From e3fd08fa00d8b85d340e6925dce324723dc83da8 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Fri, 6 Nov 2020 16:23:01 +0100
Subject: [PATCH] Ensure the correct SELinux context for /httpboot and /tftpboot

The sefcontext module does not modify existing files, so we need to run restorecon. This, in turn, makes the custom ironic policy unnecessary. Also fixes the ownership of the checksums file.

Change-Id: Ie97d0af286e11bfd0459a1dca0171eff5afa77bc
---
 .../files/ironic_policy.te | 21 -------
 .../tasks/bootstrap.yml | 55 ++++++++++---------
 .../notes/secontext-1f5ac63dbd0762d2.yaml | 8 +++
 3 files changed, 36 insertions(+), 48 deletions(-)
 delete mode 100644 playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
 create mode 100644 releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml
diff --git a/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te b/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
deleted file mode 100644
index b58082dde..000000000
--- a/playbooks/roles/bifrost-ironic-install/files/ironic_policy.te
+++ /dev/null
@@ -1,21 +0,0 @@
-module ironic_policy 1.0;
-
-require {
- type httpd_t;
- type root_t;
- type default_t;
- class file open;
- class file read;
- class file getattr;
- class lnk_file read;
-}
-
-
-#============= httpd_t ==============
-
-allow httpd_t root_t:file open;
-allow httpd_t default_t:file open;
-allow httpd_t root_t:file { read getattr };
-allow httpd_t default_t:file { read getattr };
-allow httpd_t root_t:lnk_file read;
-allow httpd_t default_t:lnk_file read;
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index d1729cc9d..764dff08e 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -323,19 +323,27 @@
 when:
 - not create_ipa_image | bool
 - download_ipa | bool
-- name: "Download cirros to use for deployment if requested"
- get_url:
- url: "{{ cirros_deploy_image_upstream_url }}"
- dest: "{{ deploy_image }}"
- owner: ironic
- group: ironic
- mode: 0644
- when: use_cirros | bool
-- name: "Create a checksum file for cirros"
- shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS
- args:
- chdir: "{{ http_boot_folder }}"
+
+- block:
+ - name: "Download cirros to use for deployment if requested"
+ get_url:
+ url: "{{ cirros_deploy_image_upstream_url }}"
+ dest: "{{ deploy_image }}"
+ owner: ironic
+ group: ironic
+ mode: 0644
+ - name: "Create a checksum file for cirros"
+ shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS
+ args:
+ chdir: "{{ http_boot_folder }}"
+ - name: "Ensure the checksum file is readable"
+ file:
+ path: "{{ http_boot_folder }}/{{ deploy_image_filename }}.CHECKSUMS"
+ owner: ironic
+ group: ironic
+ mode: 0644
 when: use_cirros | bool
+
 - name: > "Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned and TCP/6385 for IPA callback"
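Review bot: The `shell` task in the new block still interpolates `{{ deploy_image_filename }}` into the command line unquoted, so a value containing whitespace or shell metacharacters would be split or interpreted by the shell instead of being passed as one argument; `shell: md5sum {{ deploy_image_filename | quote }} > {{ deploy_image_filename | quote }}.CHECKSUMS` keeps it intact. That digest is computed from the file just downloaded, so it documents the download rather than verifying it; if an upstream digest is published, `get_url`'s `checksum:` parameter would check the image before it lands in `{{ deploy_image }}`. The two `mode: 0644` values are unquoted octal literals, which a YAML 1.1 parser reads as the integer 420 and which Ansible's own docs recommend against; `mode: "0644"` is the documented form. The `shell` task also reports changed on every run, so the block is not idempotent as written.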
@@ -401,22 +409,15 @@
 setype: httpd_sys_content_t
 state: present
- - name: Copy ironic policy file to temporary directory
- copy:
- src: ironic_policy.te
- dest: /tmp/ironic_policy.te
+ - name: Disable the old ironic policy if it was enabled
+ command: semodule -d ironic_policy
+ ignore_errors: true
- - name: Check ironic policy module
- command: checkmodule -M -m -o /tmp/ironic_policy.mod /tmp/ironic_policy.te
-
- - name: Package ironic policy module
- command: semodule_package -m /tmp/ironic_policy.mod -o /tmp/ironic_policy.pp
-
- - name: Include ironic policy module
- command: semodule -i /tmp/ironic_policy.pp
-
- - name: Enable ironic policy module
- command: semodule -e ironic_policy
+ - name: Apply the correct SELinux context to the directories
+ command: restorecon -iRv {{ item }}
+ loop:
+ - "{{ http_boot_folder }}"
+ - /tftpboot
 when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
 - name: "Configure remote logging"
diff --git a/releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml b/releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml
new file mode 100644
index 000000000..f71fec7fb
--- /dev/null
+++ b/releasenotes/notes/secontext-1f5ac63dbd0762d2.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixes SELinux context not being applied to /httpboot and /tftpboot.
+ This renders the ``ironic_policy`` module unnecessary, and it has been
+ removed.
+ - |
+ Ensures that the checksums file has the correct ownership.
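Review bot: `ignore_errors: true` on the `semodule -d ironic_policy` task hides every failure, not only the expected "module is not installed" case, and still prints a red failed message on hosts that never had the module; `failed_when: false` (with `register` and a `changed_when` on the return code if the result matters) expresses that outcome without masking unrelated errors. Since the commit retires the module, `semodule -r ironic_policy` would remove it instead of leaving a disabled copy installed, if that is the intent. The `restorecon -iRv` task also reports changed on every run; registering its output and keying `changed_when` on the `Relabeled` lines that `-v` prints, e.g. `register: restorecon_result` and `changed_when: "'Relabeled' in restorecon_result.stdout"`, would keep the play idempotent. The enclosing block starts outside the hunk, and `/tftpboot` is hard-coded while the HTTP path comes from `http_boot_folder`; if the role defines a variable for the TFTP root, using it here keeps the two paths consistent.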