Drop SELinux support for CentOS 7

We do not have a maintainer at the moment for SELinux and hopefully we will adopt the upstream openstack-selinux package, but for now in order to let deploys in environments where SELinux is set to permissive work, we'll have to remove these bits. This change can be reverted whenever we have a maintainer that's available to do the work required. Change-Id: I61141da3a391a99cb111733eae22cc7c54ce48c6
2018-09-20 18:52:41 +00:00 · 2018-09-20 18:52:41 +00:00 · a6dba10bb1
commit a6dba10bb1
parent 95f6853f76
5 changed files with 0 additions and 105 deletions
--- a/files/lxc-attach.te
+++ b/files/lxc-attach.te
@ -1,24 +0,0 @@
-# Copyright 2017, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-module lxc-attach 1.0;
-
-require {
-    type unconfined_service_t;
-    type var_lib_t;
-    class file entrypoint;
-}
-
-#============= unconfined_service_t ==============
-allow unconfined_service_t var_lib_t:file entrypoint;
-
--- a/tasks/lxc_post_install.yml
+++ b/tasks/lxc_post_install.yml
@ -125,7 +125,3 @@

 # Ensure apparmor reindex runs before other things that may fail
 - meta: flush_handlers
-
- include_tasks: lxc_selinux.yml
-  when:
-    - ansible_selinux.status == "enabled"
--- a/tasks/lxc_selinux.yml
+++ b/tasks/lxc_selinux.yml
@ -1,64 +0,0 @@
---
-# Copyright 2017, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Create directory for compiling SELinux policy
-  file:
-    path: "/tmp/lxc-attach-selinux/"
-    state: 'directory'
-    mode: '0755'
-
- name: Deploy SELinux type enforcement file
-  copy:
-    src: "lxc-attach.te"
-    dest: "/tmp/lxc-attach-selinux/lxc-attach.te"
-    owner: "root"
-    group: "root"
-    mode: "0755"
-
- name: Compile and load SELinux module
-  shell: 'make -f /usr/share/selinux/devel/Makefile && semodule -i /tmp/lxc-attach-selinux/lxc-attach.pp'
-  args:
-    creates: '/etc/selinux/targeted/active/modules/400/lxc-attach/cil'
-    chdir: "/tmp/lxc-attach-selinux/"
-  register: compile_selinux_async
-  async: 90
-  poll: 0
-
- name: Check if /openstack/log exists
-  stat:
-    path: /openstack/log
-  register: openstack_log_dir
-
- name: Check for SELinux equivalence for /openstack/log
-  shell: "semanage fcontext -l /openstack/log | grep ^/openstack/log || true"
-  register: fcontext_check
-  tags:
-    - skip_ansible_lint
-
- name: Create SELinux fcontext equivalence for OpenStack container logs
-  command: semanage fcontext --add --equal /var/log /openstack/log
-  failed_when: selinux_equivalence.rc not in [0,1]
-  changed_when: selinux_equivalence.rc == 0
-  register: selinux_equivalence
-  when:
-    - openstack_log_dir.stat.exists
-    - '"/openstack/log" not in fcontext_check.stdout'
-
- name: Apply updated SELinux contexts on /openstack/log
-  command: restorecon -R /openstack/log
-  when:
-    - openstack_log_dir.stat.exists
-    - '"/openstack/log" not in fcontext_check.stdout'
-    - selinux_equivalence  is changed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -87,16 +87,6 @@
 - name: Flush handlers
  meta: flush_handlers

- name: Ensure SELinux module compile has finished
-  async_status:
-    jid: "{{ compile_selinux_async.ansible_job_id }}"
-  register: _compile_selinux_async
-  until: _compile_selinux_async.finished
-  retries: 30
-  when:
-    - compile_selinux_async is defined
-    - not compile_selinux_async | skipped
-
 - name: (RE)Gather facts post setup
  setup:
    gather_subset: "network,hardware,virtual"
--- a/vars/redhat-7-host.yml
+++ b/vars/redhat-7-host.yml
@ -25,15 +25,12 @@ _lxc_hosts_distro_packages:
  - dnsmasq
  - git
  - libseccomp
-  - libselinux
-  - libselinux-devel
  - lxc
  - lxc-devel
  - lxc-libs
  - lxc-templates
  - policycoreutils-python
  - python2-lxc
-  - selinux-policy-devel
  - unzip
  - xz