Bug 1757869

Summary: rhel-system-roles should not reload the SELinux policy if it's not changed
Product: Red Hat Enterprise Linux 8
Reporter: Pavel Cahyna <pcahyna>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: unspecified
Docs Contact: Eliane Ramos Pereira <elpereir>
Priority: unspecified
Version: 8.1
CC: djez, elpereir, lbac, lvrabec, qe-baseos-apps, rmeggins, rvdwees, vcrhonek
Target Milestone: rc
Keywords: Reopened, Triaged
Target Release: 8.5
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:selinux
Fixed In Version: rhel-system-roles-1.1.0-1.el8
Doc Type: Bug Fix
Doc Text:
.`SElinux` role no longer performs unnecessary reloads

Previously, the `SElinux` role would not check if changes were actually applied before reloading the `SElinux` policy. As a consequence, the `SElinux` policy was being reloaded unnecessarily, which had an impact on the system resources. With this fix, the `SElinux` role now uses Ansible handlers and conditionals to ensure that the policy is only reloaded if there is a change. As a result, the `SElinux` role runs much faster.
Clone Of: 1757857
Last Closed: 2021-11-09 17:44:38 UTC
Type: Bug
Bug Depends On: 1757857, 1937938

Description Pavel Cahyna 2019-10-02 15:30:18 UTC
+++ This bug was initially created as a clone of Bug #1757857 +++

Description of problem:
The rhel-system-roles.selinux has a task to always force a policy reload,
which seems like kind of a sledgehammer approach, as a reload might not be
needed.
The task that handles the reload is always flagged as changed in the play
recap which makes it hard to determine if there was actual configuration drift
on the systems the role was applied on (it is non-idempotent).


How reproducible:
Always

Steps to Reproduce:
1. Use the selinux system-role that changes the policy
2. Reapply the role

Actual results:
After reapplying the role, nothing has changed but the playbook shows a
changed task.

Expected results:
After an initial playbook run using the rhel-system-roles.selinux role
subsequent runs should not display any changed tasks.


Additional info:
From selinux/main.yml
~~~
- name: Reload SELinux policy
  command: semodule -R
  when: ansible_selinux.status != "disabled"
~~~

--- Additional comment from Ron van der Wees on 2019-10-02 15:07:28 UTC ---

This may also apply to RHEL8

--- Additional comment from Pavel Cahyna on 2019-10-02 15:25:44 UTC ---

Indeed, this is a problem, we fixed some of those issues in https://github.com/linux-system-roles/selinux/pull/38, but some remain. Concerning RHEL 8, I will create a clone.

Comment 5 Rich Megginson 2021-04-01 23:55:38 UTC
This isn't covered by an explicit test - it is covered by regression testing

Comment 6 RHEL Program Management 2021-04-05 13:42:46 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 24 errata-xmlrpc 2021-11-09 17:44:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4159
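
The handler-and-conditional pattern named in the Doc Text, as an added illustration that is not the role's own code: tasks defer the policy reload with the `reload: false` parameter of the `community.general` modules and notify a single handler, so `semodule -R` runs only when something changed. The port, path and type values are constructed samples.

```yaml
# Added illustration, not taken from rhel-system-roles.
# Port, path and type values below are constructed samples.
- name: Apply SELinux local customizations, reloading policy only on change
  hosts: all
  become: true
  tasks:
    - name: Label a TCP port without an immediate policy reload
      community.general.seport:
        ports: "8443"
        proto: tcp
        setype: http_port_t
        state: present
        reload: false
      when: ansible_selinux.status != "disabled"
      notify: Reload SELinux policy

    - name: Add a file context rule without an immediate policy reload
      community.general.sefcontext:
        target: "/srv/www(/.*)?"
        setype: httpd_sys_content_t
        state: present
        reload: false
      when: ansible_selinux.status != "disabled"
      notify: Reload SELinux policy

  handlers:
    # Runs once at the end of the play, and only if a task above
    # reported "changed". A second run with no drift reports changed=0.
    - name: Reload SELinux policy
      ansible.builtin.command: semodule -R
      when: ansible_selinux.status != "disabled"
```

Running the play twice and comparing the play recap is the idempotence check: any `changed` count on the second run then points at real configuration drift rather than at the reload task.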