From 57c7149488f05ce7c896a79dad3aa7dbcf3e61bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 23 Mar 2021 10:39:14 +0100 Subject: [PATCH] Ensure we get the relevant fcontext overrides Until now, running a restorecon could break the SELinux labels. In order to avoid such an issue, we can override the existing rules pushed in /etc/selinux/targeted/contexts/ using fcontext. It makes the change persistent across reboots. Please note the following: - sefcontext triggers a policy reload - fcontext doesn't actually apply the labels - creating the fcontext entry before creating the file allows to get the file created with the right labels directly - we have to ensure SELinux is enabled on the host before actually creating the rules. Change-Id: I6ce262a6e77a4d40b6ff246240d21390289cc54b (cherry picked from commit 608fdfae85be5e1d6d20d49c62583e48ce5a0bc5) --- .../molecule/amqp_connection/molecule.yml | 2 +- .../amqp_default_interval/molecule.yml | 2 +- .../molecule/collectd_connection/molecule.yml | 4 ++-- .../molecule/default/molecule.yml | 2 +- .../molecule/enable_libpodstats/molecule.yml | 2 +- .../molecule/enable_sensubility/molecule.yml | 2 +- .../molecule/enable_sqlalchemy/molecule.yml | 2 +- .../molecule/enable_stf/molecule.yml | 2 +- .../tasks/create_persistent_directories.yml | 16 ++++++++++++++++ .../roles/tripleo_frr/tasks/main.yml | 18 ++++++++++++++++++ .../molecule/custom_config/molecule.yml | 2 +- .../molecule/default/molecule.yml | 2 +- .../molecule/preexisting_config/molecule.yml | 2 +- .../tripleo_multipathd/tasks/configure.yml | 17 +++++++++++++++++ .../tripleo_multipathd/tasks/host_prep.yml | 17 +++++++++++++++++ .../molecule/default/molecule.yml | 1 + .../tripleo_network_config/tasks/main.yml | 19 +++++++++++++++++++ .../molecule/default/molecule.yml | 2 +- .../roles/tripleo_unbound/tasks/main.yml | 18 ++++++++++++++++++ 19 files changed, 119 insertions(+), 13 deletions(-) 
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_connection/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_connection/molecule.yml
index 76f4c728e..8b9c96c8d 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_connection/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_connection/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_default_interval/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_default_interval/molecule.yml
index 76f4c728e..8b9c96c8d 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_default_interval/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/amqp_default_interval/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/collectd_connection/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/collectd_connection/molecule.yml
index 6583a2355..c9e42288c 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/collectd_connection/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/collectd_connection/molecule.yml
@@ -13,7 +13,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
@@ -38,7 +38,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro privileged: true
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/default/molecule.yml
index 45b39c2af..dd1aa9d12 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/default/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_libpodstats/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_libpodstats/molecule.yml
index 76f4c728e..8b9c96c8d 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_libpodstats/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_libpodstats/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sensubility/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sensubility/molecule.yml
index 76f4c728e..8b9c96c8d 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sensubility/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sensubility/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sqlalchemy/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sqlalchemy/molecule.yml
index 76f4c728e..8b9c96c8d 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sqlalchemy/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_sqlalchemy/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
diff --git a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_stf/molecule.yml b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_stf/molecule.yml
index 76f4c728e..8b9c96c8d 100644
--- a/tripleo_ansible/roles/tripleo_collectd/molecule/enable_stf/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/molecule/enable_stf/molecule.yml
@@ -9,7 +9,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: ../common/Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/dnf/vars:/etc/dnf/vars
diff --git a/tripleo_ansible/roles/tripleo_collectd/tasks/create_persistent_directories.yml b/tripleo_ansible/roles/tripleo_collectd/tasks/create_persistent_directories.yml
index 108c3f588..eedd91cc0 100644
--- a/tripleo_ansible/roles/tripleo_collectd/tasks/create_persistent_directories.yml
+++ b/tripleo_ansible/roles/tripleo_collectd/tasks/create_persistent_directories.yml
@@ -14,6 +14,22 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Gather SELinux fact if needed + when: + - ansible_facts.selinux is undefined + setup: + gather_subset: + - "!all" + - "!min" + - "selinux" + +- name: create fcontext entry for collectd data + when: + - ansible_facts.selinux.status == "enabled" + sefcontext: + target: "{{ collectd_conf_output_dir }}(/.*)?" + seytpe: container_file_t + state: present - name: create persistent directories file:
diff --git a/tripleo_ansible/roles/tripleo_frr/tasks/main.yml b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
index 1f7b96089..45dc66ff4 100644
--- a/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_frr/tasks/main.yml
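Review bot: The new fcontext task in create_persistent_directories.yml spells the parameter `seytpe: container_file_t`; sefcontext has no parameter of that name, so on any SELinux-enabled host the task fails on argument validation and the rule is never written — it should read `setype: container_file_t`. The same task carries no `become: true`, unlike the frr hunk's sefcontext task, and semanage needs root to write the local fcontext store; unless the role is already privileged at play level this fails too, and the same applies to the multipathd configure.yml/host_prep.yml and unbound main.yml hunks (in the unbound one the adjacent `create directory` task does carry `become: true`). A blank `+` line between `state: present` and `- name: create persistent directories` would keep the task spacing consistent with the other hunks.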
@@ -14,6 +14,24 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Gather SELinux fact if needed + when: + - ansible_facts.selinux is undefined + setup: + gather_subset: + - "!all" + - "!min" + - "selinux" + +- name: create fcontext entry for frr base directory + when: + - ansible_facts.selinux.status == "enabled" + become: true + community.general.sefcontext: + target: "{{ tripleo_frr_config_basedir }}/etc/frr(/.*)?" + setype: container_file_t + state: present + - name: create directory {{ tripleo_frr_config_basedir }} become: true ansible.builtin.file:
diff --git a/tripleo_ansible/roles/tripleo_multipathd/molecule/custom_config/molecule.yml b/tripleo_ansible/roles/tripleo_multipathd/molecule/custom_config/molecule.yml
index 1990a67f5..b6bddd0d4 100644
--- a/tripleo_ansible/roles/tripleo_multipathd/molecule/custom_config/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/molecule/custom_config/molecule.yml
@@ -11,7 +11,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
diff --git a/tripleo_ansible/roles/tripleo_multipathd/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo_multipathd/molecule/default/molecule.yml
index 1990a67f5..b6bddd0d4 100644
--- a/tripleo_ansible/roles/tripleo_multipathd/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/molecule/default/molecule.yml
@@ -11,7 +11,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
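Review bot: The fact-gathering task in the frr hunk uses the short module name `setup:` while the two tasks next to it use `community.general.sefcontext` and `ansible.builtin.file`; for consistency, and to avoid short-name resolution picking up a different collection, write `ansible.builtin.setup:` here, and `community.general.sefcontext:` in the collectd, multipathd configure.yml/host_prep.yml, network_config and unbound hunks, which all use bare `sefcontext:`. The "Gather SELinux fact if needed" task and the `ansible_facts.selinux.status == "enabled"` guard are now copied verbatim into six task files; a single shared task file included by each role would stop the guard drifting when one copy is fixed. A one-line comment above the gather task, `# selinux facts are missing when the play runs with gather_facts: false`, would also explain the `is undefined` test, which is otherwise the only hint why setup is re-run mid-role.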
diff --git a/tripleo_ansible/roles/tripleo_multipathd/molecule/preexisting_config/molecule.yml b/tripleo_ansible/roles/tripleo_multipathd/molecule/preexisting_config/molecule.yml
index 1990a67f5..b6bddd0d4 100644
--- a/tripleo_ansible/roles/tripleo_multipathd/molecule/preexisting_config/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/molecule/preexisting_config/molecule.yml
@@ -11,7 +11,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
diff --git a/tripleo_ansible/roles/tripleo_multipathd/tasks/configure.yml b/tripleo_ansible/roles/tripleo_multipathd/tasks/configure.yml
index c1b41bf65..08ccdb92a 100644
--- a/tripleo_ansible/roles/tripleo_multipathd/tasks/configure.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/tasks/configure.yml
@@ -14,6 +14,23 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Gather SELinux fact if needed + when: + - ansible_facts.selinux is undefined + setup: + gather_subset: + - "!all" + - "!min" + - "selinux" + +- name: Create fcontext entry for multipath locations + when: + - ansible_facts.selinux.status == "enabled" + sefcontext: + target: "/etc/multipath.conf" + setype: container_file_t + state: present + - name: Install custom multipath.conf if one is specified copy: src: "{{ tripleo_multipathd_custom_config_file }}"
diff --git a/tripleo_ansible/roles/tripleo_multipathd/tasks/host_prep.yml b/tripleo_ansible/roles/tripleo_multipathd/tasks/host_prep.yml
index 696056473..aebabe3b6 100644
--- a/tripleo_ansible/roles/tripleo_multipathd/tasks/host_prep.yml
+++ b/tripleo_ansible/roles/tripleo_multipathd/tasks/host_prep.yml
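Review bot: The configure.yml hunk labels the host file `/etc/multipath.conf` as `container_file_t` without saying why; that is the type the container policy lets confined container processes read and write, so the rule opens the file to every container on the host, not only the multipathd one, and a host-installed multipathd (host_prep.yml checks whether one is enabled) runs in its own domain and may no longer be allowed to read a file carrying that type. A comment above the task would make the trade-off reviewable, e.g. `# multipathd runs in a container: its config must carry container_file_t, which any container on this host can also access`. The same applies to the `/etc/multipath(/.*)?` rule in the host_prep.yml hunk; please verify that a host-side multipathd can still read its config after the relabel.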
@@ -14,6 +14,23 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Gather SELinux fact if needed + when: + - ansible_facts.selinux is undefined + setup: + gather_subset: + - "!all" + - "!min" + - "selinux" + +- name: Create fcontext entry for multipath directory + when: + - ansible_facts.selinux.status == "enabled" + sefcontext: + target: "/etc/multipath(/.*)?" + setype: container_file_t + state: present + - name: Check if multipathd is deployed on the host command: systemctl is-enabled --quiet multipathd failed_when: false
diff --git a/tripleo_ansible/roles/tripleo_network_config/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo_network_config/molecule/default/molecule.yml
index 402a92566..a1e450c37 100644
--- a/tripleo_ansible/roles/tripleo_network_config/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_network_config/molecule/default/molecule.yml
@@ -20,6 +20,7 @@ log: true platforms: - name: instance + pkg_extras: libselinux-python* policycoreutils-python-utils provisioner: inventory:
diff --git a/tripleo_ansible/roles/tripleo_network_config/tasks/main.yml b/tripleo_ansible/roles/tripleo_network_config/tasks/main.yml
index dade91349..6a32121fe 100644
--- a/tripleo_ansible/roles/tripleo_network_config/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_network_config/tasks/main.yml
@@ -14,6 +14,25 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Gather SELinux fact if needed + when: + - ansible_facts.selinux is undefined + setup: + gather_subset: + - "!all" + - "!min" + - "selinux" + +- name: Create fcontext entry for tripleoconfig + become: true + when: + - ansible_facts.selinux.status == "enabled" + sefcontext: + target: "/var/lib/tripleo-config(/.*)?" + setype: container_file_t + selevel: s0 + state: present + - name: Ensure /var/lib/tripleo-config directory exists become: true file:
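Review bot: The network_config main.yml hunk sets `selevel: s0` on its fcontext rule while the collectd, frr and multipathd hunks leave it out and only the unbound hunk sets it as well; as far as I can tell the module falls back to `s0` itself when adding a new entry, so the value is harmless, but the inconsistency reads as if the six rules were written separately. Either drop `selevel: s0` here and in the unbound hunk, or add it to the other four, so that all six rules read the same way and a later reviewer does not have to wonder whether the level was meant to differ.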
diff --git a/tripleo_ansible/roles/tripleo_unbound/molecule/default/molecule.yml b/tripleo_ansible/roles/tripleo_unbound/molecule/default/molecule.yml
index e65a86ce1..ea2df9d4c 100644
--- a/tripleo_ansible/roles/tripleo_unbound/molecule/default/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/molecule/default/molecule.yml
@@ -11,7 +11,7 @@ platforms: registry: url: registry.access.redhat.com dockerfile: Dockerfile - pkg_extras: python*setuptools + pkg_extras: python*setuptools libselinux-python* policycoreutils-python-utils volumes: - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro - /etc/pki/rpm-gpg:/etc/pki/rpm-gpg
diff --git a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
index 0b806adf7..069aac1ab 100644
--- a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
@@ -14,6 +14,24 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Gather SELinux fact if needed + when: + - ansible_facts.selinux is undefined + setup: + gather_subset: + - "!all" + - "!min" + - "selinux" + +- name: create fcontext entry for unbound config content + when: + - ansible_facts.selinux.status == "enabled" + sefcontext: + target: "{{ tripleo_unbound_config_basedir }}(/.*)?" + setype: container_file_t + selevel: s0 + state: present + - name: create directory {{ tripleo_unbound_config_basedir }} become: true ansible.builtin.file:
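Review bot: The unbound fcontext target interpolates `tripleo_unbound_config_basedir` straight into a regular expression, `target: "{{ tripleo_unbound_config_basedir }}(/.*)?"`; semanage treats the target as a regex, so a `.` or other metacharacter in the configured path widens the match, and for a rule that hands out `container_file_t` that means more paths than intended become accessible to containers. Passing the variable through the escape filter — `target: "{{ tripleo_unbound_config_basedir | regex_escape }}(/.*)?"` — keeps the rule pinned to the literal path; the same applies to the `collectd_conf_output_dir` and `tripleo_frr_config_basedir` targets in the collectd and frr hunks. If these variables are documented as plain absolute paths without metacharacters this is belt-and-braces, but it costs nothing and makes the intent explicit.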