From 9c34f928e6e2f47a1540cab4729504f50b1960f9 Mon Sep 17 00:00:00 2001
From: Mathieu Velten
Date: Thu, 1 Dec 2016 10:43:05 +0100
Subject: [PATCH] Add a SELinux policy to relabel files in /usr/local/bin as bin_t

There is a default policy for that in Fedora, however it doesn't work in Atomic since /usr/local is a symlink to /var/usrlocal

Closes-Bug: 1646421
Change-Id: I4c5b836f4f76ff93a2c55f85ff6ff0cbe990bcff
---
 .../templates/swarm/fragments/configure-selinux.sh | 12 ++++++++++++
 .../templates/swarm/fragments/disable-selinux.sh | 4 ----
 .../templates/swarmmaster.yaml | 6 +++---
 .../swarm_fedora_atomic_v1/templates/swarmnode.yaml | 6 +++---
 4 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100644 magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh
 delete mode 100644 magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh
diff --git a/magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh b/magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh
new file mode 100644
index 0000000000..1d3c0205b7
--- /dev/null
+++ b/magnum/drivers/common/templates/swarm/fragments/configure-selinux.sh
@@ -0,0 +1,12 @@
+#cloud-boothook
+#!/bin/sh
+
+# files in /usr/local/bin should be labeled bin_t
+# however on Atomic /usr/local is a symlink to /var/usrlocal
+# so the default Fedora policy doesn't work
+echo '/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0' > /etc/selinux/targeted/contexts/files/file_contexts.local
+restorecon -R /usr/local/bin
+
+# disable selinux until cloud-init is over
+# enabled again in enable-services.sh
+setenforce 0
diff --git a/magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh b/magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh
deleted file mode 100644
index 49e9dc79a8..0000000000
--- a/magnum/drivers/common/templates/swarm/fragments/disable-selinux.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#cloud-boothook
-#!/bin/sh
-
-setenforce 0
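Review bot: The `echo ... > /etc/selinux/targeted/contexts/files/file_contexts.local` line in configure-selinux.sh replaces the whole file, so any local file-context entries already present on the image are discarded, and since the fragment is a `#cloud-boothook` that happens on every boot. Switching to `>>` alone would duplicate the entry each boot, so guard it: `grep -qF '/var/usrlocal/(.*/)?bin(/.*)?' /etc/selinux/targeted/contexts/files/file_contexts.local 2>/dev/null || echo '/var/usrlocal/(.*/)?bin(/.*)? system_u:object_r:bin_t:s0' >> /etc/selinux/targeted/contexts/files/file_contexts.local`. If `semanage` is available on the Atomic image (not verifiable from this patch), `semanage fcontext -a -t bin_t '/var/usrlocal/(.*/)?bin(/.*)?'` maintains that file through the supported interface instead. The trailing `setenforce 0` leaves the node permissive until enable-services.sh re-enables enforcement; that fragment is outside this patch, so the comment should name the part ordering in swarmmaster.yaml and swarmnode.yaml that guarantees it runs, e.g. `# enable-services.sh (later in the MultipartMime parts list) runs setenforce 1`.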
diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
index 2422acfd67..da95c53532 100644
--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmmaster.yaml
@@ -341,11 +341,11 @@ resources:
 group: ungrouped
 config: {get_file: ../../common/templates/swarm/fragments/cfn-signal.sh}
 
- disable_selinux:
+ configure_selinux:
 type: "OS::Heat::SoftwareConfig"
 properties:
 group: ungrouped
- config: {get_file: ../../common/templates/swarm/fragments/disable-selinux.sh}
+ config: {get_file: ../../common/templates/swarm/fragments/configure-selinux.sh}
 
 add_proxy:
 type: "OS::Heat::SoftwareConfig"
@@ -363,7 +363,7 @@ resources:
 type: "OS::Heat::MultipartMime"
 properties:
 parts:
- - config: {get_resource: disable_selinux}
+ - config: {get_resource: configure_selinux}
 - config: {get_resource: remove_docker_key}
 - config: {get_resource: write_heat_params}
 - config: {get_resource: make_cert}
diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
index 5b1f345102..50762c9a7e 100644
--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/swarmnode.yaml
@@ -304,11 +304,11 @@ resources:
 group: ungrouped
 config: {get_file: ../../common/templates/swarm/fragments/cfn-signal.sh}
 
- disable_selinux:
+ configure_selinux:
 type: "OS::Heat::SoftwareConfig"
 properties:
 group: ungrouped
- config: {get_file: ../../common/templates/swarm/fragments/disable-selinux.sh}
+ config: {get_file: ../../common/templates/swarm/fragments/configure-selinux.sh}
 
 add_proxy:
 type: "OS::Heat::SoftwareConfig"
@@ -326,7 +326,7 @@ resources:
 type: "OS::Heat::MultipartMime"
 properties:
 parts:
- - config: {get_resource: disable_selinux}
+ - config: {get_resource: configure_selinux}
 - config: {get_resource: remove_docker_key}
 - config: {get_resource: write_heat_params}
 - config: {get_resource: make_cert}