-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add --equal equivalent to sefcontext #5189
Conversation
Add the ability to idempotently add and remove an fcontext equivalence, mirroring the 'semanage fcontext --equal' operations. This operation requires a bogus setype, or even a valid one for that matter, as the value is unused, and I did not want to make the conditional change to AnsibleModule(... setype=dict(type='str', required=True), ... New tests were added to tests/integration/targets/sefcontext/tasks/sefcontext.yml. During testing it was discovered that deletions using 'semanage fcontext' do not work for an individual equivalence deletion, only --deleteall, which blows out ALL local settings. This makes this module an improvement over the command line tools in this case. Signed-off-by: Doug Maxey <dithotxgh@github.com>
This comment was marked as outdated.
This comment was marked as outdated.
Docs Build 📝This PR is closed and any previously published docsite has been unpublished. |
TMI: missed that default is needed only for selections. Signed-off-by: Doug Maxey <dithotxgh@github.com>
Please hold off on moving this forward while I investigate an issue outside the testcase, Re-ran the testcases to see if I missed it there, but all still pass. Am getting a 'KeyError: equiv' traceback running this in production. Debugging it now. |
Aha. Due to pathing, was picking up an older modules version with the bug, fixed in the latest. So there is no error when using the correct current version. So the hold is not needed. |
FYI: Testing environment is current ansible 2.12.2 on rhel 8 and 9. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added some first comments, mostly on the documentation part.
@@ -22,6 +22,13 @@ | |||
type: str | |||
required: yes | |||
aliases: [ path ] | |||
equiv: | |||
description: | |||
- set target selinux equivalence to this path. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please put proper sentences in each paragraph.
- set target selinux equivalence to this path. | |
- Set target selinux equivalence to this path. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unresolving, as the issue remains.
equiv: | ||
description: | ||
- set target selinux equivalence to this path. | ||
- setype must be set, the bogus 'many_t' works. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- setype must be set, the bogus 'many_t' works. | |
- I(setype) must be set, the bogus C(many_t) works. |
See https://docs.ansible.com/ansible/latest/dev_guide/developing_modules_documenting.html#linking-and-other-format-macros-within-module-documentation for how to format things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feel free to make any doc changes you need.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dithotxgh please take a look at the conventions used in the code and documentation - the PR will not be merged otherwise.
- setype must be set, the bogus 'many_t' works. | ||
- when set, ftype, seuser, selevel are ignored. | ||
type: str | ||
required: no |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use true
/false
for YAML booleans. (Check out the current main
branch, it should do that for all options in this module.)
required: no | |
required: false |
- set target selinux equivalence to this path. | ||
- setype must be set, the bogus 'many_t' works. | ||
- when set, ftype, seuser, selevel are ignored. | ||
type: str |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The next minor release will be 5.6.0:
type: str | |
version_added: 5.6.0 | |
type: str |
equiv: '/var/lib/pgsql' | ||
path: '/tmp/foo' | ||
setype: 'many_t' # setype 'many_t' does not exist, but works with no conflicts. | ||
reload: no |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reload: no | |
reload: false |
Same below.
Other than the adjustments pointed by @felixfontein , it LGTM |
Please note this also requires a changelog fragment. Looks like I forgot to mention that in my first review :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dithotxgh Please see the comments and make the proper adjustments.
@@ -22,6 +22,13 @@ | |||
type: str | |||
required: yes | |||
aliases: [ path ] | |||
equiv: | |||
description: | |||
- set target selinux equivalence to this path. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unresolving, as the issue remains.
equiv: | ||
description: | ||
- set target selinux equivalence to this path. | ||
- setype must be set, the bogus 'many_t' works. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dithotxgh please take a look at the conventions used in the code and documentation - the PR will not be merged otherwise.
try: | ||
# this is for the shipped equivs. | ||
return sefcontext.equiv_dist[target] | ||
except KeyError: | ||
try: | ||
# these are the local added items. | ||
return sefcontext.equiv[target] | ||
except KeyError: | ||
return None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be simplified as:
try: | |
# this is for the shipped equivs. | |
return sefcontext.equiv_dist[target] | |
except KeyError: | |
try: | |
# these are the local added items. | |
return sefcontext.equiv[target] | |
except KeyError: | |
return None | |
return sefcontext.equiv_dist.get(target, sefcontext.equiv.get(target)) |
I was making a contribution, that appears to have violated your idea of what makes a valid contribution. Quibbles over style stopping the benefit of the contribution are on you. I don't care that you make editorial changes if necessary to align with your worldview. My part is done. |
Your contribution seems to be quite valid, however this community is keen to maintain the documentation up to date and consistent, and that includes nits like formatting, punctuation and what not. Other than that, we only suggested an improvement in the code that makes it simpler and more readable. You seem to have taken the comments as personal offenses, but we make that kind of adjustments to all contributions. You are free to let this PR die as it is. I think it would be a shame, but if that's your choice, that's how it's going to be. |
Nope, nothing personal, Just an observation. If your process does not allow minor editorial changes, it's broken. |
The process allows it, of course. But this is a community: "our" community (you included), not "yours" or "mine" as your language points to. People volunteer time to this work, they don't have to do the editorial work dumped upon them, especially when it comes paired with passive-aggressive rhetoric. A different tone might have got you much further in gathering other people's help. |
Please update the PR according to the review comments. Otherwise we will close it eventually. Thanks. needs_info |
@dithotxgh This pullrequest is waiting for your response. Please respond or the pullrequest will be closed. |
Please note that in #5461 the collection repository was restructured to remove the directory tree in plugins/modules/, and the corresponding tree in tests/unit/plugins/modules/. Your PR modifies files in this directory structure, and unfortunately now has some conflicts, potentially because of this. Please rebase with the current |
@dithotxgh You have not responded to information requests in this pullrequest so we will assume it no longer affects you. If you are still interested in this, please create a new pullrequest with the requested information. |
SUMMARY
Add the ability to idempotently add and remove an fcontext
equivalence, mirroring the 'semanage fcontext --equal' operations.
This operation requires a bogus setype, or even a valid one for that
matter, as the value is unused, and I did not want to make the
conditional change to
AnsibleModule(... setype=dict(type='str', required=True), ...
New tests were added to
tests/integration/targets/sefcontext/tasks/sefcontext.yml.
During testing it was discovered that deletions using 'semanage
fcontext' do not work for an individual equivalence deletion, only
--deleteall, which blows out ALL local settings. This makes this
module an improvement over the command line tools in this case.
This should address #1193
Signed-off-by: Doug Maxey dithotxgh@github.com
ISSUE TYPE
COMPONENT NAME
community.general.sefcontext