From 0875895553041ae6286b4cf6d3806aa050c0d588 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Fri, 7 Feb 2020 13:33:20 +0100 Subject: [PATCH] Replace svirt_sandbox_file_t by container_file_t While they are, at SELinux level, exactly the same (one is an alias to the other), the "container_file_t" name is easier to understand (and shorter to write). A second pass in a couple of days or weeks will be needed in order to change files that were merged after this first pass. Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5 --- common/container_startup_configs_tasks.yaml | 4 ++-- common/deploy-steps-tasks-step-1.yaml | 20 +++++++++---------- common/deploy-steps.j2 | 6 +++--- .../aodh/aodh-api-container-puppet.yaml | 4 ++-- .../aodh/aodh-evaluator-container-puppet.yaml | 2 +- .../aodh/aodh-listener-container-puppet.yaml | 2 +- .../aodh/aodh-notifier-container-puppet.yaml | 4 ++-- ...ometer-agent-central-container-puppet.yaml | 2 +- ...ometer-agent-compute-container-puppet.yaml | 2 +- ...eilometer-agent-ipmi-container-puppet.yaml | 2 +- ...r-agent-notification-container-puppet.yaml | 2 +- .../cinder/cinder-api-container-puppet.yaml | 4 ++-- .../cinder-common-container-puppet.yaml | 4 ++-- .../cinder-scheduler-container-puppet.yaml | 2 +- .../database/mysql-container-puppet.yaml | 4 ++-- .../database/mysql-pacemaker-puppet.yaml | 6 +++--- .../database/redis-container-puppet.yaml | 6 +++--- .../database/redis-pacemaker-puppet.yaml | 6 +++--- deployment/etcd/etcd-container-puppet.yaml | 2 +- .../designate-api-container-puppet.yaml | 2 +- .../designate-central-container-puppet.yaml | 2 +- .../designate-mdns-container-puppet.yaml | 4 ++-- .../designate-producer-container-puppet.yaml | 2 +- .../designate-sink-container-puppet.yaml | 2 +- .../designate-worker-container-puppet.yaml | 4 ++-- .../glance/glance-api-container-puppet.yaml | 6 +++--- .../glance-api-logging-file-container.yaml | 4 ++-- .../gnocchi/gnocchi-api-container-puppet.yaml | 6 +++--- .../gnocchi-metricd-container-puppet.yaml | 4 ++-- 
.../gnocchi-statsd-container-puppet.yaml | 4 ++-- .../haproxy/haproxy-container-puppet.yaml | 2 +- .../haproxy/haproxy-pacemaker-puppet.yaml | 4 ++-- .../horizon/horizon-container-puppet.yaml | 6 +++--- .../ironic/ironic-api-container-puppet.yaml | 4 ++-- .../ironic-conductor-container-puppet.yaml | 4 ++-- .../ironic-inspector-container-puppet.yaml | 4 ++-- .../ironic/ironic-pxe-container-puppet.yaml | 6 +++--- .../iscsid/iscsid-container-puppet.yaml | 4 ++-- .../keepalived-container-puppet.yaml | 2 +- deployment/logging/files/barbican-api.yaml | 4 ++-- deployment/logging/files/heat-api-cfn.yaml | 4 ++-- deployment/logging/files/heat-api.yaml | 4 ++-- deployment/logging/files/heat-engine.yaml | 2 +- deployment/logging/files/keystone.yaml | 4 ++-- deployment/logging/files/neutron-api.yaml | 4 ++-- deployment/logging/files/neutron-common.yaml | 2 +- deployment/logging/files/nova-api.yaml | 4 ++-- deployment/logging/files/nova-common.yaml | 2 +- deployment/logging/files/nova-libvirt.yaml | 2 +- deployment/logging/files/nova-metadata.yaml | 4 ++-- deployment/logging/files/placement-api.yaml | 4 ++-- .../logging/rsyslog-container-puppet.yaml | 4 ++-- .../manila/manila-api-container-puppet.yaml | 4 ++-- .../manila-scheduler-container-puppet.yaml | 2 +- .../manila/manila-share-container-puppet.yaml | 4 ++-- .../manila/manila-share-pacemaker-puppet.yaml | 4 ++-- .../rpc-qdrouterd-container-puppet.yaml | 4 ++-- .../metrics/collectd-container-puppet.yaml | 2 +- deployment/metrics/qdr-container-puppet.yaml | 4 ++-- .../mistral/mistral-api-container-puppet.yaml | 2 +- .../mistral-engine-container-puppet.yaml | 2 +- ...mistral-event-engine-container-puppet.yaml | 2 +- .../mistral-executor-container-puppet.yaml | 10 +++++----- .../multipathd/multipathd-container.yaml | 4 ++-- .../neutron-dhcp-container-puppet.yaml | 2 +- .../neutron/neutron-l3-container-puppet.yaml | 2 +- .../neutron-metadata-container-puppet.yaml | 2 +- .../nova/nova-compute-container-puppet.yaml | 6 +++--- 
.../nova/nova-ironic-container-puppet.yaml | 4 ++-- .../nova/nova-libvirt-container-puppet.yaml | 14 ++++++------- .../nova/novajoin-container-puppet.yaml | 2 +- .../octavia/octavia-api-container-puppet.yaml | 6 +++--- ...tavia-health-manager-container-puppet.yaml | 2 +- ...octavia-housekeeping-container-puppet.yaml | 2 +- .../octavia-worker-container-puppet.yaml | 2 +- ...ch-dpdk-netcontrold-container-ansible.yaml | 2 +- .../ovn/ovn-controller-container-puppet.yaml | 4 ++-- deployment/ovn/ovn-dbs-container-puppet.yaml | 4 ++-- deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 4 ++-- .../ovn/ovn-metadata-container-puppet.yaml | 2 +- .../qdr/qdrouterd-container-puppet.yaml | 4 ++-- .../rabbitmq/rabbitmq-container-puppet.yaml | 4 ++-- ...tmq-messaging-notify-container-puppet.yaml | 4 ++-- ...tmq-messaging-notify-pacemaker-puppet.yaml | 4 ++-- .../rabbitmq-messaging-pacemaker-puppet.yaml | 4 ++-- ...bbitmq-messaging-rpc-container-puppet.yaml | 4 ++-- ...bbitmq-messaging-rpc-pacemaker-puppet.yaml | 4 ++-- .../sahara/sahara-api-container-puppet.yaml | 4 ++-- .../sahara-engine-container-puppet.yaml | 4 ++-- .../swift/swift-proxy-container-puppet.yaml | 6 +++--- .../swift/swift-storage-container-puppet.yaml | 6 +++--- .../undercloud/tempest-container-puppet.yaml | 6 +++--- deployment/zaqar/zaqar-container-puppet.yaml | 4 ++-- environments/storage-environment.yaml | 2 +- environments/storage/glance-nfs.yaml | 4 ++-- ...-to-container_file_t-f4914561f6e9e4c7.yaml | 5 +++++ 96 files changed, 191 insertions(+), 186 deletions(-) create mode 100644 releasenotes/notes/svirt_sandbox_file_t-to-container_file_t-f4914561f6e9e4c7.yaml diff --git a/common/container_startup_configs_tasks.yaml b/common/container_startup_configs_tasks.yaml index 8e05d97a69..0dac8a0110 100644 --- a/common/container_startup_configs_tasks.yaml +++ b/common/container_startup_configs_tasks.yaml 
@@ -7,13 +7,13 @@ path: "/var/lib/tripleo-config/container-startup-config/{{ step_path }}/" mode: 0600 recurse: yes - setype: svirt_sandbox_file_t + setype: container_file_t - name: "Creating container startup configs for {{ step_path }}" copy: content: "{{ item.value | to_nice_json }}" dest: "/var/lib/tripleo-config/container-startup-config/{{ step_path }}/{{ item.key }}.json" - setype: svirt_sandbox_file_t + setype: container_file_t mode: 0600 no_log: true loop: "{{ item.1 | dict2items }}" diff --git a/common/deploy-steps-tasks-step-1.yaml b/common/deploy-steps-tasks-step-1.yaml index 9835557009..29e71aa3df 100644 --- a/common/deploy-steps-tasks-step-1.yaml +++ b/common/deploy-steps-tasks-step-1.yaml @@ -20,7 +20,7 @@ file: path: /var/lib/tripleo-config state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 recurse: true tags: @@ -49,7 +49,7 @@ file: path: /var/lib/tripleo-config/check-mode state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 recurse: true tags: @@ -103,7 +103,7 @@ file: path: /var/lib/container-puppet state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 tags: - container_config @@ -124,7 +124,7 @@ file: path: /var/lib/container-puppet/check-mode state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 tags: - container_config @@ -171,7 +171,7 @@ file: path: /var/lib/container-config-scripts state: directory - setype: svirt_sandbox_file_t + setype: container_file_t tags: - container_config_scripts @@ -201,7 +201,7 @@ dest: "/var/lib/container-config-scripts/{{ item[0] }}" force: yes mode: "{{ item[1].mode | default('0600', true) }}" - setype: svirt_sandbox_file_t + setype: container_file_t loop: "{{ role_data_container_config_scripts | dictsort }}" loop_control: label: "{{ item[0] }}" 
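Review bot: `mode: 0600` is written unquoted in both tasks of the common/container_startup_configs_tasks.yaml hunk, so the permission on these startup-config files depends on the YAML loader reading the leading zero as octal. The "Write kolla config json files" task in common/deploy-steps-tasks-step-1.yaml, touched by this same patch, already writes `mode: '0600'`; using the quoted form here too removes the ambiguity. The first task begins above the hunk, so its remaining arguments are not visible here.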
@@ -254,7 +254,7 @@ file: path: /var/lib/kolla/config_files state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 recurse: true tags: @@ -264,7 +264,7 @@ file: path: /var/lib/config-data state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 - name: Write kolla config json files @@ -274,7 +274,7 @@ dest: "{{ item[0] }}" force: yes mode: '0600' - setype: svirt_sandbox_file_t + setype: container_file_t loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}" loop_control: label: "{{ item[0] }}" @@ -318,7 +318,7 @@ file: path: /etc/puppet/check-mode/hieradata state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 recurse: true check_mode: no diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2 index 0c87d71185..5390a93504 100644 --- a/common/deploy-steps.j2 +++ b/common/deploy-steps.j2 @@ -615,7 +615,7 @@ outputs: file: path: /var/lib/tripleo-config/scripts state: directory - setype: svirt_sandbox_file_t + setype: container_file_t selevel: s0 recurse: true @@ -1235,7 +1235,7 @@ outputs: - include_vars: global_vars.yaml no_log: true - name: ensure we get the right selinux context - command: chcon -R -t svirt_sandbox_file_t /var/lib/config-data + command: chcon -R -t container_file_t /var/lib/config-data args: warn: no tags: @@ -1623,7 +1623,7 @@ outputs: name: Run Fast Forward Upgrade Prep Workarounds for {{role.name}} {%- endfor %} - name: Create /var/lib/container-puppet - file: path=/var/lib/container-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true + file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true - name: Write container-puppet.py no_log: True copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600 
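Review bot: In the common/deploy-steps.j2 hunk at -1235, the relabel of /var/lib/config-data still shells out with `command: chcon -R -t container_file_t /var/lib/config-data` under `warn: no`. Unless a `changed_when` follows outside the hunk, the task reports a change on every run and is skipped in check mode, which hides label drift on a directory holding service configuration. The other tasks in this patch set the type through the `file` module, and the same form would work here: `file: path=/var/lib/config-data setype=container_file_t recurse=true`. The task's tags and the surrounding play continue outside the hunk.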
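Review bot: The `file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true` line in the -1623 hunk of common/deploy-steps.j2 does not match the task for the same path in common/deploy-steps-tasks-step-1.yaml (hunk at -103), which sets the same type and level without `recurse`. It is worth confirming whether the recursive relabel is intended in only one of the two places. Writing this task as a block mapping (`path:`, `state:`, `setype:`, `selevel:`, `recurse:` on separate lines) instead of inline key=value would also make each SELinux attribute visible in future diffs. The surrounding task list starts and ends outside the hunk.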
diff --git a/deployment/aodh/aodh-api-container-puppet.yaml b/deployment/aodh/aodh-api-container-puppet.yaml index e8303a516c..0c5ea290ff 100644 --- a/deployment/aodh/aodh-api-container-puppet.yaml +++ b/deployment/aodh/aodh-api-container-puppet.yaml @@ -248,8 +248,8 @@ outputs: setype: "{{ item.setype }}" state: directory with_items: - - { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/aodh-api, setype: svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/aodh-api, setype: container_file_t, 'mode': '0750' } metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] external_upgrade_tasks: diff --git a/deployment/aodh/aodh-evaluator-container-puppet.yaml b/deployment/aodh/aodh-evaluator-container-puppet.yaml index d9c039a07c..eadafab8ee 100644 --- a/deployment/aodh/aodh-evaluator-container-puppet.yaml +++ b/deployment/aodh/aodh-evaluator-container-puppet.yaml @@ -114,7 +114,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' } external_upgrade_tasks: - when: - step|int == 1 diff --git a/deployment/aodh/aodh-listener-container-puppet.yaml b/deployment/aodh/aodh-listener-container-puppet.yaml index 57891d89f7..013c7d4da1 100644 --- a/deployment/aodh/aodh-listener-container-puppet.yaml +++ b/deployment/aodh/aodh-listener-container-puppet.yaml @@ -114,7 +114,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' } external_upgrade_tasks: - when: - step|int == 1 
diff --git a/deployment/aodh/aodh-notifier-container-puppet.yaml b/deployment/aodh/aodh-notifier-container-puppet.yaml index 52ccf7c878..16288619aa 100644 --- a/deployment/aodh/aodh-notifier-container-puppet.yaml +++ b/deployment/aodh/aodh-notifier-container-puppet.yaml @@ -114,8 +114,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/aodh, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/aodh, 'setype': container_file_t } external_upgrade_tasks: - when: - step|int == 1 diff --git a/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml index 92e2d06c16..9e82da87c8 100644 --- a/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml +++ b/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml @@ -172,7 +172,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' } external_upgrade_tasks: - when: - step|int == 1 diff --git a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml index 1134613a87..2a1c16db83 100644 --- a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml +++ b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml 
@@ -119,7 +119,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/ceilometer/ceilometer-agent-ipmi-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-ipmi-container-puppet.yaml index 823d6f1545..4b6d59294a 100644 --- a/deployment/ceilometer/ceilometer-agent-ipmi-container-puppet.yaml +++ b/deployment/ceilometer/ceilometer-agent-ipmi-container-puppet.yaml @@ -137,7 +137,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' } fast_forward_upgrade_tasks: - when: - step|int == 0 diff --git a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml index d68599b533..d8a8baf7ea 100644 --- a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml +++ b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml @@ -124,7 +124,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml index 9126b234bf..88f4bab1a9 100644 --- a/deployment/cinder/cinder-api-container-puppet.yaml 
+++ b/deployment/cinder/cinder-api-container-puppet.yaml @@ -376,8 +376,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/cinder-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/cinder-api, 'setype': container_file_t, 'mode': '0750' } external_upgrade_tasks: - when: step|int == 1 block: diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml index e2edfe3693..56e8d809d7 100644 --- a/deployment/cinder/cinder-common-container-puppet.yaml +++ b/deployment/cinder/cinder-common-container-puppet.yaml @@ -72,8 +72,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/cinder, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/cinder, 'setype': container_file_t } - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/cinder/cinder-scheduler-container-puppet.yaml b/deployment/cinder/cinder-scheduler-container-puppet.yaml index bd76259150..a96b7d9aa3 100644 --- a/deployment/cinder/cinder-scheduler-container-puppet.yaml +++ b/deployment/cinder/cinder-scheduler-container-puppet.yaml @@ -135,7 +135,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink 
diff --git a/deployment/database/mysql-container-puppet.yaml b/deployment/database/mysql-container-puppet.yaml index 4b0732e30e..2a9195bf1e 100644 --- a/deployment/database/mysql-container-puppet.yaml +++ b/deployment/database/mysql-container-puppet.yaml @@ -250,8 +250,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'} - - {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'} + - {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'} + - {'path': /var/lib/mysql, 'setype': 'container_file_t'} upgrade_tasks: # LP 1810136 # After upgrade, the new mariadb (e.g. 10.3) might not be able diff --git a/deployment/database/mysql-pacemaker-puppet.yaml b/deployment/database/mysql-pacemaker-puppet.yaml index 9f9e0819b1..664b73365b 100644 --- a/deployment/database/mysql-pacemaker-puppet.yaml +++ b/deployment/database/mysql-pacemaker-puppet.yaml @@ -313,9 +313,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'} - - {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'} - - {'path': /var/log/mariadb, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'} + - {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'} + - {'path': /var/lib/mysql, 'setype': 'container_file_t'} + - {'path': /var/log/mariadb, 'setype': 'container_file_t', 'mode': '0750'} metadata_settings: get_attr: [MysqlBase, role_data, metadata_settings] deploy_steps_tasks: diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml index e5103b6c2c..239a2bc99f 100644 --- a/deployment/database/redis-container-puppet.yaml +++ b/deployment/database/redis-container-puppet.yaml 
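Review bot: `/var/lib/mysql` in the `with_items` list of deployment/database/mysql-container-puppet.yaml is a host path that the distribution policy normally gives its own default file context, so the type applied through `setype: "{{ item.setype }}"` presumably lasts only until that path is next relabelled (for example by `restorecon`). After that the containers would lose access to their data directory without any change in these templates. If that is accepted, a comment such as `# label applied at deploy time only; a relabel restores the policy default` would record it; otherwise a persistent file-context rule (Ansible's `sefcontext` module) is the usual complement. The same applies to `/var/lib/mysql` and `/var/log/mariadb` in mysql-pacemaker-puppet.yaml, `/var/www` in horizon-container-puppet.yaml, and `/etc/iscsi` and `/var/lib/iscsi` in iscsid-container-puppet.yaml.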
@@ -169,7 +169,7 @@ outputs: restart: always systemd_exec_flags: RuntimeDirectory: redis - ExecStartPre: /bin/chcon -t svirt_sandbox_file_t /var/run/redis + ExecStartPre: /bin/chcon -t container_file_t /var/run/redis healthcheck: test: /openstack/healthcheck volumes: @@ -219,8 +219,8 @@ outputs: path: "{{ item.path }}" state: directory with_items: - - { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/redis, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/run/redis, 'setype': container_file_t } - name: ensure /var/run/redis is present upon reboot copy: dest: /etc/tmpfiles.d/var-run-redis.conf diff --git a/deployment/database/redis-pacemaker-puppet.yaml b/deployment/database/redis-pacemaker-puppet.yaml index 0b02c3a126..c355e3b4cf 100644 --- a/deployment/database/redis-pacemaker-puppet.yaml +++ b/deployment/database/redis-pacemaker-puppet.yaml @@ -289,9 +289,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/lib/redis, 'setype': svirt_sandbox_file_t } - - { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/redis, 'setype': container_file_t } + - { 'path': /var/log/containers/redis, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/run/redis, 'setype': container_file_t } - name: ensure /var/run/redis is present upon reboot copy: dest: /etc/tmpfiles.d/var-run-redis.conf diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index c734d92023..888237db21 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml 
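Review bot: In the -219 hunk of deployment/database/redis-container-puppet.yaml, the visible `file` arguments are only `path: "{{ item.path }}"` and `state: directory`, while the items carry `'setype': container_file_t` and `'mode': '0750'`. The equivalent task in redis-pacemaker-puppet.yaml has `setype: "{{ item.setype }}"` directly before `with_items`, so unless these keys are consumed above the hunk, the renamed type and the 0750 mode are never applied to `/var/log/containers/redis` and `/var/run/redis`. If they are missing, add `setype: "{{ item.setype }}"` and `mode: "{{ item.mode | default(omit) }}"` to the task. The task header lies outside the hunk, so this needs checking against the full file.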
@@ -157,7 +157,7 @@ outputs: file: path: /var/lib/etcd state: directory - setype: svirt_sandbox_file_t + setype: container_file_t upgrade_tasks: [] metadata_settings: if: diff --git a/deployment/experimental/designate/designate-api-container-puppet.yaml b/deployment/experimental/designate/designate-api-container-puppet.yaml index f88eb984c4..118ed736c3 100644 --- a/deployment/experimental/designate/designate-api-container-puppet.yaml +++ b/deployment/experimental/designate/designate-api-container-puppet.yaml @@ -165,4 +165,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/experimental/designate/designate-central-container-puppet.yaml b/deployment/experimental/designate/designate-central-container-puppet.yaml index 1d2ee6594c..cdf3a39d91 100644 --- a/deployment/experimental/designate/designate-central-container-puppet.yaml +++ b/deployment/experimental/designate/designate-central-container-puppet.yaml @@ -218,4 +218,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/experimental/designate/designate-mdns-container-puppet.yaml b/deployment/experimental/designate/designate-mdns-container-puppet.yaml index 6952042035..cf5b192d1f 100644 --- a/deployment/experimental/designate/designate-mdns-container-puppet.yaml +++ b/deployment/experimental/designate/designate-mdns-container-puppet.yaml 
@@ -175,5 +175,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/designate, 'setype': svirt_sandbox_file_t } - - { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/designate, 'setype': container_file_t } + - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/experimental/designate/designate-producer-container-puppet.yaml b/deployment/experimental/designate/designate-producer-container-puppet.yaml index d8d0cbe19e..2ed2736314 100644 --- a/deployment/experimental/designate/designate-producer-container-puppet.yaml +++ b/deployment/experimental/designate/designate-producer-container-puppet.yaml @@ -133,4 +133,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/experimental/designate/designate-sink-container-puppet.yaml b/deployment/experimental/designate/designate-sink-container-puppet.yaml index c046e310ef..addbd1cb89 100644 --- a/deployment/experimental/designate/designate-sink-container-puppet.yaml +++ b/deployment/experimental/designate/designate-sink-container-puppet.yaml @@ -125,4 +125,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/experimental/designate/designate-worker-container-puppet.yaml b/deployment/experimental/designate/designate-worker-container-puppet.yaml index 84844904a6..45cf20930a 100644 --- a/deployment/experimental/designate/designate-worker-container-puppet.yaml 
+++ b/deployment/experimental/designate/designate-worker-container-puppet.yaml @@ -226,9 +226,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' } - name: create persistent named directory file: path: /var/named-persistent state: directory - setype: svirt_sandbox_file_t + setype: container_file_t diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml index 41e5d9c382..f1201bff00 100644 --- a/deployment/glance/glance-api-container-puppet.yaml +++ b/deployment/glance/glance-api-container-puppet.yaml @@ -121,7 +121,7 @@ parameters: Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true) type: string GlanceNfsOptions: - default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0' + default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0' description: > NFS mount options for image storage (when GlanceNfsEnabled is true) type: string @@ -175,7 +175,7 @@ parameters: URI that specifies the staging location to use when importing images type: string GlanceStagingNfsOptions: - default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0' + default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0' description: > NFS mount options for NFS image import staging type: string @@ -621,7 +621,7 @@ outputs: file: path: /var/lib/glance state: directory - setype: svirt_sandbox_file_t + setype: container_file_t metadata_settings: get_attr: [TLSProxyBase, role_data, metadata_settings] external_upgrade_tasks: diff --git a/deployment/glance/glance-api-logging-file-container.yaml b/deployment/glance/glance-api-logging-file-container.yaml index b8a1dd2aaf..ee0eda4bd8 100644 --- a/deployment/glance/glance-api-logging-file-container.yaml 
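Review bot: The `GlanceNfsOptions` description in the -121 hunk of deployment/glance/glance-api-container-puppet.yaml does not explain why the default carries `context=system_u:object_r:container_file_t:s0`, and the same is true of `GlanceStagingNfsOptions` at -175. An operator who overrides either parameter and drops the `context=` option would presumably end up with a mount the glance containers cannot use under SELinux. I would extend the description along the lines of `NFS mount options for image storage (when GlanceNfsEnabled is true). Keep a context= option naming a container-accessible type when overriding.` The commit message states that the old type name is an alias, so existing overrides using `svirt_sandbox_file_t` should keep working, and the description could say so.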
+++ b/deployment/glance/glance-api-logging-file-container.yaml @@ -38,5 +38,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/glance, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/glance, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/glance, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/glance, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml index b7a65ca7c9..ea06f51c3f 100644 --- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml +++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml @@ -361,9 +361,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': {get_param: GnocchiFileBasePath}, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': container_file_t, 'mode': '0750' } + - { 'path': {get_param: GnocchiFileBasePath}, 'setype': container_file_t } - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/gnocchi/gnocchi-metricd-container-puppet.yaml b/deployment/gnocchi/gnocchi-metricd-container-puppet.yaml index 25cce2ae26..18a4a987a3 100644 --- a/deployment/gnocchi/gnocchi-metricd-container-puppet.yaml +++ b/deployment/gnocchi/gnocchi-metricd-container-puppet.yaml 
@@ -159,12 +159,12 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' } - name: create persistent data directory file: path: {get_param: GnocchiFileBasePath} state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml b/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml index 2fd9e68443..4ae68a5e73 100644 --- a/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml +++ b/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml @@ -151,12 +151,12 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' } - name: create persistent data directory file: path: {get_param: GnocchiFileBasePath} state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/haproxy/haproxy-container-puppet.yaml b/deployment/haproxy/haproxy-container-puppet.yaml index ed5f422f94..ecc7594ab4 100644 --- a/deployment/haproxy/haproxy-container-puppet.yaml +++ b/deployment/haproxy/haproxy-container-puppet.yaml @@ -365,7 +365,7 @@ outputs: setype: "{{ item.setype }}" with_items: - { 'path': /var/log/containers/haproxy, 'setype': var_log_t, 'mode': '0750' } - - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/haproxy, 'setype': container_file_t } metadata_settings: list_concat: - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} 
diff --git a/deployment/haproxy/haproxy-pacemaker-puppet.yaml b/deployment/haproxy/haproxy-pacemaker-puppet.yaml index 2878345f35..b57823f3d7 100644 --- a/deployment/haproxy/haproxy-pacemaker-puppet.yaml +++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml @@ -306,8 +306,8 @@ outputs: setype: "{{ item.setype }}" with_items: - { 'path': /var/log/containers/haproxy, 'setype': var_log_t, 'mode': '0750' } - - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t } - - { 'path': /var/log/haproxy, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/haproxy, 'setype': container_file_t } + - { 'path': /var/log/haproxy, 'setype': container_file_t } metadata_settings: {get_attr: [HAProxyBase, role_data, metadata_settings]} deploy_steps_tasks: diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml index 89816cdc7c..668cfbc121 100644 --- a/deployment/horizon/horizon-container-puppet.yaml +++ b/deployment/horizon/horizon-container-puppet.yaml @@ -320,9 +320,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/www, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/www, 'setype': container_file_t } upgrade_tasks: [] external_upgrade_tasks: - when: diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml index edca1b53f0..9c33ccf105 100644 --- a/deployment/ironic/ironic-api-container-puppet.yaml +++ b/deployment/ironic/ironic-api-container-puppet.yaml 
@@ -281,8 +281,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/ironic-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' } external_upgrade_tasks: - when: step|int == 1 block: diff --git a/deployment/ironic/ironic-conductor-container-puppet.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml index 0f21772b07..9122783efc 100644 --- a/deployment/ironic/ironic-conductor-container-puppet.yaml +++ b/deployment/ironic/ironic-conductor-container-puppet.yaml @@ -554,8 +554,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/ironic, 'setype': container_file_t } - name: stat /httpboot stat: path=/httpboot register: stat_httpboot diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml index 1e9f83534f..c5b0d84427 100644 --- a/deployment/ironic/ironic-inspector-container-puppet.yaml +++ b/deployment/ironic/ironic-inspector-container-puppet.yaml 
@@ -491,9 +491,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/ironic-inspector, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' } - name: create persistent ironic-inspector dnsmasq dhcp hostsdir file: path: /var/lib/ironic-inspector/dhcp-hostsdir state: directory - setype: svirt_sandbox_file_t + setype: container_file_t diff --git a/deployment/ironic/ironic-pxe-container-puppet.yaml b/deployment/ironic/ironic-pxe-container-puppet.yaml index 80ffeedf49..f91973b771 100644 --- a/deployment/ironic/ironic-pxe-container-puppet.yaml +++ b/deployment/ironic/ironic-pxe-container-puppet.yaml @@ -166,6 +166,6 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t } - - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/ironic-pxe, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/lib/ironic, 'setype': container_file_t } + - { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/ironic-pxe, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml index ac1b3f2b57..de4d584bcc 100644 --- a/deployment/iscsid/iscsid-container-puppet.yaml +++ b/deployment/iscsid/iscsid-container-puppet.yaml @@ -99,12 +99,12 @@ outputs: file: path: /etc/iscsi state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: ensure /var/lib/iscsi exists file: path: /var/lib/iscsi state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: stat /lib/systemd/system/iscsid.socket stat: path=/lib/systemd/system/iscsid.socket register: stat_iscsid_socket 
diff --git a/deployment/keepalived/keepalived-container-puppet.yaml b/deployment/keepalived/keepalived-container-puppet.yaml index d4f71f65e5..b79a2206f2 100644 --- a/deployment/keepalived/keepalived-container-puppet.yaml +++ b/deployment/keepalived/keepalived-container-puppet.yaml @@ -149,4 +149,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/keepalived, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/keepalived, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/barbican-api.yaml b/deployment/logging/files/barbican-api.yaml index 4d49694cd4..8f2e422d5d 100644 --- a/deployment/logging/files/barbican-api.yaml +++ b/deployment/logging/files/barbican-api.yaml @@ -39,5 +39,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/barbican, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/barbican-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/barbican, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/barbican-api, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/heat-api-cfn.yaml b/deployment/logging/files/heat-api-cfn.yaml index cbd36c8183..2d570bafc9 100644 --- a/deployment/logging/files/heat-api-cfn.yaml +++ b/deployment/logging/files/heat-api-cfn.yaml @@ -25,5 +25,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/heat-api-cfn, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/heat, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/heat-api-cfn, 'setype': container_file_t, 'mode': '0750' } 
diff --git a/deployment/logging/files/heat-api.yaml b/deployment/logging/files/heat-api.yaml index 82258212c4..fc7cd9d960 100644 --- a/deployment/logging/files/heat-api.yaml +++ b/deployment/logging/files/heat-api.yaml @@ -25,5 +25,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/heat-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/heat, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/heat-api, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/heat-engine.yaml b/deployment/logging/files/heat-engine.yaml index 93b3704083..05448d3a1a 100644 --- a/deployment/logging/files/heat-engine.yaml +++ b/deployment/logging/files/heat-engine.yaml @@ -40,4 +40,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/heat, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/keystone.yaml b/deployment/logging/files/keystone.yaml index 952c40af76..1fd988ceb0 100644 --- a/deployment/logging/files/keystone.yaml +++ b/deployment/logging/files/keystone.yaml @@ -40,5 +40,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/keystone, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/keystone, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/keystone, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/keystone, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/neutron-api.yaml b/deployment/logging/files/neutron-api.yaml index 424513bb6c..722c3cba96 100644 
--- a/deployment/logging/files/neutron-api.yaml +++ b/deployment/logging/files/neutron-api.yaml @@ -48,5 +48,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/neutron, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/neutron-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/neutron, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/neutron-api, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/neutron-common.yaml b/deployment/logging/files/neutron-common.yaml index 3f2989c1bb..c6a18cac9b 100644 --- a/deployment/logging/files/neutron-common.yaml +++ b/deployment/logging/files/neutron-common.yaml @@ -36,4 +36,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/neutron, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/neutron, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/nova-api.yaml b/deployment/logging/files/nova-api.yaml index dddd391e44..3fd7396247 100644 --- a/deployment/logging/files/nova-api.yaml +++ b/deployment/logging/files/nova-api.yaml @@ -48,5 +48,5 @@ outputs: setype: "{{ item.setype }}" state: directory with_items: - - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/nova-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/nova-api, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/nova-common.yaml b/deployment/logging/files/nova-common.yaml index 43d3c5435e..6a4a1219e4 100644 --- a/deployment/logging/files/nova-common.yaml +++ b/deployment/logging/files/nova-common.yaml 
@@ -68,4 +68,4 @@ outputs: setype: "{{ item.setype }}" state: directory with_items: - - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/nova-libvirt.yaml b/deployment/logging/files/nova-libvirt.yaml index dc9cff9216..77d64bb380 100644 --- a/deployment/logging/files/nova-libvirt.yaml +++ b/deployment/logging/files/nova-libvirt.yaml @@ -38,4 +38,4 @@ outputs: setype: "{{ item.setype }}" state: directory with_items: - - { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/libvirt, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/nova-metadata.yaml b/deployment/logging/files/nova-metadata.yaml index 1df5e8e578..958625133c 100644 --- a/deployment/logging/files/nova-metadata.yaml +++ b/deployment/logging/files/nova-metadata.yaml @@ -37,5 +37,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/nova-metadata, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/nova-metadata, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/files/placement-api.yaml b/deployment/logging/files/placement-api.yaml index a730640775..7c55076a91 100644 --- a/deployment/logging/files/placement-api.yaml +++ b/deployment/logging/files/placement-api.yaml 
@@ -37,5 +37,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/placement, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/placement, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/placement, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/placement, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/logging/rsyslog-container-puppet.yaml b/deployment/logging/rsyslog-container-puppet.yaml index a6a3c85a63..285ff21c4b 100644 --- a/deployment/logging/rsyslog-container-puppet.yaml +++ b/deployment/logging/rsyslog-container-puppet.yaml @@ -221,10 +221,10 @@ outputs: file: path: /var/log/containers/rsyslog state: directory - setype: svirt_sandbox_file_t + setype: container_file_t mode: '0750' - name: create persistent state directory for rsyslog file: path: /var/lib/rsyslog.container state: directory - setype: svirt_sandbox_file_t + setype: container_file_t diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml index e9eb3a65c9..40dd4ca0ba 100644 --- a/deployment/manila/manila-api-container-puppet.yaml +++ b/deployment/manila/manila-api-container-puppet.yaml @@ -251,8 +251,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/manila-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/manila-api, 'setype': container_file_t, 'mode': '0750' } upgrade_tasks: [] fast_forward_upgrade_tasks: - name: Check if manila_api is deployed 
diff --git a/deployment/manila/manila-scheduler-container-puppet.yaml b/deployment/manila/manila-scheduler-container-puppet.yaml index b2025bbd18..1332084ef3 100644 --- a/deployment/manila/manila-scheduler-container-puppet.yaml +++ b/deployment/manila/manila-scheduler-container-puppet.yaml @@ -109,7 +109,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml index 490c2a0355..adfbcd4282 100644 --- a/deployment/manila/manila-share-container-puppet.yaml +++ b/deployment/manila/manila-share-container-puppet.yaml @@ -164,8 +164,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/manila, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/manila, 'setype': container_file_t } - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/manila/manila-share-pacemaker-puppet.yaml b/deployment/manila/manila-share-pacemaker-puppet.yaml index 126280e0b9..fccd46fb31 100644 --- a/deployment/manila/manila-share-pacemaker-puppet.yaml +++ b/deployment/manila/manila-share-pacemaker-puppet.yaml 
@@ -201,8 +201,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/manila, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/manila, 'setype': container_file_t } - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml index f0cead07ea..b675fa77cb 100644 --- a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml +++ b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml @@ -149,6 +149,6 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/qdrouterd, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/qdrouterd, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/qdrouterd, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/qdrouterd, 'setype': container_file_t } metadata_settings: {} diff --git a/deployment/metrics/collectd-container-puppet.yaml b/deployment/metrics/collectd-container-puppet.yaml index 5b9eebeb07..e8358d1118 100644 --- a/deployment/metrics/collectd-container-puppet.yaml +++ b/deployment/metrics/collectd-container-puppet.yaml @@ -681,7 +681,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/collectd, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/collectd, 'setype': container_file_t, 'mode': '0750' } fast_forward_upgrade_tasks: - when: - step|int == 0 diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index db4544b541..b9b14fb00b 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml 
@@ -315,5 +315,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/metrics-qdr, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/metrics-qdr, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/metrics-qdr, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/metrics-qdr, 'setype': container_file_t } diff --git a/deployment/mistral/mistral-api-container-puppet.yaml b/deployment/mistral/mistral-api-container-puppet.yaml index 53f3976a80..f2be3b7f40 100644 --- a/deployment/mistral/mistral-api-container-puppet.yaml +++ b/deployment/mistral/mistral-api-container-puppet.yaml @@ -249,7 +249,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' } deploy_steps_tasks: - name: Copy in action mapping file when: step|int == 3 diff --git a/deployment/mistral/mistral-engine-container-puppet.yaml b/deployment/mistral/mistral-engine-container-puppet.yaml index 60903f8b56..c5ce91398e 100644 --- a/deployment/mistral/mistral-engine-container-puppet.yaml +++ b/deployment/mistral/mistral-engine-container-puppet.yaml @@ -137,7 +137,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/mistral/mistral-event-engine-container-puppet.yaml b/deployment/mistral/mistral-event-engine-container-puppet.yaml index 90f793187a..cd73fce613 100644 --- a/deployment/mistral/mistral-event-engine-container-puppet.yaml +++ b/deployment/mistral/mistral-event-engine-container-puppet.yaml 
@@ -112,7 +112,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/mistral/mistral-executor-container-puppet.yaml b/deployment/mistral/mistral-executor-container-puppet.yaml index 858207ca52..b1463e7d76 100644 --- a/deployment/mistral/mistral-executor-container-puppet.yaml +++ b/deployment/mistral/mistral-executor-container-puppet.yaml @@ -218,8 +218,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/mistral, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/mistral, 'setype': container_file_t } - name: create mistral/.ssh directory file: path: /var/lib/mistral/.ssh @@ -237,18 +237,18 @@ outputs: src: "{{ undercloud_cfg_file }}" dest: /var/lib/mistral/undercloud.conf mode: 0444 - setype: svirt_sandbox_file_t + setype: container_file_t local_follow: true - name: create ceph-ansible source directory file: path: /usr/share/ceph-ansible state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: create octavia-amphora-images directory file: path: /usr/share/openstack-octavia-amphora-images state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/multipathd/multipathd-container.yaml b/deployment/multipathd/multipathd-container.yaml index 02515ce49c..dafe597956 100644 --- a/deployment/multipathd/multipathd-container.yaml 
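Review bot: In the `@@ -237,18 +237,18 @@` hunk of mistral-executor-container-puppet.yaml, the copy of `undercloud.conf` to `/var/lib/mistral/undercloud.conf` keeps `mode: 0444` next to the relabelled `setype: container_file_t`, so the file is world-readable on the host and carries the type that container domains are allowed to read. If undercloud.conf can hold credentials or endpoint details in this deployment, a tighter mode with an explicit owner would be safer, for example `mode: '0440'`, after confirming which user the mistral container reads it as. Independently, quoting the value as `mode: '0444'` matches the quoted `'0750'` used by the other tasks and avoids relying on the YAML parser's octal handling. The task's name and module line are outside the hunk.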
+++ b/deployment/multipathd/multipathd-container.yaml @@ -154,10 +154,10 @@ outputs: file: path: /etc/multipath state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - name: ensure /etc/multipath.conf exists file: path: /etc/multipath.conf state: touch - setype: svirt_sandbox_file_t + setype: container_file_t upgrade_tasks: [] diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index 8df02d7a4f..88a98c0769 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml @@ -414,7 +414,7 @@ outputs: file: path: /var/lib/neutron state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - - name: enable virt_sandbox_use_netlink for healtcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/neutron/neutron-l3-container-puppet.yaml b/deployment/neutron/neutron-l3-container-puppet.yaml index 027c93d72a..291fab91ba 100644 --- a/deployment/neutron/neutron-l3-container-puppet.yaml +++ b/deployment/neutron/neutron-l3-container-puppet.yaml @@ -370,7 +370,7 @@ outputs: file: path: /var/lib/neutron state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - - name: enable virt_sandbox_use_netlink for healtcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/neutron/neutron-metadata-container-puppet.yaml b/deployment/neutron/neutron-metadata-container-puppet.yaml index 542e0570ce..c863306ab7 100644 --- a/deployment/neutron/neutron-metadata-container-puppet.yaml +++ b/deployment/neutron/neutron-metadata-container-puppet.yaml @@ -203,7 +203,7 @@ outputs: file: path: /var/lib/neutron state: directory - setype: svirt_sandbox_file_t + setype: container_file_t - - name: enable virt_sandbox_use_netlink for healtcheck seboolean: name: virt_sandbox_use_netlink 
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index ed4f9f89c2..2193ce548b 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml @@ -953,9 +953,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t } - - { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t } - - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/nova, 'setype': container_file_t } + - { 'path': /var/lib/nova/instances, 'setype': container_file_t } + - { 'path': /var/lib/libvirt, 'setype': container_file_t } - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml index 18147a9d2f..800e9fa681 100644 --- a/deployment/nova/nova-ironic-container-puppet.yaml +++ b/deployment/nova/nova-ironic-container-puppet.yaml @@ -221,8 +221,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/nova, 'setype': container_file_t } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 7b3fec65a6..3336e3254d 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml 
@@ -827,14 +827,14 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t } - - { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t } - - { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t } - - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t } - - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /etc/libvirt, 'setype': container_file_t } + - { 'path': /etc/libvirt/secrets, 'setype': container_file_t } + - { 'path': /etc/libvirt/qemu, 'setype': container_file_t } + - { 'path': /var/lib/libvirt, 'setype': container_file_t } + - { 'path': /var/lib/nova, 'setype': container_file_t } - { 'path': /var/run/libvirt, 'setype': virt_var_run_t } - - { 'path': /var/log/libvirt, 'setype': svirt_sandbox_file_t } - - { 'path': /var/log/libvirt/qemu, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/libvirt, 'setype': container_file_t } + - { 'path': /var/log/libvirt/qemu, 'setype': container_file_t } # qemu user on host will be cretaed by libvirt package install, ensure # the qemu user created with same uid/gid as like libvirt package. # These specific values are required since ovs is running on host. diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/nova/novajoin-container-puppet.yaml index 089ce93a6a..d0c878616c 100644 --- a/deployment/nova/novajoin-container-puppet.yaml +++ b/deployment/nova/novajoin-container-puppet.yaml @@ -246,7 +246,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/novajoin, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/novajoin, 'setype': container_file_t, 'mode': '0750' } - name: Enroll to FreeIPA command: ipa-client-install -U --password={{ ipa_otp }} args: 
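Review bot: The `/etc/libvirt/secrets` entry in the nova-libvirt hunk (`@@ -827,14 +827,14 @@`) gets the generic `container_file_t` type and no `mode`, so protection of the directory that holds libvirt secret material rests on the default umask and on which containers bind-mount the path. `container_file_t` is the type ordinary container domains are permitted to read and write, and a host directory labelled this way carries no per-container MCS category. Adding `'mode': '0700'` to that entry would keep a DAC barrier for non-root container users, assuming the task applies `item.mode` (its header is outside the hunk) and that libvirt in the container runs as root. A one-line comment listing which containers are expected to mount these paths would also help later audits.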
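Review bot: In the novajoin hunk (`@@ -246,7 +246,7 @@`), the context task `Enroll to FreeIPA` passes the enrollment OTP on the command line, `command: ipa-client-install -U --password={{ ipa_otp }}`, which exposes it in the host's process list and in Ansible's task output unless logging is suppressed. The task continues past the end of the hunk at `args:`, so whether `no_log: true` is already set cannot be seen here. If it is not, adding `no_log: true` to this task would keep the OTP out of deployment logs.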
diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml index ae56b11ac3..8dac65ed87 100644 --- a/deployment/octavia/octavia-api-container-puppet.yaml +++ b/deployment/octavia/octavia-api-container-puppet.yaml @@ -353,9 +353,9 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/log/containers/httpd/octavia-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/run/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/run/octavia, 'setype': container_file_t, 'mode': '0750' } update_tasks: - name: Set internal tls variable set_fact: diff --git a/deployment/octavia/octavia-health-manager-container-puppet.yaml b/deployment/octavia/octavia-health-manager-container-puppet.yaml index 4f76ff1909..4790780dee 100644 --- a/deployment/octavia/octavia-health-manager-container-puppet.yaml +++ b/deployment/octavia/octavia-health-manager-container-puppet.yaml @@ -155,4 +155,4 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' } diff --git a/deployment/octavia/octavia-housekeeping-container-puppet.yaml b/deployment/octavia/octavia-housekeeping-container-puppet.yaml index a50c9e182a..269f1f9a3f 100644 --- a/deployment/octavia/octavia-housekeeping-container-puppet.yaml +++ b/deployment/octavia/octavia-housekeeping-container-puppet.yaml 
@@ -154,5 +154,5 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' } upgrade_tasks: [] diff --git a/deployment/octavia/octavia-worker-container-puppet.yaml b/deployment/octavia/octavia-worker-container-puppet.yaml index 93ff5661a8..877c0a041f 100644 --- a/deployment/octavia/octavia-worker-container-puppet.yaml +++ b/deployment/octavia/octavia-worker-container-puppet.yaml @@ -141,7 +141,7 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' } - name: Ensure packages required for configuring octavia are present package: name: diff --git a/deployment/openvswitch/openvswitch-dpdk-netcontrold-container-ansible.yaml b/deployment/openvswitch/openvswitch-dpdk-netcontrold-container-ansible.yaml index d2e1102221..67254d9fc5 100644 --- a/deployment/openvswitch/openvswitch-dpdk-netcontrold-container-ansible.yaml +++ b/deployment/openvswitch/openvswitch-dpdk-netcontrold-container-ansible.yaml @@ -78,4 +78,4 @@ outputs: file: path: "/var/log/containers/netcontrold" state: directory - setype: "svirt_sandbox_file_t" + setype: "container_file_t" diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index 6ddac9ee53..cb136042e7 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml 
@@ -286,8 +286,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t } - name: enable virt_sandbox_use_netlink for healthcheck seboolean: name: virt_sandbox_use_netlink diff --git a/deployment/ovn/ovn-dbs-container-puppet.yaml b/deployment/ovn/ovn-dbs-container-puppet.yaml index 7f41819a23..a2341049eb 100644 --- a/deployment/ovn/ovn-dbs-container-puppet.yaml +++ b/deployment/ovn/ovn-dbs-container-puppet.yaml @@ -202,6 +202,6 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t } upgrade_tasks: [] diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index ce9b9b7342..2d5aa323b7 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml @@ -252,8 +252,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t } deploy_steps_tasks: - name: OVN DBS tag container image for pacemaker when: step|int == 1 
diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index 07bb6ff979..bccaba9edf 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml @@ -370,5 +370,5 @@ outputs: file: path: /var/lib/neutron state: directory - setype: svirt_sandbox_file_t + setype: container_file_t upgrade_tasks: [] diff --git a/deployment/qdr/qdrouterd-container-puppet.yaml b/deployment/qdr/qdrouterd-container-puppet.yaml index 1f01b2be8f..e7d74a4960 100644 --- a/deployment/qdr/qdrouterd-container-puppet.yaml +++ b/deployment/qdr/qdrouterd-container-puppet.yaml @@ -139,6 +139,6 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/qdrouterd, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/qdrouterd, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/qdrouterd, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/qdrouterd, 'setype': container_file_t } metadata_settings: {} diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index 3a9101ce61..0329f1b95c 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -346,8 +346,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/rabbitmq, 'setype': container_file_t } # TODO: Removal of package upgrade_tasks: [] update_tasks: diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index ae3caabbaa..bda21e7dcb 100644 
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml @@ -295,8 +295,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' } + - { 'path': /var/lib/rabbitmq, 'setype': container_file_t } upgrade_tasks: [] update_tasks: # TODO: Are we sure we want to support this. Rolling update diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml index 416f4650cc..4082226066 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml @@ -245,8 +245,8 @@ outputs: state: directory setype: "{{ item.setype }}" with_items: - - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t } - - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' } + - { 'path': /var/lib/rabbitmq, 'setype': container_file_t } + - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' } - name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container shell: | echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml index 46cebe8ac6..f186e87709 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml 
@@ -245,8 +245,8 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
+ - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
 - name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
 shell: |
 echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index fa42b93f81..4050e7fc9f 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -290,8 +290,8 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
 upgrade_tasks: []
 update_tasks:
 # TODO: Are we sure we want to support this. Rolling update
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
index f623013a72..821e447d07 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
@@ -253,8 +253,8 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
+ - { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
 - name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
 shell: |
 echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf
diff --git a/deployment/sahara/sahara-api-container-puppet.yaml b/deployment/sahara/sahara-api-container-puppet.yaml
index 0876b8989c..12581e4d98 100644
--- a/deployment/sahara/sahara-api-container-puppet.yaml
+++ b/deployment/sahara/sahara-api-container-puppet.yaml
@@ -210,8 +210,8 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/log/containers/sahara, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- - { 'path': /var/lib/sahara, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/sahara, 'setype': container_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/sahara, 'setype': container_file_t }
 fast_forward_upgrade_tasks:
 - when:
 - step|int == 0
diff --git a/deployment/sahara/sahara-engine-container-puppet.yaml b/deployment/sahara/sahara-engine-container-puppet.yaml
index 77243b49c4..181aedeb43 100644
--- a/deployment/sahara/sahara-engine-container-puppet.yaml
+++ b/deployment/sahara/sahara-engine-container-puppet.yaml
@@ -127,8 +127,8 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/log/containers/sahara, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- - { 'path': /var/lib/sahara, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/sahara, 'setype': container_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/sahara, 'setype': container_file_t }
 - name: enable virt_sandbox_use_netlink for healthcheck
 seboolean:
 name: virt_sandbox_use_netlink
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index cb4515fe91..3e4bf5040e 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -433,9 +433,9 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/log/containers/swift, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
+ - { 'path': /srv/node, 'setype': container_file_t }
+ - { 'path': /var/log/swift, 'setype': container_file_t }
+ - { 'path': /var/log/containers/swift, 'setype': container_file_t, 'mode': '0750' }
 deploy_steps_tasks:
 - name: Configure rsyslog for swift-proxy
 when: step|int == 1
diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml
index 15168c68ea..0e6dfd7887 100644
--- a/deployment/swift/swift-storage-container-puppet.yaml
+++ b/deployment/swift/swift-storage-container-puppet.yaml
@@ -596,9 +596,9 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/cache/swift, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/log/containers/swift, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
+ - { 'path': /srv/node, 'setype': container_file_t }
+ - { 'path': /var/cache/swift, 'setype': container_file_t }
+ - { 'path': /var/log/containers/swift, 'setype': container_file_t, 'mode': '0750' }
 - name: Set swift_use_local_disks fact
 set_fact:
 swift_use_local_disks: {get_param: SwiftUseLocalDir}
diff --git a/deployment/undercloud/tempest-container-puppet.yaml b/deployment/undercloud/tempest-container-puppet.yaml
index f285ec896e..f42a7796a3 100644
--- a/deployment/undercloud/tempest-container-puppet.yaml
+++ b/deployment/undercloud/tempest-container-puppet.yaml
@@ -59,9 +59,9 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/log/containers/tempest, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- - { 'path': /var/lib/tempestdata, 'setype': svirt_sandbox_file_t }
- - { 'path': /var/lib/tempest, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/tempest, 'setype': container_file_t, 'mode': '0750' }
+ - { 'path': /var/lib/tempestdata, 'setype': container_file_t }
+ - { 'path': /var/lib/tempest, 'setype': container_file_t }
 puppet_config:
 config_volume: ''
 step_config: ''
diff --git a/deployment/zaqar/zaqar-container-puppet.yaml b/deployment/zaqar/zaqar-container-puppet.yaml
index 7cf08735f3..c1093d6a38 100644
--- a/deployment/zaqar/zaqar-container-puppet.yaml
+++ b/deployment/zaqar/zaqar-container-puppet.yaml
@@ -388,7 +388,7 @@ outputs:
 state: directory
 setype: "{{ item.setype }}"
 with_items:
- - { 'path': /var/log/containers/zaqar, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- - { 'path': /var/log/containers/httpd/zaqar, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
+ - { 'path': /var/log/containers/zaqar, 'setype': container_file_t, 'mode': '0750' }
+ - { 'path': /var/log/containers/httpd/zaqar, 'setype': container_file_t, 'mode': '0750' }
 metadata_settings:
 get_attr: [ApacheServiceBase, role_data, metadata_settings]
diff --git a/environments/storage-environment.yaml b/environments/storage-environment.yaml
index eb5439e3a0..f6191b5d48 100644
--- a/environments/storage-environment.yaml
+++ b/environments/storage-environment.yaml
@@ -50,7 +50,7 @@ parameter_defaults:
 ## e.g. "'[fdd0::1]:/export/glance'")
 # GlanceNfsShare: ''
 ## Mount options for the NFS image storage mount point
- # GlanceNfsOptions: 'intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
+ # GlanceNfsOptions: 'intr,context=system_u:object_r:container_file_t:s0'
 #### NOVA NFS SETTINGS ####
diff --git a/environments/storage/glance-nfs.yaml b/environments/storage/glance-nfs.yaml
index 21f5c68eef..0ae729524d 100644
--- a/environments/storage/glance-nfs.yaml
+++ b/environments/storage/glance-nfs.yaml
@@ -19,7 +19,7 @@ parameter_defaults:
 # NFS mount options for image storage (when GlanceNfsEnabled is true)
 # Type: string
- GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0
+ GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
 # NFS share to mount for image storage (when GlanceNfsEnabled is true)
 # Type: string
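Review bot: The new `GlanceNfsOptions` default assumes the SELinux policy loaded on every node defines `container_file_t`, and nothing visible in this patch states or checks that. A `context=` mount option naming a type the policy does not know is refused at mount time, so on a host whose policy only knows the old name the Glance share would fail to mount. I would record the requirement next to the parameter, e.g. `# Requires an SELinux policy that defines container_file_t`, and the same comment applies to `GlanceStagingNfsOptions` in the next hunk and to the commented example in environments/storage-environment.yaml. The `parameter_defaults` mapping starts and ends outside this hunk.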
@@ -31,7 +31,7 @@ parameter_defaults:
 # NFS mount options for NFS image import staging
 # Type: string
- GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0
+ GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
 # NFS share to mount for image import staging
 # Type: string
diff --git a/releasenotes/notes/svirt_sandbox_file_t-to-container_file_t-f4914561f6e9e4c7.yaml b/releasenotes/notes/svirt_sandbox_file_t-to-container_file_t-f4914561f6e9e4c7.yaml
new file mode 100644
index 0000000000..dd45b7f9f7
--- /dev/null
+++ b/releasenotes/notes/svirt_sandbox_file_t-to-container_file_t-f4914561f6e9e4c7.yaml
@@ -0,0 +1,5 @@
+---
+other:
+ - Not a functionnal change, only cosmetics. For better understanding and
+ readability, changing all the svirt_sandbox_file_t to shorter, nicer
+ container_file_t