)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"a4d3d8ac08d778bd88c97c0679217ec3d65dc5b7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"59455e62_4168eb6e","updated":"2022-05-03 16:23:10.000000000","message":"It seems like it might be better to just create an element for Octavia that sets the required selinux policies instead of pulling in this repo and the larger RPM of policies.","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"b4e3996c6ee38e702ba6048844509a2f08e5b50c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f496053a_48fb0a42","updated":"2022-05-03 16:20:58.000000000","message":"You are going to need a element-deps to pull in the pkg-map and package-install elements","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"3b4a16e3506e729b4daaa0ab6edc3dda24ac44c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"cfddc376_e8205fb0","in_reply_to":"59455e62_4168eb6e","updated":"2022-05-03 23:04:15.000000000","message":"I\u0027m not sure I agree on generating it over vendor-provided packaging, since there\u0027s no one set of required SELinux policies that would work. SELinux is inherently distribution-specific[1], so we\u0027d have to copy all the per-distro infrastructure in to the elements... 
and that seems complicated to me, when vendor packaging provides it.\n\n[1] Happy to expand as-needed, but, as a simple example, just compare SSH policies between Fedora/CentOS/RHEL and Ubuntu/SELinux Reference Policy - macros the policy files use during build differ, boolean names for the same functionality differ, type labels differ... they conflict all over the place.\n\nAll of that said, I do find it a little strange that we\u0027re automatically pulling in a new repository - I\u0027d think the DIB caller should be doing that using a predefined repo file and providing that repo file to DIB_YUM_REPO_CONF or something, but, I don\u0027t have any strong opinion about doing it the way Gregory proposed (there might be precedent).","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"3bc4da0e8a95e7738b20a580685da7e6dd49bafe","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"fbeb7e11_c5a5916c","in_reply_to":"cfddc376_e8205fb0","updated":"2022-05-03 23:06:48.000000000","message":"(I could have misunderstood what you meant, too!)","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"99b10a83bafda1e86390ec79aaa47ad32a1bc9d0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"e2dee457_21b256e1","updated":"2022-05-03 23:06:01.000000000","message":"Added Julie; she may also have opinions.","commit_id":"f479b12c6c64a8666a7c87d63b6c1ca702d9edb6"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"3d92c8c3f4a6bf4559237b4d96b93004348ececf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"d6118b1b_9ff6319e","updated":"2022-05-04 
08:24:01.000000000","message":"couple of comments - pushing -1 to raise awareness about the questions/remarks. Otherwise, seems legit, and it\u0027s a good thing to be able to test SELinux on CentOS based deployments as well. Even setting it to permissive for CS would at least show real denials in the logs, leading to a better comprehension of the issues we may face downstream.\n\nThank you Greg for that work!","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"497642dda3850fd52353e0ad20ca27a814bbe45b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"46ae931a_cafea21d","updated":"2022-05-30 14:01:57.000000000","message":"Can we see that one merged? It will be useful in order to squash selinux denials without invading other locations (think \"host SELinux\" for instance) within tripleo with rules that are only for amphora/octavia.","commit_id":"d3b80bad7ed1ef7d860793ca8698e421a9988e8e"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"f8875fdcbda51e8cec0bcfdfb3d27148a9ab7341","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"e827bfef_4fa6d5d0","updated":"2022-05-04 08:49:43.000000000","message":"Sounds good!\n+1 as support 😊","commit_id":"d3b80bad7ed1ef7d860793ca8698e421a9988e8e"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"e91a1b4ab4929d67e0c204c9d230083d244af4c4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"9b74bf09_3b100f54","updated":"2022-07-22 16:13:08.000000000","message":"I see two issues here, otherwise looks 
good.","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"ed1ecc878269351a9ec9ff7246c46e68e65fe2a8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"7830b6c1_0798306b","updated":"2022-07-11 14:23:33.000000000","message":"Looks good to me","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"},{"author":{"_account_id":34429,"name":"Tom Weininger","email":"dienste@weinimo.de","username":"tweining"},"change_message_id":"a8c5cf6e1053fd56681f4664867fab3a1c5a2861","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"4030ed2c_1712eaa7","updated":"2022-07-11 13:53:44.000000000","message":"recheck ModuleNotFoundError: No module named \u0027webtest\u0027 error is fixed","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"3b0dad44f5ad5951dfb72324567b17f5ec9ddf51","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"c5c0cbf3_106587d9","updated":"2022-07-06 10:17:54.000000000","message":"waiting for https://github.com/redhat-openstack/openstack-selinux/pull/95 to get merged","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ad67d0931b0f62d8688a6dd5d00b8274e198d1ed","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"f5d9b18f_c4d73ac2","updated":"2022-08-18 05:54:41.000000000","message":"-1 because the amphora-selinux element is optional - we should call it in all cases.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"},{"author":{"_account_id":11628,"name":"Michael 
Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"2fe765c78bec42180cbd94a2fc6ddd3b3895fa27","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"90615165_3e89d299","updated":"2022-08-17 15:22:34.000000000","message":"-1 to clarify, I think my last comment about the missing package dependency for semanage is still valid and unresolved.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"77aa18aaebbd7a69c287efa77d2eb505fd3d468e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"b4f57b5c_39377c5d","updated":"2022-08-18 15:14:59.000000000","message":"policycoreutils-python-utils is called out in the pkg-map, so semanage tool is called out as a dependency.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"}],"diskimage-create/diskimage-create.sh":[{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ad67d0931b0f62d8688a6dd5d00b8274e198d1ed","unresolved":true,"context_lines":[{"line_number":453,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence selinux-permissive\""},{"line_number":454,"context_line":"    else"},{"line_number":455,"context_line":"        # If SELinux is enforced, the amphora image requires the amphora-selinux policies"},{"line_number":456,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence amphora-selinux\""},{"line_number":457,"context_line":"    fi"},{"line_number":458,"context_line":"fi"},{"line_number":459,"context_line":""}],"source_content_type":"text/x-sh","patch_set":9,"id":"99404714_a203fe1a","line":456,"range":{"start_line":456,"start_character":0,"end_line":456,"end_character":67},"updated":"2022-08-18 05:54:41.000000000","message":"Here, we\u0027re pointing 
to an element, not a package - this is probably the source of confusion.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ad67d0931b0f62d8688a6dd5d00b8274e198d1ed","unresolved":true,"context_lines":[{"line_number":449,"context_line":""},{"line_number":450,"context_line":"# SELinux systems"},{"line_number":451,"context_line":"if [ \"${AMP_BASEOS}\" \u003d \"centos-minimal\" ] || [ \"${AMP_BASEOS}\" \u003d \"fedora\" ] || [ \"${AMP_BASEOS}\" \u003d \"rhel\" ]; then"},{"line_number":452,"context_line":"    if [ \"$AMP_ENABLE_FULL_MAC_SECURITY\" -ne 1 ]; then"},{"line_number":453,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence selinux-permissive\""},{"line_number":454,"context_line":"    else"},{"line_number":455,"context_line":"        # If SELinux is enforced, the amphora image requires the amphora-selinux policies"},{"line_number":456,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence amphora-selinux\""},{"line_number":457,"context_line":"    fi"},{"line_number":458,"context_line":"fi"},{"line_number":459,"context_line":""},{"line_number":460,"context_line":"# Disable the dnf makecache timer"}],"source_content_type":"text/x-sh","patch_set":9,"id":"d3b56295_02bd99fc","line":457,"range":{"start_line":452,"start_character":0,"end_line":457,"end_character":6},"updated":"2022-08-18 05:54:41.000000000","message":"IMHO we should use the amphora-selinux element even if it\u0027s in permissive. 
This will allow us to see actual denials when debugging.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"22620d883d3d9215b0e078a63df8e96092f4b059","unresolved":true,"context_lines":[{"line_number":449,"context_line":""},{"line_number":450,"context_line":"# SELinux systems"},{"line_number":451,"context_line":"if [ \"${AMP_BASEOS}\" \u003d \"centos-minimal\" ] || [ \"${AMP_BASEOS}\" \u003d \"fedora\" ] || [ \"${AMP_BASEOS}\" \u003d \"rhel\" ]; then"},{"line_number":452,"context_line":"    if [ \"$AMP_ENABLE_FULL_MAC_SECURITY\" -ne 1 ]; then"},{"line_number":453,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence selinux-permissive\""},{"line_number":454,"context_line":"    else"},{"line_number":455,"context_line":"        # If SELinux is enforced, the amphora image requires the amphora-selinux policies"},{"line_number":456,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence amphora-selinux\""},{"line_number":457,"context_line":"    fi"},{"line_number":458,"context_line":"fi"},{"line_number":459,"context_line":""},{"line_number":460,"context_line":"# Disable the dnf makecache timer"}],"source_content_type":"text/x-sh","patch_set":9,"id":"5fc9783d_792a33e7","line":457,"range":{"start_line":452,"start_character":0,"end_line":457,"end_character":6},"in_reply_to":"999d701e_14a2a478","updated":"2022-08-18 06:08:18.000000000","message":"well, that would prevent any debugging capabilities... 
Not sure this is the right approach, but that\u0027s probably something in amphora history.\n\nIf anyone wants to bypass the -1, so be it.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"96f9103221a6f627e1b5c220241197876c4f3eb4","unresolved":true,"context_lines":[{"line_number":449,"context_line":""},{"line_number":450,"context_line":"# SELinux systems"},{"line_number":451,"context_line":"if [ \"${AMP_BASEOS}\" \u003d \"centos-minimal\" ] || [ \"${AMP_BASEOS}\" \u003d \"fedora\" ] || [ \"${AMP_BASEOS}\" \u003d \"rhel\" ]; then"},{"line_number":452,"context_line":"    if [ \"$AMP_ENABLE_FULL_MAC_SECURITY\" -ne 1 ]; then"},{"line_number":453,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence selinux-permissive\""},{"line_number":454,"context_line":"    else"},{"line_number":455,"context_line":"        # If SELinux is enforced, the amphora image requires the amphora-selinux policies"},{"line_number":456,"context_line":"        AMP_element_sequence\u003d\"$AMP_element_sequence amphora-selinux\""},{"line_number":457,"context_line":"    fi"},{"line_number":458,"context_line":"fi"},{"line_number":459,"context_line":""},{"line_number":460,"context_line":"# Disable the dnf makecache timer"}],"source_content_type":"text/x-sh","patch_set":9,"id":"999d701e_14a2a478","line":457,"range":{"start_line":452,"start_character":0,"end_line":457,"end_character":6},"in_reply_to":"d3b56295_02bd99fc","updated":"2022-08-18 06:05:22.000000000","message":"There\u0027s one issue with this:\nWe don\u0027t want to force users to add the RDO repositories and openstack-selinux is only available through RDO\nAdding the amphora-selinux element in permissive would break the build of the amphora image for these Centos 
users.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"}],"elements/amphora-selinux/pkg-map":[{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"eeb063a2b09ff1a700365a800bca40ed166664b9","unresolved":true,"context_lines":[{"line_number":1,"context_line":"{"},{"line_number":2,"context_line":"    \"family\": {"},{"line_number":3,"context_line":"      \"redhat\": {"},{"line_number":4,"context_line":"        \"openstack-selinux\": \"openstack-selinux\","},{"line_number":5,"context_line":"        \"policycoreutils-python-utils\": \"policycoreutils-python-utils\""},{"line_number":6,"context_line":"      }"},{"line_number":7,"context_line":"    },"}],"source_content_type":"application/octet-stream","patch_set":9,"id":"484aae48_dd512058","line":4,"range":{"start_line":4,"start_character":9,"end_line":4,"end_character":47},"updated":"2022-08-17 15:20:38.000000000","message":"Just to make sure: shouldn\u0027t it be amphora-selinux?","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ad67d0931b0f62d8688a6dd5d00b8274e198d1ed","unresolved":true,"context_lines":[{"line_number":1,"context_line":"{"},{"line_number":2,"context_line":"    \"family\": {"},{"line_number":3,"context_line":"      \"redhat\": {"},{"line_number":4,"context_line":"        \"openstack-selinux\": \"openstack-selinux\","},{"line_number":5,"context_line":"        \"policycoreutils-python-utils\": \"policycoreutils-python-utils\""},{"line_number":6,"context_line":"      }"},{"line_number":7,"context_line":"    },"}],"source_content_type":"application/octet-stream","patch_set":9,"id":"b0fdbf24_0c57a750","line":4,"range":{"start_line":4,"start_character":9,"end_line":4,"end_character":47},"in_reply_to":"484aae48_dd512058","updated":"2022-08-18 
05:54:41.000000000","message":"afaik there\u0027s no \"amphora-selinux\" package - only booleans that are disabled by default.","commit_id":"3115589f2158bfe0196c8f9d3c105d16c35408f7"}],"elements/openstack-selinux/install.d/10-openstack-selinux":[{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"d41a14e56d07777af38aa888b8a4e840083e0c92","unresolved":true,"context_lines":[{"line_number":17,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":18,"context_line":"    fi"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    dnf install -y openstack-selinux"},{"line_number":21,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"bfeb841c_1a480a8c","line":20,"updated":"2022-05-03 14:39:10.000000000","message":"Curious as to why this was done in this manner instead of just using existing DIB pkg-map infrastructure?\n\n(this isn\u0027t why I\u0027m noting -1; I\u0027m curious)","commit_id":"8d0ffb8cee9cbcd8a83c11a40ed0004a288f7c82"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"4352e8d187c2ae305727d642591a3329800017c7","unresolved":false,"context_lines":[{"line_number":17,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":18,"context_line":"    fi"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    dnf install -y openstack-selinux"},{"line_number":21,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"1d6f8aae_8622e7de","line":20,"in_reply_to":"83a6b470_44b93cdf","updated":"2022-05-03 15:50:39.000000000","message":"Updated, it looks 
ok","commit_id":"8d0ffb8cee9cbcd8a83c11a40ed0004a288f7c82"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"b6f6591f40cc6d6a5c4eb2bdcdc7758c23c5d315","unresolved":true,"context_lines":[{"line_number":17,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":18,"context_line":"    fi"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    dnf install -y openstack-selinux"},{"line_number":21,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"c5f0bcb7_64616ef9","line":20,"in_reply_to":"bfeb841c_1a480a8c","updated":"2022-05-03 14:47:03.000000000","message":"good question, I\u0027m not sure of the order of the tasks in dib (we need to add the repo first)\nDo you think it would work if we add the repo in pre-install.d then use the pkg-map?","commit_id":"8d0ffb8cee9cbcd8a83c11a40ed0004a288f7c82"},{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"5e4f09f3c1addd4e7d20ff7623c7e4db0bc67add","unresolved":true,"context_lines":[{"line_number":17,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":18,"context_line":"    fi"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    dnf install -y openstack-selinux"},{"line_number":21,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"83a6b470_44b93cdf","line":20,"in_reply_to":"c5f0bcb7_64616ef9","updated":"2022-05-03 14:54:50.000000000","message":"I believe that should work, yes. 
We can ask Alan or Bob; they should know for sure.","commit_id":"8d0ffb8cee9cbcd8a83c11a40ed0004a288f7c82"}],"elements/openstack-selinux/pkg-map":[{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"a4d3d8ac08d778bd88c97c0679217ec3d65dc5b7","unresolved":true,"context_lines":[{"line_number":11,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":12,"context_line":"        },"},{"line_number":13,"context_line":"        \"redhat\": {"},{"line_number":14,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":15,"context_line":"        }"},{"line_number":16,"context_line":"    }"},{"line_number":17,"context_line":"}"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"595abb19_14a6467d","line":14,"updated":"2022-05-03 16:23:10.000000000","message":"It\u0027s not needed here too?","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"314f2c1a3a9ae44082de9441fcc058f181b00754","unresolved":true,"context_lines":[{"line_number":11,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":12,"context_line":"        },"},{"line_number":13,"context_line":"        \"redhat\": {"},{"line_number":14,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":15,"context_line":"        }"},{"line_number":16,"context_line":"    }"},{"line_number":17,"context_line":"}"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"fe9256dd_6fe5f318","line":14,"in_reply_to":"08d51fb7_9d2f2b0c","updated":"2022-05-04 05:46:07.000000000","message":"openstack-selinux is already installed by the rhel-common element only if the package 
exists:\nhttps://opendev.org/openstack/diskimage-builder/src/branch/master/diskimage_builder/elements/rhel-common/install.d/10-openstack-selinux-rhel#L13\n\nI\u0027m not sure that adding it here wouldn\u0027t break rhel images in case the package is not available","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"3b4a16e3506e729b4daaa0ab6edc3dda24ac44c8","unresolved":true,"context_lines":[{"line_number":11,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":12,"context_line":"        },"},{"line_number":13,"context_line":"        \"redhat\": {"},{"line_number":14,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":15,"context_line":"        }"},{"line_number":16,"context_line":"    }"},{"line_number":17,"context_line":"}"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"08d51fb7_9d2f2b0c","line":14,"in_reply_to":"595abb19_14a6467d","updated":"2022-05-03 23:04:15.000000000","message":"Yes, it\u0027s definitely needed here - or will be, really soon.","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"13beb2d30315bc2b8150ca8b68577ba3929a1320","unresolved":false,"context_lines":[{"line_number":11,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":12,"context_line":"        },"},{"line_number":13,"context_line":"        \"redhat\": {"},{"line_number":14,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":15,"context_line":"        }"},{"line_number":16,"context_line":"    }"},{"line_number":17,"context_line":"}"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"38fc46ef_50846da3","line":14,"in_reply_to":"d0724adc_4bc5b393","updated":"2022-05-04 13:46:40.000000000","message":"Thanks for clarification, 
Gregory - I had forgotten that rhel-common did this for us.","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"ed160b3451bc69b59699a97a26866a929ce644b9","unresolved":false,"context_lines":[{"line_number":11,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":12,"context_line":"        },"},{"line_number":13,"context_line":"        \"redhat\": {"},{"line_number":14,"context_line":"            \"openstack-selinux\": \"\""},{"line_number":15,"context_line":"        }"},{"line_number":16,"context_line":"    }"},{"line_number":17,"context_line":"}"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"d0724adc_4bc5b393","line":14,"in_reply_to":"fe9256dd_6fe5f318","updated":"2022-05-04 08:34:18.000000000","message":"anyways, in our case, it\u0027s probably safe to add the package for any redhat-based distrib","commit_id":"575fe9fa83764b04de13fee6a61e541a2d68e9c0"}],"elements/openstack-selinux/post-install.d/50-selinux-policies":[{"author":{"_account_id":8161,"name":"Lon Hohberger","email":"lhh@redhat.com","username":"lon"},"change_message_id":"d41a14e56d07777af38aa888b8a4e840083e0c92","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -m --on os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"0ca14fb7_e38dfe2b","line":11,"updated":"2022-05-03 14:39:10.000000000","message":"You\u0027ll need to use \u0027-N\u0027 in chroots such as in DIB - \n\n   semanage boolean -N -m ...\n\nOtherwise, semanage will try to modify the running kernel\u0027s boolean (which 
we don\u0027t want; we want it to modify the one on disk in the chroot during the image build). Here\u0027s how openstack-selinux avoids doing it:\n\n   https://github.com/redhat-openstack/openstack-selinux/blob/master/local_settings.sh.in#L237\n\nAlso, I\u0027m not 100% sure you can look at what booleans are installed in the chroot in this way, or whether you can do it at all.","commit_id":"8d0ffb8cee9cbcd8a83c11a40ed0004a288f7c82"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"b6f6591f40cc6d6a5c4eb2bdcdc7758c23c5d315","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -m --on os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"68383ba4_57524708","line":11,"in_reply_to":"0ca14fb7_e38dfe2b","updated":"2022-05-03 14:47:03.000000000","message":"ack, I\u0027ll fix it","commit_id":"8d0ffb8cee9cbcd8a83c11a40ed0004a288f7c82"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"3d92c8c3f4a6bf4559237b4d96b93004348ececf","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -N -m --on 
os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"a4c535dc_fb835e22","line":11,"range":{"start_line":11,"start_character":13,"end_line":11,"end_character":54},"updated":"2022-05-04 08:24:01.000000000","message":"Why \"-N\" ? not sure about the actual impact with that option :/.","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"ed160b3451bc69b59699a97a26866a929ce644b9","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -N -m --on os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"efb37a01_559289c8","line":11,"range":{"start_line":11,"start_character":13,"end_line":11,"end_character":54},"in_reply_to":"a4c535dc_fb835e22","updated":"2022-05-04 08:34:18.000000000","message":"-N is \"Do not reload policy after commit\"\nhttps://man7.org/linux/man-pages/man8/semanage-boolean.8.html\n\nAs we are building an image in a chroot here, we don\u0027t need to update the selinux policies of the host","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"f8875fdcbda51e8cec0bcfdfb3d27148a9ab7341","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux 
policy\""},{"line_number":11,"context_line":"    semanage boolean -N -m --on os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"eb597b21_812b3897","line":11,"range":{"start_line":11,"start_character":13,"end_line":11,"end_character":54},"in_reply_to":"efb37a01_559289c8","updated":"2022-05-04 08:49:43.000000000","message":"Ack","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"},{"author":{"_account_id":4978,"name":"Julie Pichon","email":"jpichon@redhat.com","username":"jpichon"},"change_message_id":"3a6d0dc01a1ca805e1eeaf431fbd8ebade17d51a","unresolved":true,"context_lines":[{"line_number":6,"context_line":"set -eu"},{"line_number":7,"context_line":"set -o pipefail"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -N -m --on os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":6,"id":"34624ded_aad82bcd","line":9,"updated":"2022-05-04 09:20:59.000000000","message":"I think we\u0027re okay because of the \"if [ \"${AMP_BASEOS}\" \u003d \"centos-minimal\" ] || [ \"${AMP_BASEOS}\" \u003d \"fedora\" ] || [ \"${AMP_BASEOS}\" \u003d \"rhel\" ];\" in diskimage-create.sh, but just checking to make sure I understand correctly: this will only be installed on redhat-based systems, so we don\u0027t need to worry about whether the \u0027semanage\u0027 command exists, right?\n\nBeside this question, this looks good to me!","commit_id":"d3b80bad7ed1ef7d860793ca8698e421a9988e8e"},{"author":{"_account_id":29244,"name":"Gregory 
Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"742e954a05e9f9bf6338b77cb50535dab27a34c2","unresolved":true,"context_lines":[{"line_number":6,"context_line":"set -eu"},{"line_number":7,"context_line":"set -o pipefail"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -N -m --on os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":6,"id":"9be16ae2_3692d120","line":9,"in_reply_to":"34624ded_aad82bcd","updated":"2022-05-04 09:29:34.000000000","message":"that\u0027s a fair question, checking in the logs, the package that provides semanage (policycoreutils-python-utils) is installed by the redhat-common dependency:\n\n\u003e Map install for redhat-common: lsof, tcpdump, traceroute, which, ca-certificates, selinux-policy, selinux-policy-targeted, python3-libselinux, python3-policycoreutils, policycoreutils-python-utils, rng-tools\n\nNot sure if we need to add it explicitly in this element","commit_id":"d3b80bad7ed1ef7d860793ca8698e421a9988e8e"},{"author":{"_account_id":4978,"name":"Julie Pichon","email":"jpichon@redhat.com","username":"jpichon"},"change_message_id":"af1cd95eb11e16a70906ad88e48755f6c9a52692","unresolved":false,"context_lines":[{"line_number":6,"context_line":"set -eu"},{"line_number":7,"context_line":"set -o pipefail"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"if semanage boolean -l | grep os_haproxy_enable_nsfs; then"},{"line_number":10,"context_line":"    echo \"Enabling os_haproxy_enable_nsfs SELinux policy\""},{"line_number":11,"context_line":"    semanage boolean -N -m --on 
os_haproxy_enable_nsfs"},{"line_number":12,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":6,"id":"8b40cf4a_44d2ab81","line":9,"in_reply_to":"9be16ae2_3692d120","updated":"2022-05-04 12:12:30.000000000","message":"Makes sense, thanks!","commit_id":"d3b80bad7ed1ef7d860793ca8698e421a9988e8e"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"e91a1b4ab4929d67e0c204c9d230083d244af4c4","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"62620dfc_e2799654","updated":"2022-07-22 16:13:08.000000000","message":"I think this element should be in the amphora namespace instead of openstack to avoid a potential element conflict with DIB elements.\n\"openstack-selinux\" -\u003e \"amphora-selinux\"","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"e91a1b4ab4929d67e0c204c9d230083d244af4c4","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"enable_selinux_bool () {"},{"line_number":10,"context_line":"    policy\u003d$1"},{"line_number":11,"context_line":"    if semanage boolean -l | grep $policy; then"},{"line_number":12,"context_line":"        echo \"Enabling $policy SELinux policy\""},{"line_number":13,"context_line":"        semanage boolean -N -m --on $policy"},{"line_number":14,"context_line":"    fi"}],"source_content_type":"application/x-shellscript","patch_set":7,"id":"77a8b0e0_a6c39d22","line":11,"updated":"2022-07-22 16:13:08.000000000","message":"I think we need to declare in this element that semanage is required for the element.","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner 
(Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ad67d0931b0f62d8688a6dd5d00b8274e198d1ed","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"enable_selinux_bool () {"},{"line_number":10,"context_line":"    policy\u003d$1"},{"line_number":11,"context_line":"    if semanage boolean -l | grep $policy; then"},{"line_number":12,"context_line":"        echo \"Enabling $policy SELinux policy\""},{"line_number":13,"context_line":"        semanage boolean -N -m --on $policy"},{"line_number":14,"context_line":"    fi"}],"source_content_type":"application/x-shellscript","patch_set":7,"id":"6aabe235_fbb8cb47","line":11,"in_reply_to":"77a8b0e0_a6c39d22","updated":"2022-08-18 05:54:41.000000000","message":"semanage comes as a dependency of libselinux; and libselinux comes as a dependency of openstack-selinux (and any other -selinux package afaik).\n\nDependency tree is clean imho, no need to do anything more.","commit_id":"ee0bb579c54861e33868c09fa2b5fa9e9001a54e"}],"elements/openstack-selinux/pre-install.d/10-openstack-selinux":[{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"3d92c8c3f4a6bf4559237b4d96b93004348ececf","unresolved":true,"context_lines":[{"line_number":14,"context_line":"        dnf install -y centos-release-openstack-${release}"},{"line_number":15,"context_line":"    else"},{"line_number":16,"context_line":"        # Get latest repo for master"},{"line_number":17,"context_line":"        # TODO(gthiemonge) we need revisit this line when centos bumps its major version number"},{"line_number":18,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":19,"context_line":"    
fi"},{"line_number":20,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"5f287410_80da5b5b","line":17,"range":{"start_line":17,"start_character":0,"end_line":17,"end_character":1},"updated":"2022-05-04 08:24:01.000000000","message":"isn\u0027t that major release number available as a parameter? Apparently, if DIB doesn\u0027t provide it (I\u0027m pretty sure there IS a DIB_* thingy), one may try to parse this colon-separated file:\ncat /etc/system-release-cpe\ncpe:/o:centos:centos:9\n\nNot sure about its availability on older releases though. It comes from the \"centos-stream-9\" package. So it should probably exist for cs8, and later for cs10.","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"ed160b3451bc69b59699a97a26866a929ce644b9","unresolved":true,"context_lines":[{"line_number":14,"context_line":"        dnf install -y centos-release-openstack-${release}"},{"line_number":15,"context_line":"    else"},{"line_number":16,"context_line":"        # Get latest repo for master"},{"line_number":17,"context_line":"        # TODO(gthiemonge) we need revisit this line when centos bumps its major version number"},{"line_number":18,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":19,"context_line":"    fi"},{"line_number":20,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"9f7a8d9b_eeb2fa59","line":17,"range":{"start_line":17,"start_character":0,"end_line":17,"end_character":1},"in_reply_to":"5f287410_80da5b5b","updated":"2022-05-04 08:34:18.000000000","message":"there\u0027s a DIB_RELEASE env var, its value is \"9-stream\"\nI can parse it to point to the correct 
repo","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"f65456829181af86ad6374dea988f69e0f5d6a38","unresolved":false,"context_lines":[{"line_number":14,"context_line":"        dnf install -y centos-release-openstack-${release}"},{"line_number":15,"context_line":"    else"},{"line_number":16,"context_line":"        # Get latest repo for master"},{"line_number":17,"context_line":"        # TODO(gthiemonge) we need revisit this line when centos bumps its major version number"},{"line_number":18,"context_line":"        curl -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo"},{"line_number":19,"context_line":"    fi"},{"line_number":20,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"0c3bd023_cdf1a863","line":17,"range":{"start_line":17,"start_character":0,"end_line":17,"end_character":1},"in_reply_to":"9f7a8d9b_eeb2fa59","updated":"2022-05-04 08:45:50.000000000","message":"done","commit_id":"321d9d643b4ec158e837cfdccf2d5e3f80e75d9f"}]}
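Review bot: The `curl -o /etc/yum.repos.d/delorean.repo …` call on script line 18 (quoted in the context above) has no `-f`, so an HTTP error response would be saved as the repo file while curl still exits 0, and the build would carry on with a broken or unexpected repo definition. I would write it as `curl -f -o /etc/yum.repos.d/delorean.repo https://trunk.rdoproject.org/centos9-master/current/delorean.repo`. Since this file decides where the image's packages come from, it is also worth a comment there stating that `current` is a moving target and that package signature checking depends on what the downloaded file sets, which is not visible here. The enclosing `if`/`else` starts above the quoted lines.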
