openstack/bifrost
Code Issues Proposed changes

selinux: allow nginx to read symbolic links

Browse Source 
This is required to support netboot (which is off by default, but
is useful together with the netboot fallback).

Change-Id: I4d7640a24fac9fca2c24bc06fcedff400d74ed8d
This commit is contained in:
Dmitry Tantsur 2020-07-16 17:58:30 +02:00
parent 6610cf4ee1
commit 8210ff3696
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
View File

@ -7,13 +7,15 @@ require {
class file open; class file open;
class file read; class file read;
class file getattr; class file getattr;
class lnk_file read;
} }
#============= httpd_t ============== #============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
allow httpd_t root_t:file open; allow httpd_t root_t:file open;
allow httpd_t default_t:file open; allow httpd_t default_t:file open;
allow httpd_t root_t:file { read getattr }; allow httpd_t root_t:file { read getattr };
allow httpd_t default_t:file { read getattr }; allow httpd_t default_t:file { read getattr };
allow httpd_t root_t:lnk_file read;
allow httpd_t default_t:lnk_file read;

5
releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml Normal file
View File

@ -0,0 +1,5 @@
---
fixes:
- |
On systems with SELinux enforcing, enables nginx to read symbolic links.
Fixes network boot of instances.