Feature: Make selboolean management optional

manifests/config.pp

@@ -144,6 +144,7 @@
       keycloak                => $foreman::keycloak,
       keycloak_app_name       => $foreman::keycloak_app_name,
       keycloak_realm          => $foreman::keycloak_realm,
+      manage_selinux_booleans => $foreman::manage_selinux_booleans,
     }
 
     contain foreman::config::apache

manifests/config/apache.pp

@@ -98,6 +98,9 @@
 # @param keycloak_realm
 #   The realm as passed to keycloak-httpd-client-install
 #
+# @param manage_selinux_booleans
+#   If true AND selinux is enabled on the node, set httpd_can_network_connect so apache works properly
+#
 class foreman::config::apache(
   Stdlib::Absolutepath $app_root = '/usr/share/foreman',
   String $priority = '05',
@@ -131,6 +134,7 @@
   Boolean $keycloak = false,
   String[1] $keycloak_app_name = 'foreman-openidc',
   String[1] $keycloak_realm = 'ssl-realm',
+  Boolean $manage_selinux_booleans = true,
 ) {
   $docroot = "${app_root}/public"
 
@@ -232,7 +236,7 @@
       ],
     }
 
-    if $facts['os']['selinux']['enabled'] {
+    if $facts['os']['selinux']['enabled'] and $manage_selinux_booleans {
       selboolean { 'httpd_can_network_connect':
         persistent => true,
         value      => 'on',

manifests/init.pp

@@ -199,6 +199,8 @@
 #
 # $rails_cache_store::            Set rails cache store
 #
+# $manage_selinux_booleans::      If true AND selinux is enabled on the node, set httpd_can_network_connect so apache works properly
+#
 # === Keycloak parameters:
 #
 # $keycloak::                     Enable Keycloak support. Note this is limited
@@ -308,6 +310,7 @@
   Boolean $keycloak = $foreman::params::keycloak,
   String[1] $keycloak_app_name = $foreman::params::keycloak_app_name,
   String[1] $keycloak_realm = $foreman::params::keycloak_realm,
+  Boolean $manage_selinux_booleans = true,
 ) inherits foreman::params {
   if $db_sslmode == 'UNSET' and $db_root_cert {
     $db_sslmode_real = 'verify-full'

spec/classes/foreman_config_apache_spec.rb

@@ -15,6 +15,44 @@
         end
       end
 
+      describe 'without manage_selinux_booleans', if: facts[:os]['family'] == 'RedHat' do
+        let :facts do
+          override_facts(super(), os: {'selinux' => {'enabled' => true}})
+        end
+
+        it 'should contain the selinux resource' do
+          should contain_selboolean('httpd_can_network_connect')
+        end
+      end
+
+      describe 'with manage_selinux_booleans to true', if: facts[:os]['family'] == 'RedHat' do
+        let :params do
+          super().merge(
+            manage_selinux_booleans: true
+          )
+        end
+
+        let :facts do
+          override_facts(super(), os: {'selinux' => {'enabled' => true}})
+        end
+
+        it 'should contain the selinux resource' do
+          should contain_selboolean('httpd_can_network_connect')
+        end
+      end
+
+      describe 'with manage_selinux_booleans to false', if: facts[:os]['family'] == 'RedHat' do
+        let :params do
+          super().merge(
+            manage_selinux_booleans: false
+          )
+        end
+
+        it 'should not contain the selinux resource' do
+          should_not contain_selboolean('httpd_can_network_connect')
+        end
+      end
+
       describe 'with passenger' do
         let(:params) do
           super().merge(