Add selinux configuration for OVB jobs

Add template with selinux config and disable it for CentOS in CI.
Co-Author: Ronelle Landy <rlandy@redhat.com>
Closes-Bug: #1821744
Change-Id: I9b1143152e4e120c1c1aff8f4a7882a4799eb776

roles/overcloud-deploy/defaults/main.yml

@@ -104,6 +104,7 @@ multinode_args: ""
 ovn_args: ""
 telemetry_args: ""
 config_download_args: ""
+selinux_args: ""
 
 deploy_args: >-
   {{ libvirt_args }}
@@ -130,6 +131,7 @@ deploy_args: >-
   {{ composable_args }}
   {{ topology }}
   {{ config_download_args }}
+  {{ selinux_args }}
   {{ extra_args }}
 
 composable_roles: false
@@ -174,3 +176,10 @@ resource_registry_args:
 # Used to deploy podman on the undercloud instead of docker
 # TODO(emilien) in Stein, we'll switch the default to podman
 overcloud_container_cli: docker
+# We disable selinux when running under CentOS. It's enabled for RHEL
+overcloud_selinux_enabled: >-
+   {% if ansible_distribution == 'CentOS' -%}
+   permissive
+   {%- else -%}
+   enforcing
+   {%- endif -%}

roles/overcloud-deploy/tasks/create-scripts.yml

@@ -73,3 +73,8 @@
   template:
     src: "ansible.cfg.j2"
     dest: "{{ working_dir }}/custom_ansible.cfg"
+
+- name: Create selinux configuration for overcloud
+  template:
+    src: "overcloud-selinux-config.yaml.j2"
+    dest: "{{ working_dir }}/overcloud-selinux-config.yaml"

roles/overcloud-deploy/tasks/pre-deploy.yml

@@ -277,3 +277,8 @@
   when:
     - ci_job_end_time is defined
     - '"ovb" not in lookup("env", "TOCI_JOBTYPE")'
+
+- name: Set the selinux args
+  set_fact:
+    selinux_args: >-
+      -e {{ working_dir }}/overcloud-selinux-config.yaml

roles/overcloud-deploy/templates/overcloud-selinux-config.yaml.j2

@@ -0,0 +1,2 @@
+parameter_defaults:
+  SELinuxMode: '{{ overcloud_selinux_enabled }}'