Apply openstack-selinux policies in Centos amphorae

When enforcing SELinux, the commit enables the following SELinux
booleans:
- os_haproxy_enable_nsfs: it allows haproxy to run in a network
  namespace.
- os_haproxy_ping: it allows calls to the ping command from haproxy (for
  PING HMs)
- cluster_use_execmem

Change-Id: I4b5199d13d122b56619c4a2d21e86a06bd0dc3bf
(cherry picked from commit 3115589f21)

diskimage-create/diskimage-create.sh

@@ -445,10 +445,13 @@ AMP_element_sequence="$AMP_element_sequence sos"
 AMP_element_sequence="$AMP_element_sequence cloud-init-datasources"
 AMP_element_sequence="$AMP_element_sequence remove-default-ints"
 
-if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
+# SELinux systems
-    # SELinux systems
+if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
-    if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
+    if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
         AMP_element_sequence="$AMP_element_sequence selinux-permissive"
+    else
+        # If SELinux is enforced, the amphora image requires the amphora-selinux policies
+        AMP_element_sequence="$AMP_element_sequence amphora-selinux"
     fi
 fi
 

elements/amphora-selinux/README.rst

@@ -0,0 +1,3 @@
+Element to install the required selinux policies for the amphora.
+
+Note: This element is only valid for rhel/centos 8 or newer.

elements/amphora-selinux/element-deps

@@ -0,0 +1,2 @@
+package-installs
+pkg-map

elements/amphora-selinux/package-installs.json

@@ -0,0 +1,4 @@
+{
+    "openstack-selinux": null,
+    "policycoreutils-python-utils": null
+}

elements/amphora-selinux/pkg-map

@@ -0,0 +1,12 @@
+{
+    "family": {
+      "redhat": {
+        "openstack-selinux": "openstack-selinux",
+        "policycoreutils-python-utils": "policycoreutils-python-utils"
+      }
+    },
+    "default": {
+        "openstack-selinux": "",
+        "policycoreutils-python-utils": ""
+    }
+}

elements/amphora-selinux/post-install.d/50-selinux-policies

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+enable_selinux_bool () {
+    policy=$1
+    if semanage boolean -l | grep $policy; then
+        echo "Enabling $policy SELinux policy"
+        semanage boolean -N -m --on $policy
+    fi
+}
+
+enable_selinux_bool os_haproxy_enable_nsfs
+enable_selinux_bool os_haproxy_ping
+enable_selinux_bool cluster_use_execmem

releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Enable required SELinux booleans for CentOS or RHEL amphora image.