Updated openstack/openstack
Project: openstack-infra/puppet-cgit 0c3f449706f9721a69b83e2b46c7d7a3bd90781a

Fix logic in selinux execs

Without this patch, the logic for managing selinux rules faces two problems:

1. The use of the refreshonly is problematic. If for whatever reason the semanage command fails or is not executed in the course of a puppet run, a second puppet run can only fix the selinux problem if it is also changing the state of the file resource to which the exec is subscribed. If there is no change made to that file, puppet will not attempt to re-execute the semanage command and the rule will remain broken but unreported.

2. Using a system-modifying command as a value to the onlyif or unless parameters is bad practice. If the command in the onlyif fails (or if the command in the unless succeeds), the command in the command parameter will not be executed so puppet will report no changes, even though a change has occurred. The onlyif or unless parameters are intended to examine the state of the system to determine whether an action is needed, never to modify the system.

This patch removes the refreshonly parameters from the execs in cgit::selinux in order to fix problem 1. This alone exacerbates problem 2 because when the exec is not tied to a file resource it always fails to add the port after the first time, and so reports modifying the port on every run. To fix this, this patch changes the onlyif to an unless that examines whether the desired rule exists, and if not first tries to add the port and then to modify the port if the port was already added.

Change-Id: I98fa561b5367cd5fe11ff61479aa8b899db07a5a
Depends-On: I9d359b3fc71c7a83b6094f7ee535ab8418f20468
Depends-On: Iaa9c8cda7a2eae904eb8f25cfa33be249b2b4cab
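The pattern the commit message describes, as an added example that is not the puppet-cgit module's own code: a state-changing guard beside a read-only guard. The port 8080, the type http_port_t, the resource titles and the file path are assumptions chosen for illustration.

```puppet
# Constructed illustration; 8080, http_port_t, the titles and the file path
# are assumed values, not taken from cgit::selinux.

file { '/etc/httpd/conf.d/example.conf':   # hypothetical subscribed file
  ensure => file,
}

# Anti-pattern: the guard itself modifies the system.
# Run 1: the "unless" adds the port and exits 0, so "command" is skipped and
#        puppet reports no change although SELinux policy was altered.
# Later: the add fails (port already defined), so the modify runs and is
#        reported as a change on every run. With refreshonly, none of this
#        is even attempted unless the subscribed file changes.
exec { 'example_port_guard_modifies_state':
  path        => '/usr/sbin:/usr/bin:/sbin:/bin',
  command     => 'semanage port -m -t http_port_t -p tcp 8080',
  unless      => 'semanage port -a -t http_port_t -p tcp 8080',
  refreshonly => true,
  subscribe   => File['/etc/httpd/conf.d/example.conf'],
}

# Corrected shape: the guard only reads state, and the command converges it.
# No refreshonly, so a rule that is missing for any reason is repaired on the
# next run and the repair shows up in the report.
exec { 'example_port_guard_reads_state':
  path     => '/usr/sbin:/usr/bin:/sbin:/bin',
  provider => shell,   # needed for the pipe and the || fallback
  # Try to add the port; if it is already defined, modify it instead.
  command  => 'semanage port -a -t http_port_t -p tcp 8080 || semanage port -m -t http_port_t -p tcp 8080',
  # Read-only check against the policy listing (\b assumes GNU grep).
  unless   => 'semanage port -l | grep -Eq "^http_port_t +tcp .*\b8080\b"',
}
```

On an unchanged host, `puppet agent --test --noop` should report nothing for the second exec and a pending change for a rule that has gone missing.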
parent dc9e6248e0
commit 012cab3fc8
|
@ -1 +1 @@
|
|||
Subproject commit 76fc19c54507dc8e91871db7b0a27a8673fa81fd
|
||||
Subproject commit 0c3f449706f9721a69b83e2b46c7d7a3bd90781a
|
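Review bot: The new subproject commit 0c3f449706f9721a69b83e2b46c7d7a3bd90781a matches the puppet-cgit hash named in the commit message, but the hunk as shown carries no file header, so the submodule path being bumped cannot be confirmed from these lines; please check that it is the puppet-cgit entry. The message also lists two Depends-On change ids that this one-line pointer move does not show, so confirm both have merged before advancing the pointer past 76fc19c54507dc8e91871db7b0a27a8673fa81fd.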