# Set SELinux to enforcing in downstream

###### tags: `Design`

## Current SELinux status in downstream

* OVB, baremetal and multinode jobs already run in enforcing mode.
* Only the standalone scenarios run SELinux in permissive mode.

**Standalone: permissive**

~~~
https://sf.hosted.upshift.rdu2.redhat.com/logs/openstack-periodic-integration-rhos-16.2/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-rhel-8-scenario001-standalone-rhos-16.2/dc421d0/logs/undercloud/var/log/extra/selinux.txt
~~~

**OVB: enforcing**

~~~
Undercloud: enforcing
https://sf.hosted.upshift.rdu2.redhat.com/logs/openstack-component-baremetal/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-rhel-8-ovb-3ctlr_1comp-featureset001-internal-baremetal-rhos-16.2/676b5a5/logs/undercloud/var/log/extra/selinux.txt.gz
Overcloud: enforcing
https://sf.hosted.upshift.rdu2.redhat.com/logs/openstack-component-baremetal/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-rhel-8-ovb-3ctlr_1comp-featureset001-internal-baremetal-rhos-16.2/676b5a5/logs/overcloud-controller-0/var/log/extra/selinux.txt.gz
~~~

**BM: enforcing**

~~~
Undercloud: enforcing
https://sf.hosted.upshift.rdu2.redhat.com/logs/70/210870/5/check/periodic-tripleo-ci-rhel-8-bm_envB-3ctlr_1comp-featureset001-baremetal-rhos-16.2/5f66c09/logs/undercloud/var/log/extra/selinux.txt
Overcloud: enforcing
https://sf.hosted.upshift.rdu2.redhat.com/logs/70/210870/5/check/periodic-tripleo-ci-rhel-8-bm_envB-3ctlr_1comp-featureset001-baremetal-rhos-16.2/5f66c09/logs/overcloud-controller-0/var/log/extra/selinux.txt
~~~

**Multinode: enforcing**

~~~
Undercloud: enforcing
https://sf.hosted.upshift.rdu2.redhat.com/logs/97/210197/4/check/periodic-tripleo-ci-rhel-8-multinode-1ctlr-featureset010-rhos-16.2/cdd49dd/logs/undercloud/var/log/extra/selinux.txt
Controller: enforcing
https://sf.hosted.upshift.rdu2.redhat.com/logs/97/210197/4/check/periodic-tripleo-ci-rhel-8-multinode-1ctlr-featureset010-rhos-16.2/cdd49dd/logs/subnode-1/var/log/extra/selinux.txt
~~~

## What changes are required

~~~
http://codesearch.openstack.org/?q=selinux&i=nope&files=&repos=openstack/tripleo-ci,openstack/tripleo-quickstart,openstack/tripleo-quickstart-extras
~~~

From the search it looks like **we only need to change the `standalone_selinux_mode` var**.

## Approaches and patches

Two approaches can be taken:

1) Add `standalone_selinux_mode` to the downstream release file. WIP patch is up for testing: https://code.engineering.redhat.com/gerrit/#/c/211492/
2) Update `standalone_selinux_mode` in the tqe standalone role. Patch is up (-Workflow while we are testing): https://review.opendev.org/#/c/751243/
   Test patch: https://code.engineering.redhat.com/gerrit/#/c/211494/

## Where are we with testing?

SELinux + podman (we have issues):

With old podman:

* Error: "libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied"
  Recommendation from df was to use podman > 1.6.4-15.
* We got podman 1.6.4-20, but some fixes are missing in 2.0-8.3.0 of container-tools: https://bugzilla.redhat.com/show_bug.cgi?id=1879092
  Current status: working with lon (from reldel).

With new podman:

* Tried podman > 1.9 with some jobs: good success, but some scenarios have issues. As we will possibly get > 1.9 with container-tools:3, I have opened a bz for octavia, "Permission denied errors in octavia's driver-agent.log when selinux in enforcing mode": https://bugzilla.redhat.com/show_bug.cgi?id=1879849
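The status table above was built by opening each node's `var/log/extra/selinux.txt` by hand, and the testing section turns "Permission denied" errors in service logs into SELinux bugs. The following shell script is an added example, not code from this note or from tripleo-ci: a gate that reads every collected `selinux.txt` and fails when any node is not enforcing, plus a helper that summarises AVC denials from an audit log so a denial can be tied to a process and object class. It assumes `selinux.txt` holds `sestatus`-style output and that the audit lines use the standard `avc: denied` record format; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not part of the original note or of tripleo-ci).
# Assumption: selinux.txt is sestatus-style output; audit lines are standard AVC records.

# selinux_mode: read sestatus-style text on stdin, print the effective mode:
# enforcing | permissive | disabled | unknown
selinux_mode() {
  awk -F: '
    /^SELinux status:[ \t]*disabled/ { print "disabled"; found = 1; exit }
    /^Current mode:/ { m = $2; gsub(/[ \t]/, "", m); print tolower(m); found = 1; exit }
    END { if (!found) print "unknown" }'
}

# check_enforcing FILE...: print "<file> <mode>" per node and return 0 only when
# every node reports enforcing. Unreadable files count as unknown (a missing
# log must fail the gate rather than silently pass).
check_enforcing() {
  rc=0
  for f in "$@"; do
    if [ -r "$f" ]; then mode=$(selinux_mode < "$f"); else mode=unknown; fi
    printf '%s %s\n' "$(basename "$f")" "$mode"
    [ "$mode" = enforcing ] || rc=1
  done
  return $rc
}

# avc_summary: read audit.log lines on stdin, print "count comm tclass { perms }"
# per distinct denial, most frequent first. This is the first step in turning a
# "Permission denied" in a service log into the policy context that caused it.
avc_summary() {
  awk '
    /avc: +denied/ {
      comm = ""; tclass = ""; perm = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
      }
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART, RLENGTH)
      n[comm " " tclass " " perm]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# --- constructed sample inputs (not real job output) ---
tmp=$(mktemp -d)
printf 'SELinux status:                 enabled\nCurrent mode:                   enforcing\n' > "$tmp/undercloud.txt"
printf 'SELinux status:                 enabled\nCurrent mode:                   permissive\n' > "$tmp/standalone.txt"

# Gate: prints one line per node, then a FAIL marker because one node is permissive.
check_enforcing "$tmp/undercloud.txt" "$tmp/standalone.txt" || echo "FAIL: a node is not enforcing"

# Denial triage over three constructed AVC records (two identical, one different).
printf '%s\n' \
 'type=AVC msg=audit(1600000000.000:10): avc:  denied  { execute } for  pid=10 comm="example-svc" name="helper" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0' \
 'type=AVC msg=audit(1600000000.001:11): avc:  denied  { execute } for  pid=11 comm="example-svc" name="helper" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0' \
 'type=AVC msg=audit(1600000000.002:12): avc:  denied  { write } for  pid=12 comm="other" name="sock" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0' \
 | avc_summary
rm -rf "$tmp"
```

In a job, `check_enforcing` would be pointed at the collected `logs/*/var/log/extra/selinux.txt` files, and `avc_summary` at the node's `audit.log`; a non-zero exit from the gate is what keeps a scenario from quietly regressing back to permissive.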