Merge "Add selinux rules to allow lxc-attach after reboot"

files/lxc-attach.te

@@ -0,0 +1,11 @@
+module lxc-attach 1.0;
+
+require {
+    type unconfined_service_t;
+    type var_lib_t;
+    class file entrypoint;
+}
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t var_lib_t:file entrypoint;
+

tasks/lxc_install_yum.yml

@@ -218,3 +218,29 @@
   service:
     name: lxc
     enabled: "yes"
+
+- name: Create directory for compiling SELinux rule
+  file:
+    path: "/tmp/lxc-attach-selinux/"
+    state: 'directory'
+    mode: '0755'
+
+- name: Drop SELinux config
+  copy:
+    src: "lxc-attach.te"
+    dest: "/tmp/lxc-attach-selinux/lxc-attach.te"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+
+- name: Compile and load SELinux module
+  command: '{{ item }}'
+  args:
+    creates: '/etc/selinux/targeted/modules/active/modules/lxc-attach.pp'
+    chdir: "/tmp/lxc-attach-selinux/"
+  with_items:
+   - make -f /usr/share/selinux/devel/Makefile
+   - semodule -i /tmp/lxc-attach-selinux/lxc-attach.pp
+  when:
+    - ansible_selinux.status == "enabled"
+

vars/redhat-7.yml

@@ -37,6 +37,7 @@ lxc_hosts_distro_packages:
   - python34-devel
   - pkgconfig
   - redhat-lsb
+  - selinux-policy-devel
   - xz
 
 lxc_xz_bin: xz