Bug 1757857

Summary: rhel-system-roles should not reload the SELinux policy if its not changed
Product: Red Hat Enterprise Linux 7
Reporter: Ron van der Wees <rvdwees>
Component: rhel-system-roles
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Jakub Haruda <jharuda>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.7
CC: anrussel, b.prins, djez, jharuda, jreznik, lvrabec, nhosoi, rmeggins, vcrhonek
Target Milestone: rc
Keywords: Extras, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:selinux
Fixed In Version: rhel-system-roles-1.7.3-2.el7_9
Doc Type: Bug Fix
Doc Text:
Cause: The selinux role was not checking to see if any changes were actually applied before reloading the SELinux policy.
Consequence: The SELinux policy was being reloaded unnecessarily. Policy reload is expensive.
Fix: Use Ansible handlers and conditionals so that the policy is only reloaded if it has changed.
Result: The selinux role runs much faster if no policy needs to be reloaded.
Story Points: ---
Clone Of:
Clones: 1757869
Environment:
Last Closed: 2022-02-22 18:56:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1757869

Description Ron van der Wees 2019-10-02 15:06:41 UTC
Description of problem:
The rhel-system-roles.selinux role has a task that always forces a policy reload,
which seems like kind of a sledgehammer approach, as a reload might not be
needed.
The task that handles the reload is always flagged as changed in the play
recap, which makes it hard to determine if there was actual configuration drift
on the systems the role was applied to (it is non-idempotent).


How reproducible:
Always

Steps to Reproduce:
1. Use the selinux system-role that changes the policy
2. Re-apply the role

Actual results:
After reapplying the role, nothing has changed but the playbook shows a
changed task.

Expected results:
After an initial playbook run using the rhel-system-roles.selinux role,
subsequent runs should not display any changed tasks.


Additional info:
From selinux/main.yml
~~~
- name: Reload SELinux policy
  command: semodule -R
  when: ansible_selinux.status != "disabled"
~~~
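The handler-based structure the Doc Text describes, as an added illustration rather than the rhel-system-roles.selinux code itself: the reload task above becomes a handler that runs once at the end of the play, and only if a task that actually modified the policy notified it. The module name and path are placeholders, and the example assumes `semodule -l` prints one module name per line, as it does on RHEL 7.

```yaml
# Added example (not the role's own code): reload the SELinux policy only
# when a module was actually installed, using a notified handler.
- name: Manage SELinux policy modules without an unconditional reload
  hosts: all
  become: true
  vars:
    # Constructed sample input; the module name and .pp path are placeholders.
    selinux_modules:
      - name: example_mod
        path: /root/example_mod.pp
  tasks:
    - name: List installed policy modules (read-only, never reported as changed)
      command: semodule -l
      register: semodule_list
      changed_when: false
      when: ansible_selinux.status != "disabled"

    - name: Install modules that are not present yet
      # -n suppresses semodule's own reload; the handler performs one reload
      # at the end of the play instead of one per module.
      command: semodule -n -i {{ item.path | quote }}
      loop: "{{ selinux_modules }}"
      loop_control:
        label: "{{ item.name }}"
      when:
        - ansible_selinux.status != "disabled"
        - item.name not in semodule_list.stdout_lines
      notify: Reload SELinux policy

  handlers:
    # Runs at most once per play, and only if a task above reported "changed".
    # A second run of the play installs nothing, so nothing is notified and the
    # play recap shows no changed tasks.
    - name: Reload SELinux policy
      command: semodule -R
```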

Comment 1 Ron van der Wees 2019-10-02 15:07:28 UTC
This may also apply to RHEL8

Comment 2 Pavel Cahyna 2019-10-02 15:25:44 UTC
Indeed, this is a problem, we fixed some of those issues in https://github.com/linux-system-roles/selinux/pull/38, but some remain. Concerning RHEL 8, I will create a clone.

Comment 7 Noriko Hosoi 2021-07-22 23:07:48 UTC
Hi @djez, could you give your qa_ack+?

Comment 22 errata-xmlrpc 2022-02-22 18:56:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0644