Apply openstack-selinux policies in Centos amphorae
When enforcing SELinux, the commit enables the following SELinux booleans:
- os_haproxy_enable_nsfs: it allows haproxy to run in a network namespace.
- os_haproxy_ping: it allows calls to the ping command from haproxy (for PING HMs)
- cluster_use_execmem
Change-Id: I4b5199d13d122b56619c4a2d21e86a06bd0dc3bf
(cherry picked from commit 3115589f21)
(cherry picked from commit 995fe216e2)
This commit is contained in:
parent
bda4d7160a
commit
044de8e52f
@ -445,10 +445,13 @@ AMP_element_sequence="$AMP_element_sequence sos"
|
||||
AMP_element_sequence="$AMP_element_sequence cloud-init-datasources"
|
||||
AMP_element_sequence="$AMP_element_sequence remove-default-ints"
|
||||
|
||||
if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
|
||||
# SELinux systems
|
||||
if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
|
||||
# SELinux systems
|
||||
if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
|
||||
if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
|
||||
AMP_element_sequence="$AMP_element_sequence selinux-permissive"
|
||||
else
|
||||
# If SELinux is enforced, the amphora image requires the amphora-selinux policies
|
||||
AMP_element_sequence="$AMP_element_sequence amphora-selinux"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
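--- a/elements/amphora-selinux/README.rst
+++ b/elements/amphora-selinux/README.rst
@@ -0,0 +1,3 @@
+Element to install the required selinux policies for the amphora.
+
+Note: This element is only valid for rhel/centos 8 or newer.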
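--- a/elements/amphora-selinux/element-deps
+++ b/elements/amphora-selinux/element-deps
@@ -0,0 +1,2 @@
+package-installs
+pkg-map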
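--- a/elements/amphora-selinux/package-installs.json
+++ b/elements/amphora-selinux/package-installs.json
@@ -0,0 +1,4 @@
+{
+"openstack-selinux": null,
+"policycoreutils-python-utils": null
+}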
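--- a/elements/amphora-selinux/pkg-map
+++ b/elements/amphora-selinux/pkg-map
@@ -0,0 +1,12 @@
+{
+"family": {
+"redhat": {
+"openstack-selinux": "openstack-selinux",
+"policycoreutils-python-utils": "policycoreutils-python-utils"
+}
+},
+"default": {
+"openstack-selinux": "",
+"policycoreutils-python-utils": ""
+}
+}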
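--- a/elements/amphora-selinux/post-install.d/50-selinux-policies
+++ b/elements/amphora-selinux/post-install.d/50-selinux-policies
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+enable_selinux_bool () {
+policy=$1
+if semanage boolean -l | grep $policy; then
+echo "Enabling $policy SELinux policy"
+semanage boolean -N -m --on $policy
+fi
+}
+
+enable_selinux_bool os_haproxy_enable_nsfs
+enable_selinux_bool os_haproxy_ping
+enable_selinux_bool cluster_use_execmem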
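Review bot: The guard `semanage boolean -l | grep $policy` on the `if` line of enable_selinux_bool is an unquoted, unanchored substring match with no `-q`, so a boolean whose name merely contains `$policy` passes the check and the following `semanage boolean -m --on` on the missing name then aborts the image build under `set -eu`; it also echoes the matching line into the build log. Tighten it to `if semanage boolean -l | grep -qw -- "$policy"; then` and make the variable function-scoped with `local policy=$1`. When the boolean is absent the function skips silently, which leaves an enforcing image without the haproxy permissions and no signal in the build output; an `else` branch with `echo "WARNING: SELinux boolean $policy not found, skipping" >&2` would make that visible. The `-N` flag also deserves a short comment explaining why no policy reload is requested here, e.g. `# -N: skip policy reload, presumably because no policy is loaded inside the image chroot`.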
@ -0,0 +1,4 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Enable required SELinux booleans for CentOS or RHEL amphora image.
|