Merge "Ensure SELinux context persist across restorecon and reboot"

common/common-container-config-scripts.yaml

@@ -1,3 +1,11 @@
+- name: Create fcontext entry for container-config-scripts
+  sefcontext:
+    target: "/var/lib/container-config-scripts(/.*)?"
+    setype: container_file_t
+    state: present
+  tags:
+    - container_config_scripts
+
 - name: Create /var/lib/container-config-scripts
   become: true
   file:

deployment/cinder/cinder-common-container-puppet.yaml

@@ -107,6 +107,11 @@ outputs:
   cinder_common_host_prep_tasks:
     description: Common host prep tasks for cinder-volume and cinder-backup services
     value: &cinder_common_host_prep_tasks
+      - name: create fcontext entry for cinder data
+        sefcontext:
+          target: "/var/lib/cinder(/.*)?"
+          setype: container_file_t
+          state: present
       - name: create persistent directories
         file:
           path: "{{ item.path }}"

deployment/database/mysql-container-puppet.yaml

@@ -261,6 +261,11 @@ outputs:
       deploy_steps_tasks:
         get_attr: [MysqlBase, role_data, deploy_steps_tasks]
       host_prep_tasks:
+        - name: create fcontext entry for mysql data
+          sefcontext:
+            target: "/var/lib/mysql(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/database/redis-container-puppet.yaml

@@ -240,6 +240,11 @@ outputs:
                         - {get_param: RedisCertificateKeySize}
                     ca: ipa
       host_prep_tasks:
+        - name: create fcontext entry for redis data
+          sefcontext:
+            target: "/var/run/redis(/.*)?" # conflicts with equivalency rule '/run /var/run' - have to use /var/run here...
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/ironic/ironic-conductor-container-puppet.yaml

@@ -586,6 +586,11 @@ outputs:
           vars:
             modules:
               - name: iscsi_tcp
+        - name: create fcontext entry for ironic data
+          sefcontext:
+            target: "/var/lib/ironic(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/ironic/ironic-inspector-container-puppet.yaml

@@ -519,6 +519,11 @@ outputs:
             environment:
               KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
       host_prep_tasks:
+        - name: create fcontext entry for ironic-inspector data
+          sefcontext:
+            target: "/var/lib/ironic-inspector/dhcp-hostsdir(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/iscsid/iscsid-container-puppet.yaml

@@ -144,6 +144,15 @@ outputs:
             environment:
               KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
       host_prep_tasks:
+        - name: create fcontext entry for iscsi
+          sefcontext:
+            target: "{{ item.path }}(/.*)?"
+            setype: "{{ item.setype }}"
+            state: present
+          with_items:
+            - { 'path': /etc/iscsi, 'setype': container_file_t }
+            - { 'path': /etc/target, 'setype': container_file_t }
+            - { 'path': /var/lib/iscsi, 'setype': container_file_t }
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/manila/manila-share-container-puppet.yaml

@@ -178,6 +178,11 @@ outputs:
             volumes: {get_attr: [ManilaShareCommon, manila_share_volumes]}
             environment: {get_attr: [ManilaShareCommon, manila_share_environment]}
       host_prep_tasks:
+        - name: create fcontext entry for manila data
+          sefcontext:
+            target: "/var/lib/manila(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/messaging/rpc-qdrouterd-container-puppet.yaml

@@ -140,6 +140,11 @@ outputs:
             environment:
               KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
       host_prep_tasks:
+      - name: create fcontext entry for qdrouterd data
+        sefcontext:
+          target: "/var/lib/qdrouterd(/.*)?"
+          setype: container_file_t
+          state: present
       - name: create persistent logs directory
         file:
           path: "{{ item.path }}"

deployment/qdr/qdrouterd-container-puppet.yaml

@@ -130,6 +130,11 @@ outputs:
             environment:
               KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
       host_prep_tasks:
+      - name: create fcontext entry for qrouterd data
+        sefcontext:
+          target: "/var/lib/qdrouterd(/.*)?"
+          setype: container_file_t
+          state: present
       - name: create persistent directories
         file:
           path: "{{ item.path }}"

deployment/rabbitmq/rabbitmq-container-puppet.yaml

@@ -387,6 +387,11 @@ outputs:
                         - {get_param: RabbitmqCertificateKeySize}
                     ca: ipa
       host_prep_tasks:
+        - name: creat fcontext entry for rabbitmq data
+          sefcontext:
+            target: "/var/lib/rabbitmq(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml

@@ -322,6 +322,11 @@ outputs:
                         - {get_param: RabbitmqMessageCertificateKeySize}
                     ca: ipa
       host_prep_tasks:
+        - name: create fcontext for rabbitmq data
+          sefcontext:
+            target: "/var/lib/rabbitmq(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml

@@ -221,6 +221,11 @@ outputs:
               # update (scale-out, etc.)
               TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
       host_prep_tasks:
+        - name: create fcontext for rabbitmq data
+          sefcontext:
+            target: "/var/lib/rabbitmq(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml

@@ -322,6 +322,11 @@ outputs:
                         - {get_param: RpcCertificateKeySize}
                     ca: ipa
       host_prep_tasks:
+        - name: create fcontext for rabbitmq data
+          sefcontext:
+            target: "/var/lib/rabbitmq(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml

@@ -223,6 +223,11 @@ outputs:
       metadata_settings:
         get_attr: [RabbitmqBase, role_data, metadata_settings]
       host_prep_tasks:
+        - name: create fcontext for rabbitmq data
+          sefcontext:
+            target: "/var/lib/rabbitmq(/.*)?"
+            setype: container_file_t
+            state: present
         - name: create persistent directories
           file:
             path: "{{ item.path }}"

deployment/swift/swift-storage-container-puppet.yaml

@@ -602,6 +602,10 @@ outputs:
               - {}
 
       host_prep_tasks:
+        # NOTE: we can't set fcontext for swift locations since they are
+        # already set in openstack-selinux package. In order to work around
+        # this specific case, the following change is being pushed:
+        # https://github.com/redhat-openstack/openstack-selinux/pull/73
         - name: create persistent directories
           file:
             path: "{{ item.path }}"