Merge "Apply openstack-selinux policies in Centos amphorae"

2022-08-18 17:31:57 +00:00 · 2022-08-18 17:31:57 +00:00 · b1d83eedcf
parent 715067e4c9 3115589f21
commit b1d83eedcf
7 changed files with 50 additions and 3 deletions
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@ -447,10 +447,13 @@ AMP_element_sequence="$AMP_element_sequence sos"
 AMP_element_sequence="$AMP_element_sequence cloud-init-datasources"
 AMP_element_sequence="$AMP_element_sequence remove-default-ints"

-if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
-    # SELinux systems
-    if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
+# SELinux systems
+if [ "${AMP_BASEOS}" = "centos-minimal" ] || [ "${AMP_BASEOS}" = "fedora" ] || [ "${AMP_BASEOS}" = "rhel" ]; then
+    if [ "$AMP_ENABLE_FULL_MAC_SECURITY" -ne 1 ]; then
        AMP_element_sequence="$AMP_element_sequence selinux-permissive"
+    else
+        # If SELinux is enforced, the amphora image requires the amphora-selinux policies
+        AMP_element_sequence="$AMP_element_sequence amphora-selinux"
    fi
 fi

--- a/elements/amphora-selinux/README.rst
+++ b/elements/amphora-selinux/README.rst
@ -0,0 +1,3 @@
+Element to install the required selinux policies for the amphora.
+
+Note: This element is only valid for rhel/centos 8 or newer.
--- a/elements/amphora-selinux/element-deps
+++ b/elements/amphora-selinux/element-deps
@ -0,0 +1,2 @@
+package-installs
+pkg-map
--- a/elements/amphora-selinux/package-installs.json
+++ b/elements/amphora-selinux/package-installs.json
@ -0,0 +1,4 @@
+{
+    "openstack-selinux": null,
+    "policycoreutils-python-utils": null
+}
--- a/elements/amphora-selinux/pkg-map
+++ b/elements/amphora-selinux/pkg-map
@ -0,0 +1,12 @@
+{
+    "family": {
+      "redhat": {
+        "openstack-selinux": "openstack-selinux",
+        "policycoreutils-python-utils": "policycoreutils-python-utils"
+      }
+    },
+    "default": {
+        "openstack-selinux": "",
+        "policycoreutils-python-utils": ""
+    }
+}
--- a/elements/amphora-selinux/post-install.d/50-selinux-policies
+++ b/elements/amphora-selinux/post-install.d/50-selinux-policies
@ -0,0 +1,19 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+enable_selinux_bool () {
+    policy=$1
+    if semanage boolean -l | grep $policy; then
+        echo "Enabling $policy SELinux policy"
+        semanage boolean -N -m --on $policy
+    fi
+}
+
+enable_selinux_bool os_haproxy_enable_nsfs
+enable_selinux_bool os_haproxy_ping
+enable_selinux_bool cluster_use_execmem
--- a/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml
+++ b/releasenotes/notes/fix-enforced-selinux-on-centos-27842ca6afbb500c.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Enable required SELinux booleans for CentOS or RHEL amphora image.