Add SELinux contexts for nova log directory

The log directory for nova has the default_t SELinux context and this prevents rsyslog from accessing nova's logs. This patch ensures that the file contexts are set properly for nova's logs. This change also makes nova's log directory configurable using the `nova_log_dir` variable. Closes-Bug: 1748911 Change-Id: Iaac69c5807715f50386624602375c89adeeb48a1 (cherry picked from commit 10fc6d9035)
2018-02-14 11:39:54 -06:00
parent 13bbca5c23
commit 2d7331dd22
4 changed files with 23 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -60,6 +60,7 @@ nova_system_shell: /bin/bash
 nova_system_comment: nova system user
 nova_system_home_folder: "/var/lib/{{ nova_system_user_name }}"
 nova_libvirt_save_path: "{{ nova_system_home_folder }}/save"
+nova_log_dir: "/var/log/nova"

 nova_lock_path: "/var/lock/nova"

--- a/tasks/nova_pre_install.yml
+++ b/tasks/nova_pre_install.yml
@@ -77,9 +77,9 @@

 - name: Test for log directory or link
  shell: |
-    if [ -h "/var/log/nova"  ]; then
-      chown -h {{ nova_system_user_name }}:{{ nova_system_group_name }} "/var/log/nova"
-      chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink /var/log/nova)"
+    if [ -h "{{ nova_log_dir }}"  ]; then
+      chown -h {{ nova_system_user_name }}:{{ nova_system_group_name }} "{{ nova_log_dir }}"
+      chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink {{ nova_log_dir }})"
    else
      exit 1
    fi
@@ -92,7 +92,7 @@

 - name: Create nova log dir
  file:
-    path: "/var/log/nova"
+    path: "{{ nova_log_dir }}"
    state: directory
    owner: "{{ nova_system_user_name }}"
    group: "{{ nova_system_group_name }}"
--- a/tasks/nova_selinux.yml
+++ b/tasks/nova_selinux.yml
@@ -43,6 +43,23 @@
  when:
    - selinux_equivalence | changed or selinux_file_context_ssh_keys | changed

+- name: Stat nova's log directory
+  stat:
+    path: "{{ nova_log_dir }}"
+  register: nova_log_dir_check
+
+- name: Set SELinux file contexts for nova's log directory
+  sefcontext:
+    target: "{{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}(/.*)?"
+    setype: nova_log_t
+    state: present
+  register: selinux_file_context_log_files
+
+- name: Apply updated SELinux contexts on nova log directory
+  command: "restorecon -Rv {{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}"
+  when:
+    - selinux_file_context_log_files | changed
+
 - name: Copy OSA SELinux policy
  copy:
    src: osa-nova.te
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@@ -6,7 +6,7 @@ use_stderr = False
 # Logs / State
 debug = {{ debug }}
 fatal_deprecations = {{ nova_fatal_deprecations }}
-log_dir = /var/log/nova
+log_dir = {{ nova_log_dir }}
 state_path = {{ nova_system_home_folder }}
 rootwrap_config = /etc/nova/rootwrap.conf
 service_down_time = 120