SIMP should use reboot notify for SELinux reboot requirements

Description

When SELinux is disabled and a user requests that it be set to either permissive or enforcing, Puppet raises an error because it attempts to run 'setenforce'.

Instead, this should check the state of SELinux on the system itself and, if a reboot is required before the setenforce command can be used, the reboot_notify type should be used rather than letting a resource run and fail.
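
A sketch of the check described above, as an added example rather than SIMP's own code: it takes the runtime state as reported by `getenforce` and the requested mode, and decides whether `setenforce` can apply the change or a reboot notification is needed. The function name `plan_selinux_change` and the returned hash layout are hypothetical. The code relies on the fact that `setenforce` only switches between enforcing and permissive, so any change to or from disabled needs a reboot.

```ruby
# Added example; plan_selinux_change and its return format are hypothetical.
SELINUX_MODES = %w[enforcing permissive disabled].freeze

# runtime_state: output of `getenforce` ("Enforcing", "Permissive", "Disabled")
# requested:     the mode the user asked for
# Returns a hash describing what a Puppet run should do for this transition.
def plan_selinux_change(runtime_state, requested)
  current = runtime_state.to_s.strip.downcase
  wanted  = requested.to_s.strip.downcase

  [current, wanted].each do |mode|
    raise ArgumentError, "unknown SELinux mode: #{mode.inspect}" unless SELINUX_MODES.include?(mode)
  end

  # Nothing to do when the running kernel already matches the request.
  return { action: :none } if current == wanted

  # setenforce cannot enable SELinux on a kernel that booted with it
  # disabled, and cannot disable it on a running system. Both cases
  # need a reboot, so notify instead of running a command that fails.
  if current == 'disabled' || wanted == 'disabled'
    return {
      action: :reboot_notify,
      reason: "SELinux is #{current}; changing to #{wanted} requires a reboot"
    }
  end

  # enforcing <-> permissive can be switched at runtime.
  { action: :setenforce, arg: wanted == 'enforcing' ? '1' : '0' }
end

# Constructed sample transitions, printed when the file is run directly.
if __FILE__ == $PROGRAM_NAME
  [%w[Disabled enforcing], %w[Permissive enforcing], %w[Enforcing disabled]].each do |cur, want|
    puts "#{cur} -> #{want}: #{plan_selinux_change(cur, want)}"
  end
end
```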

Acceptance Criteria

None

Activity

Nicholas Markowski
April 7, 2017, 4:04 PM

This is especially important now that svckill warns by default. If you toggle enforcing -> permissive/disabled, named-chroot kicks off, but svckill won't kill the original named process. Having two nameservers that dish out potentially different information to the same clients is bad. By rebooting and running puppet, you ensure that these unintended consequences are avoided.

Done

Assignee

Nicholas Markowski

Priority

Medium