Add SELinux management to containerized undercloud

In instack-undercloud we manage the selinux configuration during the
deployment. This change exposes the configuration as a new tripleo
service for selinux so we can configure it.

Change-Id: I2109bf62e307df92b6bdb57600c58dd61482f46d
Partial-Bug: #1779005

environments/undercloud.yaml

@@ -7,6 +7,9 @@ resource_registry:
   # Allows us to control the external VIP for Undercloud SSL
   OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_from_pool.yaml
 
+  # We managed this in instack-undercloud, so we need to manage it here.
+  OS::TripleO::Services::SELinux: ../puppet/services/selinux.yaml
+
   # services we disable by default on the undercloud
   OS::TripleO::Services::AodhApi: OS::Heat::None
   OS::TripleO::Services::AodhEvaluator: OS::Heat::None

overcloud-resource-registry-puppet.j2.yaml

@@ -187,6 +187,7 @@ resource_registry:
   OS::TripleO::Services::TripleoUI: OS::Heat::None
   OS::TripleO::Services::Tuned: puppet/services/tuned.yaml
   OS::TripleO::Services::Securetty: OS::Heat::None
+  OS::TripleO::Services::SELinux: OS::Heat::None
   OS::TripleO::Services::Sshd: docker/services/sshd.yaml
   OS::TripleO::Services::Redis: docker/services/database/redis.yaml
   OS::TripleO::Services::MongoDb: puppet/services/disabled/mongodb-disabled.yaml

puppet/services/selinux.yaml

@@ -0,0 +1,48 @@
+heat_template_version: rocky
+
+description: >
+  Configure SELinux
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  SELinuxMode:
+    default: 'enforcing'
+    description: Configures SELinux mode
+    type: string
+    constraints:
+      - allowed_values: [ 'enforcing', 'permissive', 'disabled' ]
+
+outputs:
+  role_data:
+    description: SELinux configuration
+    value:
+      service_name: selinux
+      config_settings:
+          tripleo::selinux::mode: {get_param: SELinuxMode}
+      step_config: |
+        include ::tripleo::selinux

releasenotes/notes/undercloud-selinux-37fc6f69a9753109.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Added support to be able to configure SELinux with the containerized
+    undercloud. By default it is `enforcing`. To disable SELinux, use
+    `SELinuxMode: permissive` as part of the deployment extra configuration.

roles/Undercloud.yaml

@@ -75,6 +75,7 @@
     - OS::TripleO::Services::PankoApi
     - OS::TripleO::Services::Redis
     - OS::TripleO::Services::Rhsm
+    - OS::TripleO::Services::SELinux
     - OS::TripleO::Services::Sshd
     - OS::TripleO::Services::SwiftProxy
     - OS::TripleO::Services::SwiftRingBuilder

roles_data_undercloud.yaml

@@ -78,6 +78,7 @@
     - OS::TripleO::Services::PankoApi
     - OS::TripleO::Services::Redis
     - OS::TripleO::Services::Rhsm
+    - OS::TripleO::Services::SELinux
     - OS::TripleO::Services::Sshd
     - OS::TripleO::Services::SwiftProxy
     - OS::TripleO::Services::SwiftRingBuilder