Hosts having selinux disabled may break the required vm migrations during upgrade. And it's also not recommended to have mixed on/off hosts in the same cluster.
Would be nice to check it in the log collector analyzer script.
# select selinux_enforce_mode from vds;
I have sent a patch to gerrit that shows the current configuration of selinux per host in the Hosts tab. Should be enough for your request?
When you say, mixing the configurations, is it about mixing disabled selinux hosts vs permissive/enforcing hosts or only disabled selinux hosts vs enforcing hosts?
If you are looking for a validation permissive/enforcing vs disabled, might be something like this:
WHERE vds_group_name IN (SELECT DISTINCT vds_group_name FROM vds WHERE selinux_enforce_mode=-1) AND selinux_enforce_mode IN (0,1);
Do you have a real scenario or sosreport to test the above query or showing the selinux status in the Host tab is enough?
Yes, that patch is enough (+1).
(In reply to Douglas Schilling Landgraf from comment #1)
> When you say, mixing the configurations, is it about mixing disabled selinux
> hosts vs permissive/enforcing hosts or only disabled selinux hosts vs
> enforcing hosts?
It's disabled vs permissive/enforcing that causes problems. A VM will fail to migrate from an enforcing/permissive to a disabled host. This is a known problem and hit several times by our customers.
> Do you have a real scenario or sosreport to test the above query or showing
> the selinux status in the Host tab is enough?
Yes, I did 2 arch reviews recently, both had one host with selinux disabled.
Showing the SELinux status is already good enough to visualize the data. Having a check to ensure enforcing/permissive are not mixed with disabled in the same cluster would be a bonus if you have time.
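The cluster-level check discussed above, as an added example that is not part of the bug thread or of the log collector analyzer's code: Python running a query over an in-memory SQLite table of constructed rows. Unlike the query quoted earlier, it lists every host of a mixed cluster and skips hosts with no reported mode. Assumptions: the `vds_name` column and the 0 = permissive / 1 = enforcing mapping; `vds_group_name`, `selinux_enforce_mode` and -1 = disabled come from the thread's query.

```python
import sqlite3

# -1 = disabled (from the thread's query); 0/1 naming is an assumption
# based on the usual SELinux numbering.
MODE_NAMES = {-1: "disabled", 0: "permissive", 1: "enforcing"}

# Constructed sample rows standing in for the engine's vds view.
SAMPLE_HOSTS = [
    ("host-a1", "ClusterA", 1),
    ("host-a2", "ClusterA", -1),    # disabled host among enabled ones
    ("host-a3", "ClusterA", 0),
    ("host-b1", "ClusterB", 1),
    ("host-b2", "ClusterB", 0),     # permissive + enforcing: not flagged
    ("host-c1", "ClusterC", -1),
    ("host-c2", "ClusterC", -1),    # uniformly disabled: not mixed
    ("host-d1", "ClusterD", -1),
    ("host-d2", "ClusterD", None),  # mode never reported: ignored
]

# A cluster is mixed when its lowest known mode is -1 (disabled) and its
# highest is 0 or 1. MIN/MAX skip NULLs; this form also works on PostgreSQL.
MIXED_QUERY = """
SELECT vds_group_name, vds_name, selinux_enforce_mode
FROM vds
WHERE selinux_enforce_mode IN (-1, 0, 1)
  AND vds_group_name IN (
      SELECT vds_group_name FROM vds
      WHERE selinux_enforce_mode IN (-1, 0, 1)
      GROUP BY vds_group_name
      HAVING MIN(selinux_enforce_mode) = -1
         AND MAX(selinux_enforce_mode) >= 0)
ORDER BY vds_group_name, vds_name
"""

def find_mixed_clusters(rows):
    """Return {cluster: {"disabled": [...], "enabled": [...]}} for mixed clusters."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vds (vds_name TEXT, vds_group_name TEXT,"
               " selinux_enforce_mode INTEGER)")
    db.executemany("INSERT INTO vds VALUES (?, ?, ?)", rows)
    report = {}
    for cluster, host, mode in db.execute(MIXED_QUERY):
        entry = report.setdefault(cluster, {"disabled": [], "enabled": []})
        key = "disabled" if mode == -1 else "enabled"
        entry[key].append(f"{host} ({MODE_NAMES[mode]})")
    db.close()
    return report

if __name__ == "__main__":
    for cluster, hosts in find_mixed_clusters(SAMPLE_HOSTS).items():
        print(f"WARNING: {cluster} mixes SELinux-disabled and enabled hosts: {hosts}")
```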
Do you mind giving us a hand and testing the following patch against good sosreports and the bad ones you mentioned?
inventory: Check for clusters with mixed selinux config
This will generate a warning in case we have a cluster with mixed selinux config for hosts.
Done. See attached example of the problem explained on gerrit.
Compare the SELinux warning table to the hosts table.
I'll test again once you submit the next patch.
Thanks for working on this!
(In reply to Germano Veit Michel from comment #4)
> Hi Douglas,
> Done. See attached example of the problem explained on gerrit.
> Compare the SELinux warning table to the hosts table.
> I'll test again once you submit the next patch.
> Thanks for working on this!
Thanks Germano, a new patch is available for testing. Do you mind giving it a new test and attaching the sosreport you are using for testing to this bugzilla report? I have a local repo with several sosreports to test the scenarios we are adding.
Verified on version:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.