diff --git a/files/osa-nova.te b/files/osa-nova.te deleted file mode 100644 index 4bd6135a..00000000 --- a/files/osa-nova.te +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module osa-nova 1.0; - -require { - type nova_var_lib_t; - type virtd_t; - type svirt_tcg_t; - type virtlogd_t; - class capability dac_override; - class file { append create getattr open read unlink }; - class dir { add_name remove_name search write }; -} - -# NOTE(mhayden): These policies give non-KVM qemu instances the ability to use -# the execmem() syscall and perform other actions. This affects deployers who -# do not have native KVM capabilities on the hypervisor (such as the -# OpenStack) gate jobs. -#============= svirt_tcg_t ============== -allow svirt_tcg_t virtd_t:dir search; -allow svirt_tcg_t virtd_t:file read; -allow svirt_tcg_t virtd_t:file { getattr open }; - -# NOTE(mhayden): This set of policies allows virtlogd (the daemon that -# handles console logs for KVM instances) to take various actions under -# /var/log/nova. -#============= virtlogd_t ============== -allow virtlogd_t nova_var_lib_t:dir { add_name remove_name search write }; -allow virtlogd_t nova_var_lib_t:file { append create getattr open unlink }; -allow virtlogd_t self:capability dac_override; diff --git a/tasks/nova_post_install.yml b/tasks/nova_post_install.yml index ab52a70c..0f8b1c58 100644 --- a/tasks/nova_post_install.yml +++ b/tasks/nova_post_install.yml @@ -87,7 +87,3 @@ tags: - sudoers - nova-sudoers - -- include_tasks: nova_selinux.yml - when: - - ansible_selinux.status == "enabled" diff --git a/tasks/nova_selinux.yml b/tasks/nova_selinux.yml deleted file mode 100644 index c5991e09..00000000 --- a/tasks/nova_selinux.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- -# Copyright 2017, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# TODO(mhayden): Remove this task during the Rocky development cycle. -- name: Check for SELinux equivalence for /var/lib/nova - shell: "semanage fcontext -l /var/lib/nova | grep '^/var/lib/nova = /var/log/libvirt$' || true" - register: fcontext_check - tags: - - skip_ansible_lint - -# NOTE(mhayden): The old equivalence added in Pike is removed here since it -# is superseded by the task right after this one. -# TODO(mhayden): Remove this task during the Rocky development cycle. -- name: Remove SELinux fcontext equivalence for nova instance directory - command: semanage fcontext --delete --equal /var/log/libvirt /var/lib/nova - failed_when: selinux_equivalence.rc not in [0,1] - changed_when: selinux_equivalence.rc == 0 - register: selinux_equivalence - when: - - '"/var/lib/nova" in fcontext_check.stdout' - -- name: Set SELinux file contexts for nova's ssh keys - sefcontext: - target: "/var/lib/nova/\\.ssh(/.*)?" - setype: "ssh_home_t" - state: present - register: selinux_file_context_ssh_keys - -- name: Apply updated SELinux contexts on /var/lib/nova - command: restorecon -R /var/lib/nova - when: - - selinux_equivalence | changed or selinux_file_context_ssh_keys is changed - -- name: Stat nova's log directory - stat: - path: "{{ nova_log_dir }}" - register: nova_log_dir_check - -- name: Set SELinux file contexts for nova's log directory - sefcontext: - target: "{{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}(/.*)?" - setype: nova_log_t - state: present - register: selinux_file_context_log_files - -- name: Apply updated SELinux contexts on nova log directory - command: "restorecon -Rv {{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}" - when: - - selinux_file_context_log_files is changed - -- name: Copy OSA SELinux policy - copy: - src: osa-nova.te - dest: /tmp/osa-nova.te - -# NOTE(mhayden): Linting checks are skipped here because there isn't a -# reliable way to determine if this SELinux module is newer than the one that -# is currently in use on the system. The linter expects there to be a -# "creates" argument below. -- name: Compile new SELinux policy - command: "{{ item }}" - args: - chdir: "/tmp/" - with_items: - - checkmodule -M -m -o osa-nova.mod osa-nova.te - - semodule_package -o osa-nova.pp -m osa-nova.mod - - semodule -i osa-nova.pp - tags: - - skip_ansible_lint