diff --git a/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te b/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
deleted file mode 100644
index b58082dde..000000000
--- a/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
+++ /dev/null
@@ -1,21 +0,0 @@
-module ironic_policy 1.0;
-
-require {
-	type httpd_t;
-	type root_t;
-	type default_t;
-	class file open;
-	class file read;
-	class file getattr;
-	class lnk_file read;
-}
-
-
-#============= httpd_t ==============
-
-allow httpd_t root_t:file open;
-allow httpd_t default_t:file open;
-allow httpd_t root_t:file { read getattr };
-allow httpd_t default_t:file { read getattr };
-allow httpd_t root_t:lnk_file read;
-allow httpd_t default_t:lnk_file read;
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index d1729cc9d..764dff08e 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -323,19 +323,27 @@
   when:
     - not create_ipa_image | bool
     - download_ipa | bool
-- name: "Download cirros to use for deployment if requested"
-  get_url:
-    url: "{{ cirros_deploy_image_upstream_url }}"
-    dest: "{{ deploy_image }}"
-    owner: ironic
-    group: ironic
-    mode: 0644
-  when: use_cirros | bool
-- name: "Create a checksum file for cirros"
-  shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS
-  args:
-    chdir: "{{ http_boot_folder }}"
+
+- block:
+  - name: "Download cirros to use for deployment if requested"
+    get_url:
+      url: "{{ cirros_deploy_image_upstream_url }}"
+      dest: "{{ deploy_image }}"
+      owner: ironic
+      group: ironic
+      mode: 0644
+  - name: "Create a checksum file for cirros"
+    shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS
+    args:
+      chdir: "{{ http_boot_folder }}"
+  - name: "Ensure the checksum file is readable"
+    file:
+      path: "{{ http_boot_folder }}/{{ deploy_image_filename }}.CHECKSUMS"
+      owner: ironic
+      group: ironic
+      mode: 0644
   when: use_cirros | bool
+
 - name: >
     "Explicitly permit nginx port (TCP) for file downloads from nodes to be
     provisioned and TCP/6385 for IPA callback"
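Review bot: The `get_url` task in the new block fetches the cirros image from `cirros_deploy_image_upstream_url` without a `checksum:` argument, so the md5sum written two tasks later attests only to whatever was downloaded and can never detect a tampered or truncated upstream image. `get_url` accepts `checksum: "sha256:<EXPECTED_DIGEST_PLACEHOLDER>"` (the digest belongs in a variable kept next to the URL), which would also make the download idempotent instead of re-fetching on every run. The `shell` task interpolates `deploy_image_filename` unquoted into a command line; `shell: md5sum {{ deploy_image_filename | quote }} > {{ deploy_image_filename | quote }}.CHECKSUMS` keeps a filename with spaces or shell metacharacters from breaking the command, and a `changed_when` or `creates:` would stop the task reporting changed on every run. The task whose `when:` opens this hunk starts outside it.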
@@ -401,22 +409,15 @@
       setype: httpd_sys_content_t
       state: present
-  - name: Copy ironic policy file to temporary directory
-    copy:
-      src: ironic_policy.te
-      dest: /tmp/ironic_policy.te
+  - name: Disable the old ironic policy if it was enabled
+    command: semodule -d ironic_policy
+    ignore_errors: true
-  - name: Check ironic policy module
-    command: checkmodule -M -m -o /tmp/ironic_policy.mod /tmp/ironic_policy.te
-  - name: Package ironic policy module
-    command: semodule_package -m /tmp/ironic_policy.mod -o /tmp/ironic_policy.pp
-  - name: Include ironic policy module
-    command: semodule -i /tmp/ironic_policy.pp
-  - name: Enable ironic policy module
-    command: semodule -e ironic_policy
+  - name: Apply the correct SELinux context to the directories
+    command: restorecon -iRv {{ item }}
+    loop:
+      - "{{ http_boot_folder }}"
+      - /tftpboot
   when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
 - name: "Configure remote logging"
diff --git a/releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml b/releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml
new file mode 100644
index 000000000..f71fec7fb
--- /dev/null
+++ b/releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixes SELinux context not being applied to /httpboot and /tftpboot.
+    This renders the ``ironic_policy`` module unnecessary, and it has been
+    removed.
+  - |
+    Ensures that the checksums file has the correct ownership.
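Review bot: `ignore_errors: true` on `semodule -d ironic_policy` swallows every failure of that command, not only the expected case where the module was never installed, and `-d` merely disables the module, so the allow rules it carried (httpd_t reading root_t and default_t files and symlinks, per the deleted ironic_policy.te) stay in the policy store and come back with a single `semodule -e`. Since this commit's release note says the module has been removed, listing installed modules with `semodule -l` and running `semodule -r ironic_policy` only when it is present matches that wording and still lets a genuine error surface; if keeping the disabled module around for rollback is intended, a comment on the task saying so would help the next reader. Both new `command` tasks also report changed on every run; `changed_when: false` on the listing step, and for `restorecon -iRv` something like `changed_when: restorecon_result.stdout != ''` (its verbose output names relabeled paths — confirm on the target OS), would keep the play idempotent. The enclosing `block:` whose `when:` closes this hunk starts outside it.

```yaml
  - name: List installed SELinux modules
    command: semodule -l
    register: semodule_list
    changed_when: false

  - name: Remove the old ironic policy module if it is still installed
    command: semodule -r ironic_policy
    when: "'ironic_policy' in semodule_list.stdout"

  # … unchanged: restorecon loop over http_boot_folder and /tftpboot …
```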