Add correct SELinux context for /tftpboot and fix map-file ACL

Change-Id: If89f1506ddd345df217739bf5dbb15d18b44c096
2020-08-26 17:30:27 +02:00 · 2020-08-26 17:30:27 +02:00 · 3aacfd3226
commit 3aacfd3226
parent 1f37c41413
3 changed files with 19 additions and 1 deletions
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -412,6 +412,15 @@
        setype: http_port_t
        state: present

+    - name: "Add proper context on created data for tftpboot"
+      sefcontext:
+        target: "{{ item }}"
+        setype: tftpdir_t
+        state: present
+      loop:
+        - /tftpboot
+        - /tftpboot/pxelinux.cfg
+
    - name: "Add proper context on created data for http_boot"
      sefcontext:
        target: "{{ http_boot_folder }}(/.*)?"
--- a/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml
@ -24,7 +24,12 @@
    - "{{ http_boot_folder }}/pxelinux.cfg"

 - name: "Place tftpd map-file"
-  copy: src=tftpboot-map-file dest=/tftpboot/map-file owner=ironic group=ironic
+  copy:
+    src: tftpboot-map-file
+    dest: /tftpboot/map-file
+    owner: ironic
+    group: ironic
+    mode: 0644

 - name: "Disable service {{ tftp_service_name }}"
  service: name="{{ tftp_service_name }}" state=stopped enabled=no
--- a/releasenotes/notes/tftp-context-6f918743ba9052b0.yaml
+++ b/releasenotes/notes/tftp-context-6f918743ba9052b0.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Adds correct SELinux context for ``/tftpboot``.