Add a SELinux policy to relabel files in /usr/local/bin as bin_t

There is a default policy for that in Fedora, however it doesn't
work in Atomic since /usr/local is a symlink to /var/usrlocal

Closes-Bug: 1646421
Change-Id: I4c5b836f4f76ff93a2c55f85ff6ff0cbe990bcff
Mathieu Velten 2016-12-01 10:43:05 +01:00
parent 438c46e450
commit 9c34f928e6
4 changed files with 18 additions and 10 deletions


@ -0,0 +1,12 @@
#cloud-boothook
#!/bin/sh
# files in /usr/local/bin should be labeled bin_t
# however on Atomic /usr/local is a symlink to /var/usrlocal
# so the default Fedora policy doesn't work
echo '/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0' > /etc/selinux/targeted/contexts/files/file_contexts.local
restorecon -R /usr/local/bin
# disable selinux until cloud-init is over
# enabled again in enable-services.sh
setenforce 0
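Review bot: The `echo … > /etc/selinux/targeted/contexts/files/file_contexts.local` clobbers the whole local file-context table rather than adding to it, so any entry another tool or an earlier `semanage fcontext -a` placed there is silently lost, and because this is a `#cloud-boothook` that happens on every boot. Append only when the rule is missing, e.g. `grep -qF '/var/usrlocal/(.*/)?bin(/.*)?' /etc/selinux/targeted/contexts/files/file_contexts.local 2>/dev/null || echo '/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0' >> /etc/selinux/targeted/contexts/files/file_contexts.local`, or use `semanage fcontext -a -t bin_t '/var/usrlocal/(.*/)?bin(/.*)?'` if policycoreutils-python is on the image. The trailing `setenforce 0` likewise re-runs on every boot, while the re-enable the comment points to lives in enable-services.sh, which is not in this commit; if that script is a once-per-instance cloud-init part, every reboot after the first would leave the node permissive until something else restores enforcing. Either confirm enable-services.sh runs on every boot or gate the drop with `cloud-init-per instance magnum-selinux-permissive setenforce 0` so the window only opens during first-boot provisioning. A `# NOTE: node is permissive from here until enable-services.sh runs setenforce 1` comment would also make the exposure explicit to the next reader.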


@ -1,4 +0,0 @@
#cloud-boothook
#!/bin/sh
setenforce 0


@ -341,11 +341,11 @@ resources:
group: ungrouped
config: {get_file: ../../common/templates/swarm/fragments/cfn-signal.sh}
disable_selinux:
configure_selinux:
type: "OS::Heat::SoftwareConfig"
properties:
group: ungrouped
config: {get_file: ../../common/templates/swarm/fragments/disable-selinux.sh}
config: {get_file: ../../common/templates/swarm/fragments/configure-selinux.sh}
add_proxy:
type: "OS::Heat::SoftwareConfig"
@ -363,7 +363,7 @@ resources:
type: "OS::Heat::MultipartMime"
properties:
parts:
- config: {get_resource: disable_selinux}
- config: {get_resource: configure_selinux}
- config: {get_resource: remove_docker_key}
- config: {get_resource: write_heat_params}
- config: {get_resource: make_cert}


@ -304,11 +304,11 @@ resources:
group: ungrouped
config: {get_file: ../../common/templates/swarm/fragments/cfn-signal.sh}
disable_selinux:
configure_selinux:
type: "OS::Heat::SoftwareConfig"
properties:
group: ungrouped
config: {get_file: ../../common/templates/swarm/fragments/disable-selinux.sh}
config: {get_file: ../../common/templates/swarm/fragments/configure-selinux.sh}
add_proxy:
type: "OS::Heat::SoftwareConfig"
@ -326,7 +326,7 @@ resources:
type: "OS::Heat::MultipartMime"
properties:
parts:
- config: {get_resource: disable_selinux}
- config: {get_resource: configure_selinux}
- config: {get_resource: remove_docker_key}
- config: {get_resource: write_heat_params}
- config: {get_resource: make_cert}