sous-chefs
Allow override built-in fcontext
:frowning_person: Problem Statement
The selinux_fcontext::manage/modify does not allow override of built-in contexts. :add action would skip if semanage fcontext -l returns an entry, and :modify would fail if there is no such entry in the .local spec file. Hence there is no way to override a built-in context.
:grey_question: Possible Solution
The most straightforward solution is to check whether the type matches at the conditional statement. Instead of checking "if fcontext is already registered", it should check "if the desired fcontext is already registered". So the conditional check will the same as the :modify action.
:arrow_heading_up: Describe alternatives you've considered
One possibility is to clone and hack it, but that defeats the purpose of a re-usable cookbook.
:heavy_plus_sign: Additional context
I can submit a PR if the proposed solution is acceptable.
@Stromweld , please take a look at PR #120. If the approach makes sense, I will update the test cases and the rest for the PR.
Thanks
That looks good to me. I'm not very versed in selinux though. I think it'll help to add the test cases for each scenario as well as to make sure future regression isn't introduced.
Would you also be able to open PR for the same thing here https://github.com/chef/chef/blob/main/lib/chef/resource/selinux_fcontext.rb. This resource was based on this cookbooks resource. It'll help chef-client as well as cinc-client since it's based on chef-client.
@Stromweld Will do. Let me do it in 2 steps.
- Add the test case for this PR so it all good. I can use some education to make sure the proper procedures are followed.
- Then I will submit a PR to https://github.com/chef/chef/blob/main/lib/chef/resource/selinux_fcontext.rb
Thanks for the quick feedback.