Copilot commented on code in PR #13281:
URL: https://github.com/apache/cloudstack/pull/13281#discussion_r3323131443
##########
python/lib/cloudutils/serviceConfig.py:
##########
@@ -559,6 +561,8 @@ def __init__(self, syscfg):
self.serviceName = "SElinux"
def config(self):
+ return True
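Review bot: The `return True` added directly under `def config(self):` for the SElinux service short-circuits the method, so any statements that still follow it in `config()` become unreachable. If the step is meant to be skipped permanently, delete the dead body in the same change and add a short comment or docstring saying why, so the early return is not mistaken for a debugging leftover.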
Review Comment:
Making SELinux configuration a no-op here leaves `restore()` active. On a
failed setup after this step, rollback will still run `setenforce 1`, so a host
that was intentionally permissive before setup can be switched to enforcing
even though setup no longer changed it. Please make the SELinux restore path a
no-op too, or remove this service from the agent service list.
##########
python/lib/cloudutils/serviceConfig.py:
##########
@@ -525,6 +525,8 @@ def __init__(self, syscfg):
self.serviceName = "Apparmor"
def config(self):
+ return True
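Review bot: `config()` for the Apparmor service now returns `True` unconditionally, which reads as success to whatever calls it even though nothing was checked or changed. Consider logging that the AppArmor step is intentionally skipped just before the `return True`, so setup output does not imply that this run configured the host's AppArmor state.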
Review Comment:
Making AppArmor configuration a no-op here leaves `restore()` active. If a
later setup step fails, `cloud-setup-agent` calls `syscfg.restore()`, and this
service will start/enable AppArmor even though setup no longer disabled it,
which can unexpectedly change an operator-managed host policy. Please make the
AppArmor restore path a no-op as well, or remove this service from the agent
service list entirely.