selinux: default to permissive

The disable-selinux role has been renamed to selinux and now supports
setting desired state.

Previously Kayobe was defaulting to disabling and rebooted the host - to
avoid audit logs filling up. This change allows operators to define
desired SELinux state and defaults to permissive - to adhere to those
site policies that require SELinux to be at least in permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1

ansible/disable-selinux.yml

@@ -1,9 +0,0 @@
----
-- name: Disable SELinux and reboot if required
-  hosts: seed:overcloud:infra-vms
-  tags:
-    - disable-selinux
-  roles:
-    - role: disable-selinux
-      disable_selinux_reboot_timeout: "{{ 600 if ansible_facts.virtualization_role == 'host' else 300 }}"
-      when: ansible_facts.os_family == 'RedHat'

ansible/infra-vm-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/overcloud-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/roles/disable-selinux/tasks/main.yml

@@ -1,40 +0,0 @@
----
-- name: Ensure required packages are installed
-  package:
-    name: python3-libselinux
-    state: present
-    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
-    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
-  become: True
-
-- name: Check if SELinux configuration file exists
-  stat:
-    path: /etc/selinux/config
-  register: stat_result
-
-- name: Ensure SELinux is disabled
-  selinux:
-    state: disabled
-  register: selinux_result
-  become: True
-  when: stat_result.stat.exists
-
-- block:
-    - name: Set a fact to determine whether we are running locally
-      set_fact:
-        is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
-
-    - name: Reboot the system to apply SELinux changes (local)
-      command: shutdown -r now "Applying SELinux changes"
-      become: True
-      when: is_local | bool
-
-    - name: Reboot the machine to apply SELinux
-      reboot:
-        reboot_timeout: "{{ disable_selinux_reboot_timeout }}"
-        msg: Applying SELinux changes
-      become: true
-      when: not is_local | bool
-  when:
-    - disable_selinux_do_reboot | bool
-    - selinux_result is changed

ansible/roles/selinux/defaults/main.yml

@@ -1,7 +1,13 @@
 ---
+# Target SELinux policy
+selinux_policy: targeted
+
+# Target SELinux state
+selinux_state: permissive
+
 # Whether to reboot to apply SELinux config changes.
-disable_selinux_do_reboot: true
+selinux_do_reboot: false
 
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
-disable_selinux_reboot_timeout:
+selinux_reboot_timeout:

ansible/roles/selinux/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Ensure required packages are installed
+  package:
+    name: python3-libselinux
+    state: present
+    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+  become: True
+
+- name: Check if SELinux configuration file exists
+  stat:
+    path: /etc/selinux/config
+  register: stat_result
+
+- name: Ensure desired SELinux state
+  selinux:
+    policy: "{{ selinux_policy }}"
+    state: "{{ selinux_state }}"
+  register: selinux_result
+  become: True
+  when: stat_result.stat.exists
+
+- block:
+    - name: Abort SELinux configuration because reboot is disabled
+      fail:
+        msg: >
+          SELinux state change requires a reboot, but selinux_do_reboot is
+          false. Please run again with selinux_do_reboot set to true to reboot.
+      when:
+        - not selinux_do_reboot | bool
+
+    - block:
+        - name: Set a fact to determine whether we are running locally
+          set_fact:
+            is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
+
+        - name: Reboot the system to apply SELinux changes (local)
+          command: shutdown -r now "Applying SELinux changes"
+          become: True
+          when:
+            - is_local | bool
+
+        - name: Reboot the machine to apply SELinux
+          reboot:
+            reboot_timeout: "{{ selinux_reboot_timeout }}"
+            msg: Applying SELinux changes
+          become: true
+          when:
+            - not is_local | bool
+      when:
+        - selinux_do_reboot | bool
+  when:
+    - stat_result.stat.exists
+    - selinux_result.reboot_required

ansible/seed-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/selinux.yml

@@ -0,0 +1,9 @@
+---
+- name: Configure SELinux state and reboot if required
+  hosts: seed:overcloud:infra-vms
+  tags:
+    - selinux
+  roles:
+    - role: selinux
+      selinux_reboot_timeout: "{{ 600 if ansible_facts.virtualization_role == 'host' else 300 }}"
+      when: ansible_facts.os_family == 'RedHat'

doc/source/configuration/reference/hosts.rst

@@ -445,15 +445,16 @@ that is signed by the key.
 SELinux
 =======
 *tags:*
-  | ``disable-selinux``
+  | ``selinux``
 
 .. note:: SELinux applies to CentOS and Rocky systems only.
 
-SELinux is not supported by Kolla Ansible currently, so it is disabled by
+SELinux is not supported by Kolla Ansible currently, so it is set to permissive
-Kayobe. If necessary, Kayobe will reboot systems in order to apply a change to
+by Kayobe. If necessary, it can be configured to disabled by setting
+``selinux_state`` to ``disabled``. Kayobe will reboot systems when required for
 the SELinux configuration. The timeout for waiting for systems to reboot is
-``disable_selinux_reboot_timeout``. Alternatively, the reboot may be avoided by
+``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting
-setting ``disable_selinux_do_reboot`` to ``false``.
+``selinux_do_reboot`` to ``false``.
 
 Network Configuration
 =====================

doc/source/configuration/scenarios/all-in-one/overcloud.rst

@@ -230,16 +230,16 @@ seen in MAAS):
 
    controller_bootstrap_user: "cloud-user"
 
-By default, on systems with SELinux enabled, Kayobe will disable SELinux and
+By default, on systems with SELinux disabled, Kayobe will put SELinux in
-reboot the system to apply the change. In a test or development environment
+permissive mode and reboot the system to apply the change. In a test or
-this can be a bit disruptive, particularly when using ephemeral network
+development environment this can be a bit disruptive, particularly when using
-configuration.  To avoid rebooting the system after disabling SELinux, set
+ephemeral network configuration.  To avoid rebooting the system after enabling
-``disable_selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
+SELinux, set ``selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
 
 .. code-block:: yaml
    :caption: ``etc/kayobe/globals.yml``
 
-   disable_selinux_do_reboot: false
+   selinux_do_reboot: false
 
 In a development environment, we may wish to tune some Kolla Ansible variables.
 Using QEMU as the virtualisation type will be necessary if KVM is not

kayobe/cli/commands.py

@@ -561,7 +561,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -866,7 +866,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -1112,7 +1112,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.

playbooks/kayobe-infra-vm-base/overrides.yml.j2

@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

playbooks/kayobe-overcloud-base/overrides.yml.j2

@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2

@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.

playbooks/kayobe-seed-base/overrides.yml.j2

@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

playbooks/kayobe-seed-upgrade-base/overrides.yml.j2

@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.

playbooks/kayobe-seed-vm-base/overrides.yml.j2

@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml

@@ -0,0 +1,18 @@
+---
+features:
+  - |
+    Adds functionality to configure desired SELinux state (in addition to
+    disabling SELinux previously).
+upgrade:
+  - |
+    The ``disable-selinux`` role has been renamed to ``selinux`` and so have
+    been the related variables. If you set one of them, adapt your
+    configuration:
+
+    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``
+    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``
+  - |
+    Kayobe now sets SELinux to ``permissive`` by default (compared to
+    ``disabled`` previously). This may require a reboot, which will only be
+    triggered if ``selinux_do_reboot`` is set to ``true``. If you want to
+    retain previous behaviour, set ``selinux_state`` to ``disabled``.