Ensure the correct SELinux context for /httpboot and /tftpboot

The sefcontext module does not modify existing files, so we need
to run restorecon. This, in turn, makes the custom ironic policy
unnecessary.

Also fixes the ownership of the checksums file.

Change-Id: Ie97d0af286e11bfd0459a1dca0171eff5afa77bc
Dmitry Tantsur 2020-11-06 16:23:01 +01:00
parent a03335c41b
commit e3fd08fa00
3 changed files with 36 additions and 48 deletions


@ -1,21 +0,0 @@
module ironic_policy 1.0;
require {
type httpd_t;
type root_t;
type default_t;
class file open;
class file read;
class file getattr;
class lnk_file read;
}
#============= httpd_t ==============
allow httpd_t root_t:file open;
allow httpd_t default_t:file open;
allow httpd_t root_t:file { read getattr };
allow httpd_t default_t:file { read getattr };
allow httpd_t root_t:lnk_file read;
allow httpd_t default_t:lnk_file read;


@ -323,19 +323,27 @@
when: when:
- not create_ipa_image | bool - not create_ipa_image | bool
- download_ipa | bool - download_ipa | bool
- name: "Download cirros to use for deployment if requested"
- block:
- name: "Download cirros to use for deployment if requested"
get_url: get_url:
url: "{{ cirros_deploy_image_upstream_url }}" url: "{{ cirros_deploy_image_upstream_url }}"
dest: "{{ deploy_image }}" dest: "{{ deploy_image }}"
owner: ironic owner: ironic
group: ironic group: ironic
mode: 0644 mode: 0644
when: use_cirros | bool - name: "Create a checksum file for cirros"
- name: "Create a checksum file for cirros"
shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS
args: args:
chdir: "{{ http_boot_folder }}" chdir: "{{ http_boot_folder }}"
- name: "Ensure the checksum file is readable"
file:
path: "{{ http_boot_folder }}/{{ deploy_image_filename }}.CHECKSUMS"
owner: ironic
group: ironic
mode: 0644
when: use_cirros | bool when: use_cirros | bool
- name: > - name: >
"Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned "Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned
and TCP/6385 for IPA callback" and TCP/6385 for IPA callback"
@ -401,22 +409,15 @@
setype: httpd_sys_content_t setype: httpd_sys_content_t
state: present state: present
- name: Copy ironic policy file to temporary directory - name: Disable the old ironic policy if it was enabled
copy: command: semodule -d ironic_policy
src: ironic_policy.te ignore_errors: true
dest: /tmp/ironic_policy.te
- name: Check ironic policy module - name: Apply the correct SELinux context to the directories
command: checkmodule -M -m -o /tmp/ironic_policy.mod /tmp/ironic_policy.te command: restorecon -iRv {{ item }}
loop:
- name: Package ironic policy module - "{{ http_boot_folder }}"
command: semodule_package -m /tmp/ironic_policy.mod -o /tmp/ironic_policy.pp - /tftpboot
- name: Include ironic policy module
command: semodule -i /tmp/ironic_policy.pp
- name: Enable ironic policy module
command: semodule -e ironic_policy
when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing" ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
- name: "Configure remote logging" - name: "Configure remote logging"
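Review bot: `ignore_errors: true` on the new `semodule -d ironic_policy` task masks every failure of that command, not only the expected "module not installed" case on hosts that never had the legacy policy, and it leaves an ignored-failure line in every run on such hosts. Registering `semodule -l` and using it as the task's `when:` condition expresses the intent directly and lets genuine semodule failures surface. The `restorecon -iRv` loop will also report `changed` on every run because `command` carries no idempotency information; registering the result and setting `changed_when` on the verbose output (restorecon -v prints only when it relabels) keeps the change report accurate. Hard-coding `/tftpboot` next to `{{ http_boot_folder }}` looks inconsistent; if the role already has a variable for the TFTP directory it should presumably be used here. The enclosing block (the sefcontext tasks above these) starts outside the hunk; its trailing `when:` is visible.
```yaml
- name: List installed SELinux policy modules
  command: semodule -l
  register: selinux_modules
  changed_when: false

- name: Disable the old ironic policy if it was enabled
  command: semodule -d ironic_policy
  when: "'ironic_policy' in selinux_modules.stdout"

- name: Apply the correct SELinux context to the directories
  command: restorecon -iRv {{ item }}
  register: restorecon_result
  changed_when: restorecon_result.stdout != ""
  loop:
    - "{{ http_boot_folder }}"
    - /tftpboot
# … unchanged: block-level when: on os family and SELinux mode …
```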


@ -0,0 +1,8 @@
---
fixes:
- |
Fixes SELinux context not being applied to /httpboot and /tftpboot.
This renders the ``ironic_policy`` module unnecessary, and it has been
removed.
- |
Ensures that the checksums file has the correct ownership.