Merge "Allow bifrost to work with selinux enabled"

playbooks/roles/bifrost-create-dib-image/tasks/main.yml

@@ -130,3 +130,7 @@
     recurse: yes
     state: directory
   when: http_boot_folder is defined and http_boot_folder != ''
+- name: "Restore proper context on created data for http_boot"
+  command: restorecon -R {{ http_boot_folder }}
+  when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
+         ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml

@@ -37,6 +37,8 @@ required_packages:
   - qemu-img
   - openwsman-python
   - sgabios-bin
+  - libselinux-python
+  - policycoreutils-python
 # NOTE(cinerama): amtterm is not currently packaged for RHEL/CentOS 7.
   - libvirt-daemon
   - debootstrap

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml

@@ -16,6 +16,7 @@ virt_group: libvirt
 mysql_service_name: mysql
 tftp_service_name: tftp
 required_packages:
+  - python-selinux
   - mariadb-server
   - dnsmasq
   - rabbitmq-server
@@ -40,6 +41,7 @@ required_packages:
   - qemu-tools
   - openwsman-python
   - qemu-sgabios
+  - policycoreutils-python
 # NOTE(cinerama): amtterm is not currently packaged for SuSE.
   - libvirt-daemon
   - debootstrap

playbooks/roles/bifrost-ironic-install/files/ironic_policy.te

@@ -0,0 +1,19 @@
+module ironic_policy 1.0;
+
+require {
+        type httpd_t;
+        type root_t;
+        type default_t;
+        class file open;
+        class file read;
+        class file getattr;
+}
+
+
+#============= httpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
+allow httpd_t root_t:file open;
+allow httpd_t default_t:file open;
+allow httpd_t root_t:file { read getattr };
+allow httpd_t default_t:file open;

playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml

@@ -288,3 +288,33 @@
 - name: "Explicitly permit TCP/6385 for IPA callback"
   command: >
     iptables -I INPUT -p tcp --dport 6385 -i {{ network_interface }} -j ACCEPT
+- block:
+    - name: "Explicitly allow nginx and IPA port (TCP) on selinux"
+      seport:
+        ports: "{{ file_url_port }},6385"
+        proto: tcp
+        setype: http_port_t
+        state: present
+
+    - name: "Add proper context on created data for http_boot"
+      command: semanage fcontext -a -t httpd_sys_content_t "{{ http_boot_folder }}(/.*)?"
+
+    - name: Copy ironic policy file to temporary directory
+      copy:
+        src: ironic_policy.te
+        dest: /tmp/ironic_policy.te
+
+    - name: Check ironic policy module
+      command: checkmodule -M -m -o /tmp/ironic_policy.mod /tmp/ironic_policy.te
+
+    - name: Package ironic policy module
+      command: semodule_package -m /tmp/ironic_policy.mod -o /tmp/ironic_policy.pp
+
+    - name: Include ironic policy module
+      command: semodule -i /tmp/ironic_policy.pp
+
+    - name: Enable ironic policy module
+      command: semodule -e ironic_policy
+  when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
+         ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
+

releasenotes/notes/deploy-with-selinux-enabled-6c155cfa8f8720c0.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - Currently bifrost deployments on RedHat/Suse systems
+    had to be performed with selinux at least in
+    permissive mode. This patch adds the right policies
+    to allow to run with selinux in enforcing mode.
+security:
+  - This increases security, because allows to run
+    on systems with selinux in enforcing mode.