diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh index 6d553305b4..cef7ee034a 100755 --- a/diskimage-create/diskimage-create.sh +++ b/diskimage-create/diskimage-create.sh @@ -445,10 +445,13 @@ AMP_element_sequence="$AMP_element_sequence sos" AMP_element_sequence="$AMP_element_sequence cloud-init-datasources" AMP_element_sequence="$AMP_element_sequence remove-default-ints" -if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then - # SELinux systems - if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then +# SELinux systems +if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then + if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then AMP_element_sequence="$AMP_element_sequence selinux-permissive" + else + # If SELinux is enforced, the amphora image requires the amphora-selinux policies + AMP_element_sequence="$AMP_element_sequence amphora-selinux" fi fi diff --git a/elements/amphora-selinux/README.rst b/elements/amphora-selinux/README.rst new file mode 100644 index 0000000000..521fcaa39d --- /dev/null +++ b/elements/amphora-selinux/README.rst @@ -0,0 +1,3 @@ +Element to install the required selinux policies for the amphora. + +Note: This element is only valid for rhel/centos 8 or newer. diff --git a/elements/amphora-selinux/element-deps b/elements/amphora-selinux/element-deps new file mode 100644 index 0000000000..73015c249e --- /dev/null +++ b/elements/amphora-selinux/element-deps @@ -0,0 +1,2 @@ +package-installs +pkg-map diff --git a/elements/amphora-selinux/package-installs.json b/elements/amphora-selinux/package-installs.json new file mode 100644 index 0000000000..eb032ef86d --- /dev/null +++ b/elements/amphora-selinux/package-installs.json @@ -0,0 +1,4 @@ +{ + "openstack-selinux": null, + "policycoreutils-python-utils": null +} diff --git a/elements/amphora-selinux/pkg-map b/elements/amphora-selinux/pkg-map new file mode 100644 index 0000000000..4be8dd2621 --- /dev/null +++ b/elements/amphora-selinux/pkg-map @@ -0,0 +1,12 @@ +{ + "family": { + "redhat": { + "openstack-selinux": "openstack-selinux", + "policycoreutils-python-utils": "policycoreutils-python-utils" + } + }, + "default": { + "openstack-selinux": "", + "policycoreutils-python-utils": "" + } +} diff --git a/elements/amphora-selinux/post-install.d/50-selinux-policies b/elements/amphora-selinux/post-install.d/50-selinux-policies new file mode 100755 index 0000000000..3642e40879 --- /dev/null +++ b/elements/amphora-selinux/post-install.d/50-selinux-policies @@ -0,0 +1,19 @@ +#!/bin/bash + +if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then + set -x +fi +set -eu +set -o pipefail + +enable_selinux_bool () { + policy=$1 + if semanage boolean -l | grep $policy; then + echo "Enabling $policy SELinux policy" + semanage boolean -N -m --on $policy + fi +} + +enable_selinux_bool os_haproxy_enable_nsfs +enable_selinux_bool os_haproxy_ping +enable_selinux_bool cluster_use_execmem diff --git a/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml b/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml new file mode 100644 index 0000000000..b82b581607 --- /dev/null +++ b/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Enable required SELinux booleans for CentOS or RHEL amphora image.