From d77fe55516ce93a8984108daccbb75b72095503f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Tue, 23 Mar 2021 12:42:06 +0100 Subject: [PATCH] Ensure SELinux context persist across restorecon and reboot Until now, we only relied on the ":z" flag in order to set container volumes label to container_file_t. While it works fine, it has multiple issues: - if an operator runs a restorecon, it might break the container service - if an SELinux related package is updated, it might reset the label, and break the container service - it requires a container stop&start to reset the label to the expected value - in case of a deep tree or a huge number of files, relabelling takes time This change ensures the system sets the expected context on the specific locations, instead of following the content of selinux-policy-targeted rulesets. It has an equivalent for some locations in tripleo-ansible repository: https://review.opendev.org/c/openstack/tripleo-ansible/+/782393 Note about swift locations: Since openstack-selinux already sets fcontext rules for, at least, one swift location, we can't override it here.
The following openstack-selinux patch is being pushed in order to work around this specific case: https://github.com/redhat-openstack/openstack-selinux/pull/73 Change-Id: Icb7f58004e281b42141c70a9a4895905dc32b45d Resolves: rhbz#1941922 --- common/common-container-config-scripts.yaml | 8 ++++++++ deployment/cinder/cinder-common-container-puppet.yaml | 5 +++++ deployment/database/mysql-container-puppet.yaml | 5 +++++ deployment/database/redis-container-puppet.yaml | 5 +++++ deployment/ironic/ironic-conductor-container-puppet.yaml | 5 +++++ deployment/ironic/ironic-inspector-container-puppet.yaml | 5 +++++ deployment/iscsid/iscsid-container-puppet.yaml | 9 +++++++++ deployment/manila/manila-share-container-puppet.yaml | 5 +++++ deployment/messaging/rpc-qdrouterd-container-puppet.yaml | 5 +++++ deployment/qdr/qdrouterd-container-puppet.yaml | 5 +++++ deployment/rabbitmq/rabbitmq-container-puppet.yaml | 5 +++++ .../rabbitmq-messaging-notify-container-puppet.yaml | 5 +++++ .../rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml | 5 +++++ .../rabbitmq-messaging-rpc-container-puppet.yaml | 5 +++++ .../rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 5 +++++ deployment/swift/swift-storage-container-puppet.yaml | 4 ++++ 16 files changed, 86 insertions(+)
diff --git a/common/common-container-config-scripts.yaml b/common/common-container-config-scripts.yaml
index 41ea793a5f..f4fa1cb3b9 100644
--- a/common/common-container-config-scripts.yaml
+++ b/common/common-container-config-scripts.yaml
@@ -1,3 +1,11 @@
+- name: Create fcontext entry for container-config-scripts
+ sefcontext:
+ target: "/var/lib/container-config-scripts(/.*)?"
+ setype: container_file_t
+ state: present
+ tags:
+ - container_config_scripts
+
 - name: Create /var/lib/container-config-scripts
 become: true
 file:
diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
index c6ebddecaa..8a6c9712bf 100644
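Review bot: The new sefcontext task has no `become: true`, while the task right after it in this hunk, "Create /var/lib/container-config-scripts", carries one; sefcontext writes to the SELinux policy store through semanage, which needs root, so if this file is included by an unprivileged play the new task fails where the existing one did not. Adding `become: true` directly under the task name keeps the two consistent. Two caveats apply to every sefcontext task in this patch (cinder, mysql, redis, ironic, ironic-inspector, iscsid, manila, both qdrouterd files and all rabbitmq files): as far as I can tell the module only registers the rule and reloads the policy, it does not relabel content that already exists, so on an already-deployed node the label change still arrives through the volume's `:z` relabel or a restorecon. It also fails outright on a host where SELinux is disabled or the policycoreutils python bindings are missing, so if such hosts are supported the tasks want a guard such as `when: ansible_facts['selinux']['status'] == 'enabled'`.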
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml
@@ -107,6 +107,11 @@ outputs:
 cinder_common_host_prep_tasks:
 description: Common host prep tasks for cinder-volume and cinder-backup services
 value: &cinder_common_host_prep_tasks
+ - name: create fcontext entry for cinder data
+ sefcontext:
+ target: "/var/lib/cinder(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/database/mysql-container-puppet.yaml b/deployment/database/mysql-container-puppet.yaml
index 6bad2bd670..0857571b73 100644
--- a/deployment/database/mysql-container-puppet.yaml
+++ b/deployment/database/mysql-container-puppet.yaml
@@ -261,6 +261,11 @@ outputs:
 deploy_steps_tasks:
 get_attr: [MysqlBase, role_data, deploy_steps_tasks]
 host_prep_tasks:
+ - name: create fcontext entry for mysql data
+ sefcontext:
+ target: "/var/lib/mysql(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
index 88c4f9a86e..a495675080 100644
--- a/deployment/database/redis-container-puppet.yaml
+++ b/deployment/database/redis-container-puppet.yaml
@@ -242,6 +242,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: create fcontext entry for redis data
+ sefcontext:
+ target: "/var/run/redis(/.*)?" # conflicts with equivalency rule '/run /var/run' - have to use /var/run here...
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/ironic/ironic-conductor-container-puppet.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml
index 02f762131e..c250aee07a 100644
--- a/deployment/ironic/ironic-conductor-container-puppet.yaml
+++ b/deployment/ironic/ironic-conductor-container-puppet.yaml
@@ -590,6 +590,11 @@ outputs:
 vars:
 modules:
 - name: iscsi_tcp
+ - name: create fcontext entry for ironic data
+ sefcontext:
+ target: "/var/lib/ironic(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index 5cefaf870f..733002e340 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -519,6 +519,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for ironic-inspector data
+ sefcontext:
+ target: "/var/lib/ironic-inspector/dhcp-hostsdir(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index c35ee162e8..84872b102b 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
@@ -144,6 +144,15 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for iscsi
+ sefcontext:
+ target: "{{ item.path }}(/.*)?"
+ setype: "{{ item.setype }}"
+ state: present
+ with_items:
+ - { 'path': /etc/iscsi, 'setype': container_file_t }
+ - { 'path': /etc/target, 'setype': container_file_t }
+ - { 'path': /var/lib/iscsi, 'setype': container_file_t }
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
index 9828b095b0..9dec235c0f 100644
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
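Review bot: The `with_items` in the iscsid hunk carries a per-item setype, but all three entries use container_file_t, so the `{{ item.setype }}` indirection and the flow-style mappings with quoted keys only add noise; a plain list of paths with a fixed `setype: container_file_t` reads better, and `loop:` is the current Ansible form if the file's Ansible version allows it. The task also deserves a comment: /etc/iscsi and /etc/target are host-side configuration directories rather than service data, and container_file_t without MCS categories (which is how an fcontext rule labels them) is the type any container_t process may read and write, so this rule persistently extends access to them beyond the iscsid container — presumably the same exposure the `:z` relabel already created, only now surviving restorecon. Something like `# host iSCSI config shared with the iscsid container; container_file_t is reachable by any container process` above the task records that intent.
```yaml
      - name: create fcontext entry for iscsi
        sefcontext:
          target: "{{ item }}(/.*)?"
          setype: container_file_t
          state: present
        loop:
          - /etc/iscsi
          - /etc/target
          - /var/lib/iscsi
      # … unchanged: create persistent directories …
```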
@@ -178,6 +178,11 @@ outputs:
 volumes: {get_attr: [ManilaShareCommon, manila_share_volumes]}
 environment: {get_attr: [ManilaShareCommon, manila_share_environment]}
 host_prep_tasks:
+ - name: create fcontext entry for manila data
+ sefcontext:
+ target: "/var/lib/manila(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
index a230cda174..969a5fe7a1 100644
--- a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
+++ b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
@@ -140,6 +140,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for qdrouterd data
+ sefcontext:
+ target: "/var/lib/qdrouterd(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent logs directory
 file:
 path: "{{ item.path }}"
diff --git a/deployment/qdr/qdrouterd-container-puppet.yaml b/deployment/qdr/qdrouterd-container-puppet.yaml
index a0173bd268..c3913b2009 100644
--- a/deployment/qdr/qdrouterd-container-puppet.yaml
+++ b/deployment/qdr/qdrouterd-container-puppet.yaml
@@ -130,6 +130,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for qrouterd data
+ sefcontext:
+ target: "/var/lib/qdrouterd(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
index 7949f26170..edf4aa7817 100644
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
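Review bot: The task name in the qdr hunk reads `create fcontext entry for qrouterd data`; "qrouterd" is a typo for qdrouterd, which the rpc-qdrouterd hunk just above spells correctly. The same family of names is inconsistent across the rest of the patch: rabbitmq-container-puppet.yaml says `creat fcontext entry for rabbitmq data`, and the four rabbitmq-messaging-*-puppet.yaml files say `create fcontext for rabbitmq data`, while every other file uses the `create fcontext entry for <service> data` form. Task names are what operators grep for in deploy logs, so one spelling helps: `- name: create fcontext entry for qdrouterd data` here and `create fcontext entry for rabbitmq data` in the five rabbitmq files.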
@@ -389,6 +389,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: creat fcontext entry for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
index cccce7a036..89c5a9ded2 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
@@ -324,6 +324,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
index 1e8cda5218..98ce849dce 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
@@ -221,6 +221,11 @@ outputs:
 # update (scale-out, etc.)
 TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index b82d5de136..4533670939 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -324,6 +324,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
index 498b1f0439..56f23e55b1 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
@@ -223,6 +223,11 @@ outputs:
 metadata_settings:
 get_attr: [RabbitmqBase, role_data, metadata_settings]
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml
index 50a7e0956d..063c0c2fc6 100644
--- a/deployment/swift/swift-storage-container-puppet.yaml
+++ b/deployment/swift/swift-storage-container-puppet.yaml
@@ -602,6 +602,10 @@ outputs:
 - {}
 host_prep_tasks:
+ # NOTE: we can't set fcontext for swift locations since they are
+ # already set in openstack-selinux package. In order to work around
+ # this specific case, the following change is being pushed:
+ # https://github.com/redhat-openstack/openstack-selinux/pull/73
 - name: create persistent directories
 file:
 path: "{{ item.path }}"