Ensure we get the relevant fcontext overrides

Until now, running a restorecon could break the SELinux labels. In order to avoid such an issue, we can override the existing rules pushed in /etc/selinux/targeted/contexts/ using fcontext. It makes the change persistent across reboots. Please note the following: - sefcontext triggers a policy reload - fcontext doesn't actually apply the labels - creating the fcontext entry before creating the file allows to get the file created with the right labels directly - we have to ensure SELinux is enabled on the host before actually creating the rules. Change-Id: I6ce262a6e77a4d40b6ff246240d21390289cc54b (cherry picked from commit 608fdfae85)
2021-03-23 10:39:14 +01:00 · 2021-03-23 10:39:14 +01:00 · 57c7149488
commit 57c7149488
parent 962b48827f
19 changed files with 119 additions and 13 deletions
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_connection/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_connection/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_default_interval/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_default_interval/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/collectd_connection/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/collectd_connection/molecule.yml
@ -13,7 +13,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
@ -38,7 +38,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
    privileged: true
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/default/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_libpodstats/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_libpodstats/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sensubility/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sensubility/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sqlalchemy/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sqlalchemy/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_stf/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_stf/molecule.yml
@ -9,7 +9,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: ../common/Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/dnf/vars:/etc/dnf/vars
--- a/tripleo_ansible/roles/tripleo_collectd/tasks/create_persistent_directories.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/tasks/create_persistent_directories.yml
@ -14,6 +14,22 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Gather SELinux fact if needed
+  when:
+    - ansible_facts.selinux is undefined
+  setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "selinux"
+
+- name: create fcontext entry for collectd data
+  when:
+    - ansible_facts.selinux.status == "enabled"
+  sefcontext:
+    target: "{{ collectd_conf_output_dir }}(/.*)?"
+    seytpe: container_file_t
+    state: present

 - name: create persistent directories
  file:
--- a/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
@ -14,6 +14,24 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Gather SELinux fact if needed
+  when:
+    - ansible_facts.selinux is undefined
+  setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "selinux"
+
+- name: create fcontext entry for frr base directory
+  when:
+    - ansible_facts.selinux.status == "enabled"
+  become: true
+  community.general.sefcontext:
+    target: "{{ tripleo_frr_config_basedir }}/etc/frr(/.*)?"
+    setype: container_file_t
+    state: present
+
 - name: create directory {{ tripleo_frr_config_basedir }}
  become: true
  ansible.builtin.file:
--- a/tripleo_ansible/roles/tripleo_multipathd/molecule/custom_config/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/molecule/custom_config/molecule.yml
@ -11,7 +11,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_multipathd/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/molecule/default/molecule.yml
@ -11,7 +11,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_multipathd/molecule/preexisting_config/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/molecule/preexisting_config/molecule.yml
@ -11,7 +11,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_multipathd/tasks/configure.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/tasks/configure.yml
@ -14,6 +14,23 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Gather SELinux fact if needed
+  when:
+    - ansible_facts.selinux is undefined
+  setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "selinux"
+
+- name: Create fcontext entry for multipath locations
+  when:
+    - ansible_facts.selinux.status == "enabled"
+  sefcontext:
+    target: "/etc/multipath.conf"
+    setype: container_file_t
+    state: present
+
 - name: Install custom multipath.conf if one is specified
  copy:
    src: "{{ tripleo_multipathd_custom_config_file }}"
--- a/tripleo_ansible/roles/tripleo_multipathd/tasks/host_prep.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/tasks/host_prep.yml
@ -14,6 +14,23 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Gather SELinux fact if needed
+  when:
+    - ansible_facts.selinux is undefined
+  setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "selinux"
+
+- name: Create fcontext entry for multipath directory
+  when:
+    - ansible_facts.selinux.status == "enabled"
+  sefcontext:
+    target: "/etc/multipath(/.*)?"
+    setype: container_file_t
+    state: present
+
 - name: Check if multipathd is deployed on the host
  command: systemctl is-enabled --quiet multipathd
  failed_when: false
--- a/tripleo_ansible/roles/tripleo_network_config/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_network_config/molecule/default/molecule.yml
@ -20,6 +20,7 @@ log: true

 platforms:
  - name: instance
+    pkg_extras: libselinux-python* policycoreutils-python-utils

 provisioner:
  inventory:
--- a/tripleo_ansible/roles/tripleo_network_config/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_network_config/tasks/main.yml
@ -14,6 +14,25 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Gather SELinux fact if needed
+  when:
+    - ansible_facts.selinux is undefined
+  setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "selinux"
+
+- name: Create fcontext entry for tripleoconfig
+  become: true
+  when:
+    - ansible_facts.selinux.status == "enabled"
+  sefcontext:
+    target: "/var/lib/tripleo-config(/.*)?"
+    setype: container_file_t
+    selevel: s0
+    state: present
+
 - name: Ensure /var/lib/tripleo-config directory exists
  become: true
  file:
--- a/tripleo_ansible/roles/tripleo_unbound/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/molecule/default/molecule.yml
@ -11,7 +11,7 @@ platforms:
    registry:
      url: registry.access.redhat.com
    dockerfile: Dockerfile
-    pkg_extras: python*setuptools
+    pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils
    volumes:
      - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
      - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
--- a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
@ -14,6 +14,24 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Gather SELinux fact if needed
+  when:
+    - ansible_facts.selinux is undefined
+  setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "selinux"
+
+- name: create fcontext entry for unbound config content
+  when:
+    - ansible_facts.selinux.status == "enabled"
+  sefcontext:
+    target: "{{ tripleo_unbound_config_basedir }}(/.*)?"
+    setype: container_file_t
+    selevel: s0
+    state: present
+
 - name: create directory {{ tripleo_unbound_config_basedir }}
  become: true
  ansible.builtin.file: