From 995fe216e247a5763fc6719a0a887c9998370c30 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 3 May 2022 14:37:51 +0200
Subject: [PATCH] Apply openstack-selinux policies in Centos amphorae

When enforcing SELinux, the commit enables the following SELinux booleans:
- os_haproxy_enable_nsfs: it allows haproxy to run in a network namespace.
- os_haproxy_ping: it allows calls to the ping command from haproxy (for PING HMs)
- cluster_use_execmem

Change-Id: I4b5199d13d122b56619c4a2d21e86a06bd0dc3bf
(cherry picked from commit 3115589f2158bfe0196c8f9d3c105d16c35408f7)
---
 diskimage-create/diskimage-create.sh | 9 ++++++---
 elements/amphora-selinux/README.rst | 3 +++
 elements/amphora-selinux/element-deps | 2 ++
 .../amphora-selinux/package-installs.json | 4 ++++
 elements/amphora-selinux/pkg-map | 12 ++++++++++++
 .../post-install.d/50-selinux-policies | 19 +++++++++++++++++++
 ...ed-selinux-on-centos-27842ca6afbb500c.yaml | 4 ++++
 7 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 elements/amphora-selinux/README.rst
 create mode 100644 elements/amphora-selinux/element-deps
 create mode 100644 elements/amphora-selinux/package-installs.json
 create mode 100644 elements/amphora-selinux/pkg-map
 create mode 100755 elements/amphora-selinux/post-install.d/50-selinux-policies
 create mode 100644 releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml
diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh
index 6d553305b4..cef7ee034a 100755
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@@ -445,10 +445,13 @@
 AMP_element_sequence="$AMP_element_sequence sos"
 AMP_element_sequence="$AMP_element_sequence cloud-init-datasources"
 AMP_element_sequence="$AMP_element_sequence remove-default-ints"
-if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
- # SELinux systems
- if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
+# SELinux systems
+if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
+ if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
 AMP_element_sequence="$AMP_element_sequence selinux-permissive"
+ else
+ # If SELinux is enforced, the amphora image requires the amphora-selinux policies
+ AMP_element_sequence="$AMP_element_sequence amphora-selinux"
 fi
 fi
diff --git a/elements/amphora-selinux/README.rst b/elements/amphora-selinux/README.rst
new file mode 100644
index 0000000000..521fcaa39d
--- /dev/null
+++ b/elements/amphora-selinux/README.rst
@@ -0,0 +1,3 @@
+Element to install the required selinux policies for the amphora.
+
+Note: This element is only valid for rhel/centos 8 or newer.
diff --git a/elements/amphora-selinux/element-deps b/elements/amphora-selinux/element-deps
new file mode 100644
index 0000000000..73015c249e
--- /dev/null
+++ b/elements/amphora-selinux/element-deps
@@ -0,0 +1,2 @@
+package-installs
+pkg-map
diff --git a/elements/amphora-selinux/package-installs.json b/elements/amphora-selinux/package-installs.json
new file mode 100644
index 0000000000..eb032ef86d
--- /dev/null
+++ b/elements/amphora-selinux/package-installs.json
@@ -0,0 +1,4 @@
+{
+ "openstack-selinux": null,
+ "policycoreutils-python-utils": null
+}
diff --git a/elements/amphora-selinux/pkg-map b/elements/amphora-selinux/pkg-map
new file mode 100644
index 0000000000..4be8dd2621
--- /dev/null
+++ b/elements/amphora-selinux/pkg-map
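Review bot: The new `else` branch appends `amphora-selinux` for every base OS accepted by the enclosing test, including `fedora`, while the element's README added in this same commit states it is only valid for rhel/centos 8 or newer. If the openstack-selinux package is not available for Fedora, an enforcing Fedora build will now fail at package-install time instead of producing an image, which may be intended but is not stated anywhere in the hunk. Either exclude fedora from the enforcing branch or record the expectation next to the new line, e.g. `# amphora-selinux pulls in openstack-selinux; see elements/amphora-selinux/README.rst for the supported base OSes`. The hunk's trailing blank context line seems to have been lost in the paste, so the layout after the final `fi` was not checked.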
@@ -0,0 +1,12 @@
+{
+ "family": {
+ "redhat": {
+ "openstack-selinux": "openstack-selinux",
+ "policycoreutils-python-utils": "policycoreutils-python-utils"
+ }
+ },
+ "default": {
+ "openstack-selinux": "",
+ "policycoreutils-python-utils": ""
+ }
+}
diff --git a/elements/amphora-selinux/post-install.d/50-selinux-policies b/elements/amphora-selinux/post-install.d/50-selinux-policies
new file mode 100755
index 0000000000..3642e40879
--- /dev/null
+++ b/elements/amphora-selinux/post-install.d/50-selinux-policies
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+enable_selinux_bool () {
+ policy=$1
+ if semanage boolean -l | grep $policy; then
+ echo "Enabling $policy SELinux policy"
+ semanage boolean -N -m --on $policy
+ fi
+}
+
+enable_selinux_bool os_haproxy_enable_nsfs
+enable_selinux_bool os_haproxy_ping
+enable_selinux_bool cluster_use_execmem
diff --git a/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml b/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml
new file mode 100644
index 0000000000..b82b581607
--- /dev/null
+++ b/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Enable required SELinux booleans for CentOS or RHEL amphora image.
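Review bot: In `enable_selinux_bool` the existence check `semanage boolean -l | grep $policy` is unquoted and unanchored, so it is a substring match over the whole listing (names and description text) and echoes the matched line into the build log; a name that is absent is skipped silently, which leaves an enforcing image without a boolean the commit message says it needs. Anchor the match to a boolean name at the start of a line with `grep -q`, quote the expansion, make `policy` local, and warn on the else branch so a missing boolean is visible at build time rather than as a denial at runtime. The listing format assumed here (name at column 0 followed by whitespace) should be confirmed against the policycoreutils version shipped in the image.

```shell
enable_selinux_bool () {
    local policy=$1
    # Match the boolean name only at the start of a line: an unanchored,
    # unquoted grep also matches descriptions and names that merely contain
    # $policy, and prints the matched line into the build output.
    if semanage boolean -l | grep -q -- "^${policy}[[:space:]]"; then
        echo "Enabling $policy SELinux policy"
        semanage boolean -N -m --on "$policy"
    else
        echo "WARNING: SELinux boolean $policy not found, not enabled" >&2
    fi
}
# … unchanged: the three enable_selinux_bool calls …
```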