From 8210ff3696a82293e554f28f46b978bba9496db1 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Thu, 16 Jul 2020 17:58:30 +0200
Subject: [PATCH] selinux: allow nginx to read symbolic links

This is required to support netboot (which is off by default, but is useful together with the netboot fallback).
Change-Id: I4d7640a24fac9fca2c24bc06fcedff400d74ed8d
---
 .../roles/bifrost-ironic-install/files/ironic_policy.te | 4 +++-
 releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml
diff --git a/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te b/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
index 7eecd29ff..b58082dde 100644
--- a/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
+++ b/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
@@ -7,13 +7,15 @@ require {
 class file open;
 class file read;
 class file getattr;
+ class lnk_file read;
 }
 #============= httpd_t ==============
-#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
 allow httpd_t root_t:file open;
 allow httpd_t default_t:file open;
 allow httpd_t root_t:file { read getattr };
 allow httpd_t default_t:file { read getattr };
+allow httpd_t root_t:lnk_file read;
+allow httpd_t default_t:lnk_file read;
diff --git a/releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml b/releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml
new file mode 100644
index 000000000..f89d6fe0b
--- /dev/null
+++ b/releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ On systems with SELinux enforcing, enables nginx to read symbolic links.
+ Fixes network boot of instances.
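Review bot: The two rules added at the end of the ironic_policy.te hunk, `allow httpd_t root_t:lnk_file read;` and `allow httpd_t default_t:lnk_file read;`, grant symlink reads on the two most generic file types instead of a type dedicated to the served boot tree. Any symlink labelled `root_t` or `default_t` can then be followed by the web server domain, and the existing `file` rules above make targets of the same types readable, which weakens the confinement SELinux gives nginx if a link in the served tree points outside it. `default_t` usually means the path has no file-context rule, so a narrower fix is probably to label the boot directory with a content type such as `httpd_sys_content_t` (a file-context entry for `<http_boot_dir>(/.*)?` plus a relabel) and drop the generic rules. The served path is not visible in this patch, so this needs checking against the role. If the broad rules stay, a comment above them such as `# netboot: nginx must follow symlinks in the served boot directory` would record why they exist.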