From 2d7331dd2258a32f1d3fb3cee930c71193551089 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 14 Feb 2018 11:39:54 -0600
Subject: [PATCH] Add SELinux contexts for nova log directory

The log directory for nova has the default_t SELinux context and this prevents rsyslog from accessing nova's logs. This patch ensures that the file contexts are set properly for nova's logs. This change also makes nova's log directory configurable using the `nova_log_dir` variable.

Closes-Bug: 1748911
Change-Id: Iaac69c5807715f50386624602375c89adeeb48a1
(cherry picked from commit 10fc6d9035baf9db11f1b13983dd8df6e0996e4b)
---
 defaults/main.yml | 1 +
 tasks/nova_pre_install.yml | 8 ++++----
 tasks/nova_selinux.yml | 17 +++++++++++++++++
 templates/nova.conf.j2 | 2 +-
 4 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 5f39a343..ba23979d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -60,6 +60,7 @@ nova_system_shell: /bin/bash
 nova_system_comment: nova system user
 nova_system_home_folder: "/var/lib/{{ nova_system_user_name }}"
 nova_libvirt_save_path: "{{ nova_system_home_folder }}/save"
+nova_log_dir: "/var/log/nova"
 nova_lock_path: "/var/lock/nova"
diff --git a/tasks/nova_pre_install.yml b/tasks/nova_pre_install.yml
index 7ef3dbf4..f33967e4 100644
--- a/tasks/nova_pre_install.yml
+++ b/tasks/nova_pre_install.yml
@@ -77,9 +77,9 @@
 - name: Test for log directory or link
 shell: |
- if [ -h "/var/log/nova" ]; then
- chown -h {{ nova_system_user_name }}:{{ nova_system_group_name }} "/var/log/nova"
- chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink /var/log/nova)"
+ if [ -h "{{ nova_log_dir }}" ]; then
+ chown -h {{ nova_system_user_name }}:{{ nova_system_group_name }} "{{ nova_log_dir }}"
+ chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink {{ nova_log_dir }})"
 else
 exit 1
 fi
 
@@ -92,7 +92,7 @@
 - name: Create nova log dir
 file:
- path: "/var/log/nova"
+ path: "{{ nova_log_dir }}"
 state: directory
 owner: "{{ nova_system_user_name }}"
 group: "{{ nova_system_group_name }}"
diff --git a/tasks/nova_selinux.yml b/tasks/nova_selinux.yml
index 57e39b6b..fd297fa2 100644
--- a/tasks/nova_selinux.yml
+++ b/tasks/nova_selinux.yml
@@ -43,6 +43,23 @@
 when:
 - selinux_equivalence | changed or selinux_file_context_ssh_keys | changed
+- name: Stat nova's log directory
+ stat:
+ path: "{{ nova_log_dir }}"
+ register: nova_log_dir_check
+
+- name: Set SELinux file contexts for nova's log directory
+ sefcontext:
+ target: "{{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}(/.*)?"
+ setype: nova_log_t
+ state: present
+ register: selinux_file_context_log_files
+
+- name: Apply updated SELinux contexts on nova log directory
+ command: "restorecon -Rv {{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}"
+ when: - selinux_file_context_log_files | changed
+
 - name: Copy OSA SELinux policy
 copy:
 src: osa-nova.te
diff --git a/templates/nova.conf.j2 b/templates/nova.conf.j2
index ba77e428..209158d9 100644
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@@ -6,7 +6,7 @@ use_stderr = False
 # Logs / State
 debug = {{ debug }}
 fatal_deprecations = {{ nova_fatal_deprecations }}
-log_dir = /var/log/nova
+log_dir = {{ nova_log_dir }}
 state_path = {{ nova_system_home_folder }}
 rootwrap_config = /etc/nova/rootwrap.conf
 service_down_time = 120
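Review bot: The `target:` line of the new sefcontext task builds its regex from `nova_log_dir_check.stat.lnk_target`, which the stat module reports as the raw symlink target and leaves relative when the link itself is relative; a relative value would register a file context that does not match the real directory and would then be passed unchanged to `restorecon -Rv` in the next task. The stat result also carries `lnk_source`, the target normalised to an absolute path on the remote host, so both the `target:` and `command:` lines should use `... | ternary(nova_log_dir_check.stat.lnk_source, nova_log_dir) ...` instead. The ternary also reads `nova_log_dir_check.stat.islnk` unconditionally, so if the directory does not yet exist when this file is included the task fails on an undefined attribute rather than being skipped; a `when: nova_log_dir_check.stat.exists` condition on the sefcontext task, and the same condition alongside the existing `selinux_file_context_log_files | changed` guard on the restorecon task, would make that dependency on nova_pre_install.yml explicit. I assume the pre-install tasks run first, but the include order is not visible in this patch.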