From 836f394a6dc8a20197e13d9efce212d1efa93039 Mon Sep 17 00:00:00 2001
From: Will Szumski <will@stackhpc.com>
Date: Tue, 4 Jan 2022 17:46:49 +0000
Subject: [PATCH] Run selinux playbook on seed hypervisor

Change-Id: Iec0b9cd24eda4fc0fc38003dea66c50ece7425b6
---
 ansible/seed-hypervisor-host-configure.yml               | 1 +
 ansible/selinux.yml                                      | 2 +-
 playbooks/kayobe-infra-vm-base/pre.yml                   | 6 ------
 playbooks/kayobe-seed-vm-base/pre.yml                    | 6 ------
 .../notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml  | 9 +++++++++
 5 files changed, 11 insertions(+), 13 deletions(-)
 create mode 100644 releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml

diff --git a/ansible/seed-hypervisor-host-configure.yml b/ansible/seed-hypervisor-host-configure.yml
index 86c70623..dbec1a8b 100644
--- a/ansible/seed-hypervisor-host-configure.yml
+++ b/ansible/seed-hypervisor-host-configure.yml
@@ -9,6 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
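Review bot: Importing `selinux.yml` into seed hypervisor host configure means that command can now reboot the hypervisor, because the play it pulls in is named "Configure SELinux state and reboot if required"; any seed or infra VMs already running on that host would presumably go down with it. The release note added by this commit has `features` and `fixes` entries but no `upgrade` entry, so operators re-running host configure on an existing deployment get no warning. I would add an `upgrade` item along the lines of `Seed hypervisor host configure may now reboot the seed hypervisor if the SELinux state has to change.` The reboot condition lives in the role, which is outside this diff, so confirm it there.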
diff --git a/ansible/selinux.yml b/ansible/selinux.yml
index 730da7a5..a03e67a2 100644
--- a/ansible/selinux.yml
+++ b/ansible/selinux.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure SELinux state and reboot if required
-  hosts: seed:overcloud:infra-vms
+  hosts: seed:seed-hypervisor:overcloud:infra-vms
   tags:
     - selinux
   roles:
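Review bot: Adding `seed-hypervisor` to `hosts` puts the hypervisor under the default the release note gives as `permissive`, and in that mode SELinux only logs denials, so the host that runs the seed and infra VMs gets no mandatory access control enforcement (including guest confinement, assuming the VMs run under libvirt with sVirt labelling). The release note lists the provisioning permission issues under `fixes`, but permissive mode masks those denials rather than correcting the labels or policy that cause them. I would add a comment above the play such as `# NOTE: permissive on seed-hypervisor is a workaround for VM provisioning denials; review the AVC denials in the audit log before switching to enforcing`, and mention in the release note that the state is configurable. The play's `roles` list continues outside this hunk.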
diff --git a/playbooks/kayobe-infra-vm-base/pre.yml b/playbooks/kayobe-infra-vm-base/pre.yml
index 38c9a6e2..e4aa6454 100644
--- a/playbooks/kayobe-infra-vm-base/pre.yml
+++ b/playbooks/kayobe-infra-vm-base/pre.yml
@@ -32,12 +32,6 @@
         value: 1
       become: true
 
-    - name: Ensure SELinux is disabled
-      selinux:
-        state: disabled
-      become: True
-      when: ansible_os_family in ['RedHat', 'Rocky']
-
     # NOTE(mgoddard): Use the name zz-overrides.yml to ensure this takes
     # precedence over the standard config files.
     - name: Ensure kayobe-config override config file exists
diff --git a/playbooks/kayobe-seed-vm-base/pre.yml b/playbooks/kayobe-seed-vm-base/pre.yml
index 0e82db29..566365f1 100644
--- a/playbooks/kayobe-seed-vm-base/pre.yml
+++ b/playbooks/kayobe-seed-vm-base/pre.yml
@@ -32,12 +32,6 @@
         value: 1
       become: true
 
-    - name: Ensure SELinux is disabled
-      selinux:
-        state: disabled
-      become: True
-      when: ansible_os_family in ['RedHat', 'Rocky']
-
     # NOTE(mgoddard): Use the name zz-overrides.yml to ensure this takes
     # precedence over the standard config files.
     - name: Ensure kayobe-config override config file exists
diff --git a/releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml b/releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml
new file mode 100644
index 00000000..18390b85
--- /dev/null
+++ b/releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Kayobe now configures SELinux on the seed hypervisor. The default is to set
+    SELinux to ``permissive``.
+fixes:
+  - |
+    Configures SELinux to ``permissive`` on the seed hypervisor, which fixes
+    permission issues when provisioning seed or infra VMs.
-- 
GitLab