diff --git a/files/osa-neutron.te b/files/osa-neutron.te
deleted file mode 100644
index 807530c4..00000000
--- a/files/osa-neutron.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2017, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-module osa-neutron 1.0;
-
-require {
- type unconfined_t;
- type ifconfig_t;
- type neutron_var_lib_t;
- type haproxy_exec_t;
- type var_run_t;
- type iptables_t;
- type dnsmasq_t;
- type var_log_t;
- type http_port_t;
- class process setrlimit;
- class capability { dac_override net_bind_service setgid setuid };
- class tcp_socket { listen name_bind };
- class file { create execute execute_no_trans getattr open read relabelto setattr unlink write };
- class lnk_file read;
- class dir { add_name remove_name write };
-}
-
-# NOTE(mhayden): This allows dnsmasq, when run under neutron, to write logs
-# within /var/log. This policy no longer exists in CentOS 7 since dnsmasq only
-# writes to the systemd journal.
-#============= dnsmasq_t ==============
-allow dnsmasq_t var_log_t:file { open setattr };
-allow dnsmasq_t var_log_t:lnk_file read;
-
-# NOTE(mhayden): Neutron starts haproxy within a network namespace, so the
-# process transitions to the ifconfig_t context after it starts. Normally,
-# haproxy should switch to the ifconfig_t context. This should be fixed in
-# the future.
-#============= ifconfig_t ==============
-allow ifconfig_t haproxy_exec_t:file { execute execute_no_trans open read };
-allow ifconfig_t http_port_t:tcp_socket name_bind;
-allow ifconfig_t neutron_var_lib_t:dir { add_name remove_name write };
-allow ifconfig_t neutron_var_lib_t:file { create getattr open read unlink write };
-allow ifconfig_t self:capability { dac_override net_bind_service setgid setuid };
-allow ifconfig_t self:process setrlimit;
-allow ifconfig_t self:tcp_socket listen;
-
-# NOTE(mhayden): This allows neutron to use /usr/sbin/xtables-multi to quickly
-# manage iptables/ip6tables rules.
-#============= iptables_t ==============
-allow iptables_t var_run_t:file read;
diff --git a/tasks/neutron_install.yml b/tasks/neutron_install.yml
index 78e045bf..012f2d9f 100644
--- a/tasks/neutron_install.yml
+++ b/tasks/neutron_install.yml
@@ -68,10 +68,6 @@
 ('need_db_expand' not in ansible_local['openstack_ansible']['neutron']) or
 ('need_db_contract' not in ansible_local['openstack_ansible']['neutron'])
-- include_tasks: neutron_selinux.yml
- when:
- - ansible_selinux.status == "enabled"
-
 - name: Ensure Open vSwitch service is started and enabled
 service:
 name: "{{ neutron_ovs_service_name }}"
diff --git a/tasks/neutron_selinux.yml b/tasks/neutron_selinux.yml
deleted file mode 100644
index e9a5c3f4..00000000
--- a/tasks/neutron_selinux.yml
+++ /dev/null
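Review bot: Nothing on the new side of the neutron_install.yml hunk retires the `osa-neutron` policy module that earlier runs of the now-deleted neutron_selinux.yml loaded with `semodule -i osa-neutron.pp`, so hosts upgraded in place keep its allow rules active (among them `ifconfig_t` capability `dac_override net_bind_service setgid setuid` and execute of `haproxy_exec_t`) with no task left that owns them. The same task file also applied the `neutron_log_t` context to `neutron_log_dir`, and this hunk drops the include without a replacement, so on an SELinux-enforcing host the log directory context and the dnsmasq, haproxy and xtables-multi accesses now rest entirely on the distribution policy; whether that policy covers them is not visible in this diff and should be confirmed before relying on it. A one-time cleanup task under the same guard would close the first gap, e.g. `- name: Remove legacy osa-neutron SELinux module` / `command: semodule -r osa-neutron` / `when: ansible_selinux.status == "enabled"`, with `failed_when`/`changed_when` set so a host that never had the module is not reported as a failure. The surrounding task list continues before and after this hunk.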
@@ -1,75 +0,0 @@
----
-# Copyright 2017, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Ensure SELinux packages are installed
- package:
- name: "{{ item }}"
- state: present
- with_items:
- - libselinux
- - libselinux-devel
- - checkpolicy
- - policycoreutils-python
-
-- name: Create directory for compiling SELinux role
- file:
- path: "/tmp/osa-neutron-selinux"
- state: directory
- mode: '0755'
-
-- name: Deploy SELinux policy source file
- copy:
- src: "osa-neutron.te"
- dest: "/tmp/osa-neutron-selinux/"
- owner: root
- group: root
- mode: "0755"
-
-# NOTE(mhayden): Linting checks are skipped here because there isn't a
-# reliable way to determine if this SELinux module is newer than the one that
-# is currently in use on the system. The linter expects there to be a
-# "creates" argument below.
-- name: Compile and load SELinux module
- command: "{{ item }}"
- args:
- chdir: "/tmp/osa-neutron-selinux/"
- with_items:
- - checkmodule -M -m -o osa-neutron.mod osa-neutron.te
- - semodule_package -o osa-neutron.pp -m osa-neutron.mod
- - semodule -i osa-neutron.pp
- tags:
- - skip_ansible_lint
-
-- name: Remove temporary directory
- file:
- path: "/tmp/osa-neutron-selinux/"
- state: absent
-
-- name: Stat neutron's log directory
- stat:
- path: "{{ neutron_log_dir }}"
- register: neutron_log_dir_check
-
-- name: Set SELinux file contexts for neutron's log directory
- sefcontext:
- target: "{{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir_check.stat.lnk_target, neutron_log_dir) }}(/.*)?"
- setype: neutron_log_t
- state: present
- register: selinux_file_context_log_files
-
-- name: Apply updated SELinux contexts on neutron log directory
- command: "restorecon -Rv {{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir_check.stat.lnk_target, neutron_log_dir) }}"
- when:
- - selinux_file_context_log_files is changed