reconfigure will not apply SELinux contexts if none of the files that need them change
Overview
During testing of !6419 (merged), I discovered that if a file has not changed, then SELinux contexts will not actually be applied during reconfigure.
We should ensure this happens so that contexts are always restored when necessary.
Original context
@rmarshall started a discussion: I have made some adaptations to account for Amazon Linux not having `/etc/redhat-release`.
Package build at https://dev.gitlab.org/gitlab/omnibus-gitlab/-/pipelines/256126
What I've done:
- By default, we still use `redhat-release`
- If that fails to be read, then we try `os-release`
- Pass the same filter through; if this does not work, then SELinux still fails
- Adds a runtime dependency for package install for the policycoreutils package so `semanage` is present
I think this should be the safest route until we can resolve the mappings in !6419 (comment 1136645399) so that this double-read can be turned into a single read of `/etc/os-release`.
The SELinux contexts are not updated, even with proper detection, I think because the templates/files exist and are not changing.
For some reason I thought it should "just work", but before I declare it something weird, I'm going to build the packages above and try a fresh install and see if contexts work. If they do, then we probably have a separate bug to address in making sure contexts get applied even when target files do not change.
Deliverables
- Evaluate the best way to ensure context is applied to files on an as-needed basis during reconfigure
- Add a `gitlab-ctl` command that re-applies contexts so administrators can fix contexts without actually needing to run reconfigure
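One way to make the "as-needed" check above independent of whether reconfigure changed a file, as an added example that is not omnibus-gitlab code: a `restorecon` dry run decides which paths carry the wrong label, and only those are restored. The `Would relabel` output format, the function names and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not omnibus-gitlab code): decide which paths need their SELinux
# context restored by parsing a `restorecon -n -v` dry run, so the decision depends
# on the label state of each file rather than on whether the file's content changed.

# Read dry-run output on stdin; print one path per line that would be relabeled.
# Assumption: the "Would relabel <path> from <ctx> to <ctx>" format of policycoreutils.
paths_needing_relabel() {
    awk '/^Would relabel / { print $3 }'
}

# Number of paths in the dry-run output (stdin) whose context differs from policy.
count_needing_relabel() {
    paths_needing_relabel | wc -l | tr -d ' '
}

# Dry-run the given paths, then restore only the ones whose context is wrong.
# Returns 0 when nothing needed doing (or restorecon is absent), 1 if the dry run fails.
restore_contexts_if_needed() {
    command -v restorecon >/dev/null 2>&1 || return 0   # non-SELinux host: nothing to do
    dryrun=$(restorecon -R -n -v "$@" 2>/dev/null) || return 1
    if [ "$(printf '%s\n' "$dryrun" | count_needing_relabel)" -eq 0 ]; then
        return 0                                          # labels already match policy
    fi
    printf '%s\n' "$dryrun" | paths_needing_relabel | while IFS= read -r p; do
        restorecon -v "$p"                                # relabel only the mismatched paths
    done
}

# Constructed sample dry-run output (paths and contexts are made up for this example).
SAMPLE_DRYRUN='Would relabel /srv/example/etc/secret from system_u:object_r:var_t:s0 to system_u:object_r:etc_t:s0
Would relabel /srv/example/.ssh/authorized_keys from system_u:object_r:var_t:s0 to system_u:object_r:ssh_home_t:s0'

# Demonstration on the constructed sample: prints the two paths, then the count 2.
printf '%s\n' "$SAMPLE_DRYRUN" | paths_needing_relabel
printf '%s\n' "$SAMPLE_DRYRUN" | count_needing_relabel
```

Calling `restore_contexts_if_needed /some/dir` on an SELinux host runs the dry run over that tree and relabels only what the dry run reported.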