Skip to content

Make Ansible in SELinux rules idempotent #13963

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Make Ansible in SELinux rules idempotent #13963

wants to merge 1 commit into from

Conversation

jan-cerny
Copy link
Collaborator

There were 2 problems:

  1. the .autorelabel file was created even if SELinux state was correct
  2. the .autorelabel file was changed even if it existed because the task uses "touch" which always modified the file modification time

Resolves: https://issues.redhat.com/browse/OPENSCAP-6255

Review Hints:

  • ./build_product --playbook-per-rule rhel9
  • manually replace hosts by hosts: all in build/rhel9/playbooks/stig/selinux_state.yml and build/rhel9/playbooks/all/selinux_not_disabled.yml
  • run ansible-playbook -u root -i YOUR_IP, build/rhel9/playbooks/stig/selinux_state.yml at least twice and compare the output of the first run with the second run and so on, verify that the second and next runs don't change anything and that the output contains only "ok" or "skipping"
  • dtto for the build/rhel9/playbooks/all/selinux_not_disabled.yml
  • apart from that, run automatus Tss with --remediate-using ansible

@jan-cerny
Make Ansible in SELinux rules idempotent
85d12c9 
There were 2 problems:
1. the .autorelabel file was created even if SELinux state was correct
2. the .autorelabel file was changed even if it existed because the
   task uses "touch" which always modified the file modification time

Resolves: https://issues.redhat.com/browse/OPENSCAP-6255
@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 1, 2025
@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Oct 1, 2025
@vojtapolasek vojtapolasek self-assigned this Oct 2, 2025
@vojtapolasek
Copy link
Collaborator

/retest

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 2, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 85d12c9 link true /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jan-cerny
Copy link
Collaborator Author

/packit build

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@vojtapolasek vojtapolasek

Labels
Ansible Ansible remediation update.
Projects
None yet
Milestone
0.1.79
Development

Successfully merging this pull request may close these issues.
2 participants
@jan-cerny @vojtapolasek