diff --git a/ansible/disable-selinux.yml b/ansible/disable-selinux.yml
deleted file mode 100644
index 3ce1706c638e839ae2010e2f1d92b0652465c5ec..0000000000000000000000000000000000000000
--- a/ansible/disable-selinux.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Disable SELinux and reboot if required
-  hosts: seed:overcloud:infra-vms
-  tags:
-    - disable-selinux
-  roles:
-    - role: disable-selinux
-      disable_selinux_reboot_timeout: "{{ 600 if ansible_facts.virtualization_role == 'host' else 300 }}"
-      when: ansible_facts.os_family == 'RedHat'
diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml
index ce7b25c8e8c9d96acec7c98943cd97f32ca1a9b3..e175757e51061a967bc8d00320d6cf85ec8bc8f8 100644
--- a/ansible/infra-vm-host-configure.yml
+++ b/ansible/infra-vm-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml
index 31587891b421d9cda694cafb794225825f3a4f75..d43c711e9c32016c0b7211da09eb3d750238ca02 100644
--- a/ansible/overcloud-host-configure.yml
+++ b/ansible/overcloud-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/roles/disable-selinux/tasks/main.yml b/ansible/roles/disable-selinux/tasks/main.yml
deleted file mode 100644
index 5b777452b2d0aa6bfc896508626fdbd2393f5baa..0000000000000000000000000000000000000000
--- a/ansible/roles/disable-selinux/tasks/main.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- name: Ensure required packages are installed
-  package:
-    name: python3-libselinux
-    state: present
-    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
-    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
-  become: True
-
-- name: Check if SELinux configuration file exists
-  stat:
-    path: /etc/selinux/config
-  register: stat_result
-
-- name: Ensure SELinux is disabled
-  selinux:
-    state: disabled
-  register: selinux_result
-  become: True
-  when: stat_result.stat.exists
-
-- block:
-    - name: Set a fact to determine whether we are running locally
-      set_fact:
-        is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
-
-    - name: Reboot the system to apply SELinux changes (local)
-      command: shutdown -r now "Applying SELinux changes"
-      become: True
-      when: is_local | bool
-
-    - name: Reboot the machine to apply SELinux
-      reboot:
-        reboot_timeout: "{{ disable_selinux_reboot_timeout }}"
-        msg: Applying SELinux changes
-      become: true
-      when: not is_local | bool
-  when:
-    - disable_selinux_do_reboot | bool
-    - selinux_result is changed
diff --git a/ansible/roles/disable-selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml
similarity index 50%
rename from ansible/roles/disable-selinux/defaults/main.yml
rename to ansible/roles/selinux/defaults/main.yml
index 23fd5cd33826d8e26a2c9395777f2f88d9c44740..80481b39ff4859abbba4df5343f57d46ca07b113 100644
--- a/ansible/roles/disable-selinux/defaults/main.yml
+++ b/ansible/roles/selinux/defaults/main.yml
@@ -1,7 +1,13 @@
 ---
+# Target SELinux policy
+selinux_policy: targeted
+
+# Target SELinux state
+selinux_state: permissive
+
 # Whether to reboot to apply SELinux config changes.
-disable_selinux_do_reboot: true
+selinux_do_reboot: false
 
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
-disable_selinux_reboot_timeout:
+selinux_reboot_timeout:
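Review bot: The comments on `selinux_state` and `selinux_do_reboot` do not say what the values mean, and the meaning of `selinux_do_reboot: false` changes in this commit. For the state I would write `# Target SELinux state: enforcing, permissive or disabled. permissive logs policy denials but does not block them.` For the reboot flag I would write `# Whether to reboot to apply SELinux config changes. When false, the role fails if a reboot is required.`, which matches the `fail` task added in roles/selinux/tasks/main.yml. `selinux_reboot_timeout:` is a bare key and therefore null; `selinux_reboot_timeout: null` would make that intent explicit.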
diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..54f699303259c1afdce22d7d1db85e2e96ad595e
--- /dev/null
+++ b/ansible/roles/selinux/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure required packages are installed
+  package:
+    name: python3-libselinux
+    state: present
+    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+  become: True
+
+- name: Check if SELinux configuration file exists
+  stat:
+    path: /etc/selinux/config
+  register: stat_result
+
+- name: Ensure desired SELinux state
+  selinux:
+    policy: "{{ selinux_policy }}"
+    state: "{{ selinux_state }}"
+  register: selinux_result
+  become: True
+  when: stat_result.stat.exists
+
+- block:
+    - name: Abort SELinux configuration because reboot is disabled
+      fail:
+        msg: >
+          SELinux state change requires a reboot, but selinux_do_reboot is
+          false. Please run again with selinux_do_reboot set to true to reboot.
+      when:
+        - not selinux_do_reboot | bool
+
+    - block:
+        - name: Set a fact to determine whether we are running locally
+          set_fact:
+            is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
+
+        - name: Reboot the system to apply SELinux changes (local)
+          command: shutdown -r now "Applying SELinux changes"
+          become: True
+          when:
+            - is_local | bool
+
+        - name: Reboot the machine to apply SELinux
+          reboot:
+            reboot_timeout: "{{ selinux_reboot_timeout }}"
+            msg: Applying SELinux changes
+          become: true
+          when:
+            - not is_local | bool
+      when:
+        - selinux_do_reboot | bool
+  when:
+    - stat_result.stat.exists
+    - selinux_result.reboot_required
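Review bot: The `fail` task in the outer block can only fire after the `selinux` task has reported `reboot_required`, so by then the configured state has presumably already been written and the play aborts with the running and configured SELinux modes out of step. With the new default `selinux_do_reboot: false`, every host that needs a reboot takes this path. The message should therefore say that the configuration was changed and takes effect at the next boot, and a comment above the block should explain the ordering. Separately, `reboot_timeout: "{{ selinux_reboot_timeout }}"` gets the empty role default whenever the role is used without the override from selinux.yml; `reboot_timeout: "{{ selinux_reboot_timeout | default(omit, true) }}"` would fall back to the module default instead. Both `block:` entries also lack a `name`, which makes the run output harder to follow.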
diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml
index 4a89f4f09e212b6b97ce147cf4608ccd02422ff0..b41344eae9a4f6638dbaaac6e02d360697704303 100644
--- a/ansible/seed-host-configure.yml
+++ b/ansible/seed-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/selinux.yml b/ansible/selinux.yml
new file mode 100644
index 0000000000000000000000000000000000000000..730da7a5ce11e5814c2dc23706772b3062a17139
--- /dev/null
+++ b/ansible/selinux.yml
@@ -0,0 +1,9 @@
+---
+- name: Configure SELinux state and reboot if required
+  hosts: seed:overcloud:infra-vms
+  tags:
+    - selinux
+  roles:
+    - role: selinux
+      selinux_reboot_timeout: "{{ 600 if ansible_facts.virtualization_role == 'host' else 300 }}"
+      when: ansible_facts.os_family == 'RedHat'
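Review bot: The play's tag changes from `disable-selinux` to `selinux` and nothing visible in the commit keeps the old name, so an existing `--skip-tags disable-selinux` stops matching without any error. The play will then change SELinux state on hosts where it was deliberately skipped. Either keep the old tag as an alias by adding `    - disable-selinux` under `tags:`, or mention the tag rename in the upgrade release note, which currently lists only the role and variable renames.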
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index 0451a38381d3481db74c1a70b8814ad714e009a3..4cb6e57a0ae91a171980f85630f21210690ae372 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -445,15 +445,16 @@ that is signed by the key.
 SELinux
 =======
 *tags:*
-  | ``disable-selinux``
+  | ``selinux``
 
 .. note:: SELinux applies to CentOS and Rocky systems only.
 
-SELinux is not supported by Kolla Ansible currently, so it is disabled by
-Kayobe. If necessary, Kayobe will reboot systems in order to apply a change to
+SELinux is not supported by Kolla Ansible currently, so it is set to permissive
+by Kayobe. If necessary, it can be configured to disabled by setting
+``selinux_state`` to ``disabled``. Kayobe will reboot systems when required for
 the SELinux configuration. The timeout for waiting for systems to reboot is
-``disable_selinux_reboot_timeout``. Alternatively, the reboot may be avoided by
-setting ``disable_selinux_do_reboot`` to ``false``.
+``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting
+``selinux_do_reboot`` to ``false``.
 
 Network Configuration
 =====================
diff --git a/doc/source/configuration/scenarios/all-in-one/overcloud.rst b/doc/source/configuration/scenarios/all-in-one/overcloud.rst
index 5e3b68ecaa45b81cf199dd7482b522bf05564b79..2992877ab49a08151744e7261137dc6e7dd6935c 100644
--- a/doc/source/configuration/scenarios/all-in-one/overcloud.rst
+++ b/doc/source/configuration/scenarios/all-in-one/overcloud.rst
@@ -230,16 +230,16 @@ seen in MAAS):
 
    controller_bootstrap_user: "cloud-user"
 
-By default, on systems with SELinux enabled, Kayobe will disable SELinux and
-reboot the system to apply the change. In a test or development environment
-this can be a bit disruptive, particularly when using ephemeral network
-configuration.  To avoid rebooting the system after disabling SELinux, set
-``disable_selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
+By default, on systems with SELinux disabled, Kayobe will put SELinux in
+permissive mode and reboot the system to apply the change. In a test or
+development environment this can be a bit disruptive, particularly when using
+ephemeral network configuration.  To avoid rebooting the system after enabling
+SELinux, set ``selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
 
 .. code-block:: yaml
    :caption: ``etc/kayobe/globals.yml``
 
-   disable_selinux_do_reboot: false
+   selinux_do_reboot: false
 
 In a development environment, we may wish to tune some Kolla Ansible variables.
 Using QEMU as the virtualisation type will be necessary if KVM is not
diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
index 325a67aeaae3b24470519396507e898be0acf74c..9d5c8ab2df0fea37b737445cee187d6b0f006842 100644
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@@ -561,7 +561,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -866,7 +866,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -1112,7 +1112,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2
index 1a72eb8f6fe7a38f21fd9aa4d1966ed54b2610b3..061d7589ce517bb2d9ffdee6a45598982348889c 100644
--- a/playbooks/kayobe-infra-vm-base/overrides.yml.j2
+++ b/playbooks/kayobe-infra-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index 0c674193c8383b5064fed7a08f7dca71534f49d6..2f488c04e4f10dac0ad2a76b1013aba36afc181e 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
index 5972bdfd613f8373d25c388cedc0910be513d7ee..a4dd3a8922ae2fed673847381efc7b68826fb76b 100644
--- a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.
diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2
index b2a09402060fe8edd46d693179311a396da3f5d7..dc1e54e5ef52244723071701595b0637eb28d81a 100644
--- a/playbooks/kayobe-seed-base/overrides.yml.j2
+++ b/playbooks/kayobe-seed-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
index 5b13be360b9a34e1641447a725358448685c2a9b..93d6c424523bb5e267205542ab55940bcaddc261 100644
--- a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
+++ b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.
diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2
index 9c5462c73630fc7d5e6ac3cb037a0c149ce53820..108efb74f761e5f83028df96ee57f5f5603db665 100644
--- a/playbooks/kayobe-seed-vm-base/overrides.yml.j2
+++ b/playbooks/kayobe-seed-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml b/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f0be18ea79f1cc57657db688802325611c4d7f51
--- /dev/null
+++ b/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
@@ -0,0 +1,18 @@
+---
+features:
+  - |
+    Adds functionality to configure desired SELinux state (in addition to
+    disabling SELinux previously).
+upgrade:
+  - |
+    The ``disable-selinux`` role has been renamed to ``selinux`` and so have
+    been the related variables. If you set one of them, adapt your
+    configuration:
+
+    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``
+    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``
+  - |
+    Kayobe now sets SELinux to ``permissive`` by default (compared to
+    ``disabled`` previously). This may require a reboot, which will only be
+    triggered if ``selinux_do_reboot`` is set to ``true``. If you want to
+    retain previous behaviour, set ``selinux_state`` to ``disabled``.