Enable new SELinux boolean for vTPM support

In order to get a working vTPM support in containers, we need to enable a new SELinux boolean provided by openstack-selinux[1]. This patch affects only the deprecated nova-libvirt-container-puppet.yaml template in order to do a clean backport to stable/Wallaby and stable/Victoria. [1] https://github.com/redhat-openstack/openstack-selinux/pull/80 Change-Id: I1d2368135f7b0a83dec2192c242c081e2f5127c1 Closes-Bug: #1902468 Resolves: rhbz#2007314 (cherry picked from commit f664302c3d)
2021-10-11 15:41:35 +02:00 · 2021-10-11 15:41:35 +02:00 · 47e9740676
parent 8a4351664d
commit 47e9740676
1 changed files with 5 additions and 0 deletions
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@ -903,6 +903,11 @@ outputs:
                dest: /etc/tmpfiles.d/run-libvirt.conf
                content: |
                  d /run/libvirt 0755 root root - -
+            - name: Enable os_enable_vtpm SELinux boolean for vTPM
+              seboolean:
+                name: os_enable_vtpm
+                persistent: true
+                state: true
      metadata_settings:
        list_concat:
          - if: