Apply openstack-selinux policies in Centos amphorae

When enforcing SELinux, the commit enables the following SELinux
booleans:
- os_haproxy_enable_nsfs: it allows haproxy to run in a network
  namespace.
- os_haproxy_ping: it allows haproxy to call the ping command (used by
  PING health monitors)
- cluster_use_execmem

Change-Id: I4b5199d13d122b56619c4a2d21e86a06bd0dc3bf
(cherry picked from commit 3115589f21)
(cherry picked from commit 995fe216e2)
Gregory Thiemonge 2022-05-03 14:37:51 +02:00
parent bda4d7160a
commit 044de8e52f
7 changed files with 50 additions and 3 deletions


@ -445,10 +445,13 @@ AMP_element_sequence="$AMP_element_sequence sos"
AMP_element_sequence="$AMP_element_sequence cloud-init-datasources"
AMP_element_sequence="$AMP_element_sequence remove-default-ints"
if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
# SELinux systems
if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
# SELinux systems
if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
AMP_element_sequence="$AMP_element_sequence selinux-permissive"
else
# If SELinux is enforced, the amphora image requires the amphora-selinux policies
AMP_element_sequence="$AMP_element_sequence amphora-selinux"
fi
fi


@ -0,0 +1,3 @@
Element to install the required selinux policies for the amphora.
Note: This element is only valid for rhel/centos 8 or newer.


@ -0,0 +1,2 @@
package-installs
pkg-map


@ -0,0 +1,4 @@
{
"openstack-selinux": null,
"policycoreutils-python-utils": null
}


@ -0,0 +1,12 @@
{
"family": {
"redhat": {
"openstack-selinux": "openstack-selinux",
"policycoreutils-python-utils": "policycoreutils-python-utils"
}
},
"default": {
"openstack-selinux": "",
"policycoreutils-python-utils": ""
}
}


@ -0,0 +1,19 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
enable_selinux_bool () {
policy=$1
if semanage boolean -l | grep $policy; then
echo "Enabling $policy SELinux policy"
semanage boolean -N -m --on $policy
fi
}
enable_selinux_bool os_haproxy_enable_nsfs
enable_selinux_bool os_haproxy_ping
enable_selinux_bool cluster_use_execmem
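Review bot: The existence check in `enable_selinux_bool` is an unanchored, unquoted substring match — `semanage boolean -l | grep $policy` — so any boolean whose name merely contains the requested name (or a description line mentioning it) satisfies the test, and the grep output is also echoed into the build log; the name should be matched exactly against the first column and the lookup made quiet, with `$policy` quoted on the `semanage -m` line as well. When the boolean is not known to the installed policy the function currently skips it silently, which on an enforcing amphora turns into an AVC denial at runtime with nothing in the image build output pointing back here; a warning on stderr would make that failure mode visible. `cluster_use_execmem` relaxes W^X for the cluster domain and, unlike the two haproxy booleans, the script says nothing about why it is needed — a short why-comment above that call (e.g. `# cluster_use_execmem: needed for <component> — confirm which domain requires execmem`) is worth adding, since the reason is not visible here. `policy` should also be `local` given `set -u` and the function being called repeatedly. The `-n` (no heading) flag on `semanage boolean -l` is presumed available; confirm on the targeted RHEL/CentOS 8+ release.
```shell
enable_selinux_bool () {
    local policy=$1
    # Exact match on the boolean name (first column), not a substring of the listing
    if semanage boolean -l -n | awk '{print $1}' | grep -qx -- "$policy"; then
        echo "Enabling $policy SELinux policy"
        semanage boolean -N -m --on "$policy"
    else
        echo "WARNING: SELinux boolean $policy not found in installed policy; skipping" >&2
    fi
}
# … unchanged: the three enable_selinux_bool calls …
```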


@ -0,0 +1,4 @@
---
fixes:
- |
Enable required SELinux booleans for CentOS or RHEL amphora image.