systemctl restart fapolicyd is the only reliable way
richm committed Dec 5, 2023
1 parent 40b3c9f commit df13c2c
Showing 1 changed file with 23 additions and 15 deletions.
38 changes: 23 additions & 15 deletions tasks/main.yml
Expand Up @@ -115,11 +115,16 @@
when: item | length > 0
changed_when: true

# The problem is that there is a race condition between calling
# fapolicyd-cli --update and when fapolicyd will actually enforce
# the policyd - so we have to look for the 'Updated' message in
# the fapolicyd logs. Also - I don't think we can move this into
# a script, because that script might be excluded by policy!
# The problem is that there is a race condition between calling `systemctl
# restart fapolicyd`` and when fapolicyd will actually enforce the policy - so
# we have to look for the right string in the fapolicyd logs. Also - I don't
# think we can move this into a script, because that script might be excluded by
# policy!
# NOTE: I tried using `fapolicyd-cli --update` as recommended by the
# documentation but it does not seem to work in all cases e.g. on RHEL 8.8 if
# you are deleting entries but not adding entries, it seems to do nothing - the
# only reliable way to update the trustdb is to restart the daemon and check for
# "fapolicyd[...]: Starting to listen for events" in the journald output
- name: Update fapolicyd db
when: fapolicyd_setup_enable_service | bool
shell:
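Review bot: the rewritten comment has a doubled closing backtick after `systemctl restart fapolicyd` (the line reads `# restart fapolicyd`` and when ...`); drop one so the command is quoted as `` `systemctl restart fapolicyd` ``. Since the comment itself describes the window between the restart and the point where fapolicyd enforces policy again, it would also help to state explicitly that the role now performs a full daemon restart instead of the in-place `fapolicyd-cli --update`, and to carry the RHEL 8.8 observation (delete-only trustdb changes appearing to do nothing) into the role's documentation or changelog, so the behaviour change is visible to users of the role and not only to readers of tasks/main.yml.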
Expand All @@ -132,25 +137,28 @@
cursor="$(journalctl -u fapolicyd -n 0 --show-cursor |
awk '/^-- cursor:/ {print $3}')" || :
done
# update trustdb
fapolicyd-cli --update
# wait until we see the message 'Updated' - wait up to 30 seconds
starttime="$(date +%s)"
systemctl restart fapolicyd
search_str='fapolicyd[^:\ ]*:\ Starting to listen for events$'
# wait until we see the search_str - wait up to 30 seconds
waittime=30 # seconds
endtime="$(expr "$starttime" + "$waittime")"
endtime="$(expr "$(date +%s)" + "$waittime")"
set +o pipefail # the read will always return a failure code at EOF
journalctl -u fapolicyd --no-tail -f --after-cursor "$cursor" | \
while read -r line; do
if [[ "$line" =~ fapolicyd[^:\ ]*:\ Updated$ ]]; then
echo SUCCESS: trustdb is updated
if [[ "$line" =~ $search_str ]]; then
echo INFO: trustdb is updated
exit 0
fi
curtime="$(date +%s)"
if [ "$curtime" -gt "$endtime" ]; then
echo ERROR: trustdb not updated after "$waittime" seconds - exiting
done & pid=$!
while ps -p "$pid"; do
if [ "$(date +%s)" -gt "$endtime" ]; then
echo ERROR: failed to update the trustdb
exit 1
fi
sleep 1
done
echo INFO: trustdb is updated
exit 0 # success
changed_when: true

- name: Making sure fapolicyd does not run if it was set so
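Review bot: the watcher infers success from the background job having exited, not from the match itself: if `journalctl -u fapolicyd --no-tail -f --after-cursor "$cursor"` fails for any reason (stale cursor, journald not answering), the reader subshell terminates, `ps -p "$pid"` stops succeeding, and the task falls through to `echo INFO: trustdb is updated` / `exit 0` without the "Starting to listen for events" line ever having been seen. Give the reader a distinct status when it reaches EOF without a match (for example `exit 2` after the inner `done`) and check it with `wait "$pid"` rather than treating any termination as success. On the timeout path `exit 1` also leaves the background `journalctl -f` running after the task ends, and because `$!` refers to the last element of the pipeline (the reader subshell), `kill "$pid"` alone would not stop it; running journalctl under coreutils `timeout "$waittime"` in the foreground, then checking the pipeline's status, removes both the orphaned process and the polling loop. Minor: `ps -p "$pid"` prints a process table line to stdout every second, which ends up in the task output; `kill -0 "$pid" 2>/dev/null` is the quiet form of that check.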
