diff --git a/ansible/seed-hypervisor-host-configure.yml b/ansible/seed-hypervisor-host-configure.yml
index 86c70623b..dbec1a8b5 100644
--- a/ansible/seed-hypervisor-host-configure.yml
+++ b/ansible/seed-hypervisor-host-configure.yml
@@ -9,6 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/selinux.yml b/ansible/selinux.yml
index 730da7a5c..a03e67a27 100644
--- a/ansible/selinux.yml
+++ b/ansible/selinux.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure SELinux state and reboot if required
- hosts: seed:overcloud:infra-vms
+ hosts: seed:seed-hypervisor:overcloud:infra-vms
 tags:
 - selinux
 roles:
diff --git a/playbooks/kayobe-infra-vm-base/pre.yml b/playbooks/kayobe-infra-vm-base/pre.yml
index 38c9a6e2a..e4aa6454d 100644
--- a/playbooks/kayobe-infra-vm-base/pre.yml
+++ b/playbooks/kayobe-infra-vm-base/pre.yml
@@ -32,12 +32,6 @@
 value: 1
 become: true
- - name: Ensure SELinux is disabled
- selinux:
- state: disabled
- become: True
- when: ansible_os_family in ['RedHat', 'Rocky']
-
 # NOTE(mgoddard): Use the name zz-overrides.yml to ensure this takes
 # precedence over the standard config files.
 - name: Ensure kayobe-config override config file exists
diff --git a/playbooks/kayobe-seed-vm-base/pre.yml b/playbooks/kayobe-seed-vm-base/pre.yml
index 0e82db294..566365f12 100644
--- a/playbooks/kayobe-seed-vm-base/pre.yml
+++ b/playbooks/kayobe-seed-vm-base/pre.yml
@@ -32,12 +32,6 @@
 value: 1
 become: true
- - name: Ensure SELinux is disabled
- selinux:
- state: disabled
- become: True
- when: ansible_os_family in ['RedHat', 'Rocky']
-
 # NOTE(mgoddard): Use the name zz-overrides.yml to ensure this takes
 # precedence over the standard config files.
 - name: Ensure kayobe-config override config file exists
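Review bot: The `selinux.yml` import added to `ansible/seed-hypervisor-host-configure.yml` comes with no upgrade note saying that an existing hypervisor will have its SELinux mode changed on the next host configure. The release note in this commit gives the default as ``permissive``, so a seed hypervisor that is enforcing today would drop to logging denials only unless the operator sets the state explicitly first; on a libvirt host that presumably includes the confinement of guest processes. I would add an `upgrade:` entry to the release note, for example `Seed hypervisors are now set to permissive by default; set the SELinux state explicitly before running host configure to keep enforcing.` The playbook list continues outside the hunk.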
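Review bot: Adding `seed-hypervisor` to `hosts:` in `ansible/selinux.yml` puts the hypervisor into a play that is named as rebooting when required, alongside the `seed` and `infra-vms` guests it hosts. A hypervisor reboot stops those guests, and if they are targeted in the same run they can become unreachable part-way through. The roles list lies outside the hunk, so whether the reboot is gated or ordered per host is not visible here. A comment above `hosts:` would make this explicit, e.g. `# NOTE: rebooting seed-hypervisor also stops the seed and infra VMs running on it.`, and the role's reboot handling for this group is worth confirming.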
diff --git a/releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml b/releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml
new file mode 100644
index 000000000..18390b85b
--- /dev/null
+++ b/releasenotes/notes/selinux-seed-hypervisor-40c74b625ea93a7e.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Kayobe now configures SELinux on the seed hypervisor. The default is to set
+ SELinux to ``permissive``.
+fixes:
+ - |
+ Configures SELinux to ``permissive`` on the seed hypervisor, which fixes
+ permission issues when provisioning seed or infra VMs.