreman_config_apache_spec.rb b/spec/classes/foreman_config_apache_spec.rb
index 4301e9280..3ad08502b 100644
--- a/spec/classes/foreman_config_apache_spec.rb
+++ b/spec/classes/foreman_config_apache_spec.rb
@@ -15,6 +15,44 @@
 end
 end
+ describe 'without manage_selinux_booleans', if: facts[:os]['family'] == 'RedHat' do
+ let :facts do
+ override_facts(super(), os: {'selinux' => {'enabled' => true}})
+ end
+
+ it 'should contain the selinux resource' do
+ should contain_selboolean('httpd_can_network_connect')
+ end
+ end
+
+ describe 'with manage_selinux_booleans to true', if: facts[:os]['family'] == 'RedHat' do
+ let :params do
+ super().merge(
+ manage_selinux_booleans: true
+ )
+ end
+
+ let :facts do
+ override_facts(super(), os: {'selinux' => {'enabled' => true}})
+ end
+
+ it 'should contain the selinux resource' do
+ should contain_selboolean('httpd_can_network_connect')
+ end
+ end
+
+ describe 'with manage_selinux_booleans to false', if: facts[:os]['family'] == 'RedHat' do
+ let :params do
+ super().merge(
+ manage_selinux_booleans: false
+ )
+ end
+
+ it 'should not contain the selinux resource' do
+ should_not contain_selboolean('httpd_can_network_connect')
+ end
+ end
+
 describe 'with passenger' do
 let(:params) do
 super().merge(
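Review bot: The 'with manage_selinux_booleans to false' context in spec/classes/foreman_config_apache_spec.rb never sets the selinux fact, unlike the two contexts before it, so `should_not contain_selboolean('httpd_can_network_connect')` may pass only because the fact set reports SELinux as disabled, not because the parameter gates the resource. Add the same override to that context: `let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => true}}) }`. The first context's title, 'without manage_selinux_booleans', also reads as if the feature were off although it exercises the default of true; 'with default manage_selinux_booleans' would describe it better. The enclosing describe block starts and ends outside the hunk.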