Drop SELinux support for CentOS 7

We do not currently have a maintainer for SELinux, and we hope to
adopt the upstream openstack-selinux package eventually. For now, so
that deploys work in environments where SELinux is set to permissive,
we have to remove these bits.

This change can be reverted whenever we have a maintainer that's
available to do the work required.

Change-Id: I61141da3a391a99cb111733eae22cc7c54ce48c6
Guilherme Steinmüller 2018-09-20 18:52:41 +00:00
parent 95f6853f76
commit a6dba10bb1
5 changed files with 0 additions and 105 deletions


@ -1,24 +0,0 @@
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module lxc-attach 1.0;
require {
type unconfined_service_t;
type var_lib_t;
class file entrypoint;
}
#============= unconfined_service_t ==============
allow unconfined_service_t var_lib_t:file entrypoint;


@ -125,7 +125,3 @@
# Ensure apparmor reindex runs before other things that may fail
- meta: flush_handlers
- include_tasks: lxc_selinux.yml
when:
- ansible_selinux.status == "enabled"


@ -1,64 +0,0 @@
---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create directory for compiling SELinux policy
file:
path: "/tmp/lxc-attach-selinux/"
state: 'directory'
mode: '0755'
- name: Deploy SELinux type enforcement file
copy:
src: "lxc-attach.te"
dest: "/tmp/lxc-attach-selinux/lxc-attach.te"
owner: "root"
group: "root"
mode: "0755"
- name: Compile and load SELinux module
shell: 'make -f /usr/share/selinux/devel/Makefile && semodule -i /tmp/lxc-attach-selinux/lxc-attach.pp'
args:
creates: '/etc/selinux/targeted/active/modules/400/lxc-attach/cil'
chdir: "/tmp/lxc-attach-selinux/"
register: compile_selinux_async
async: 90
poll: 0
- name: Check if /openstack/log exists
stat:
path: /openstack/log
register: openstack_log_dir
- name: Check for SELinux equivalence for /openstack/log
shell: "semanage fcontext -l /openstack/log | grep ^/openstack/log || true"
register: fcontext_check
tags:
- skip_ansible_lint
- name: Create SELinux fcontext equivalence for OpenStack container logs
command: semanage fcontext --add --equal /var/log /openstack/log
failed_when: selinux_equivalence.rc not in [0,1]
changed_when: selinux_equivalence.rc == 0
register: selinux_equivalence
when:
- openstack_log_dir.stat.exists
- '"/openstack/log" not in fcontext_check.stdout'
- name: Apply updated SELinux contexts on /openstack/log
command: restorecon -R /openstack/log
when:
- openstack_log_dir.stat.exists
- '"/openstack/log" not in fcontext_check.stdout'
- selinux_equivalence is changed


@ -87,16 +87,6 @@
- name: Flush handlers
meta: flush_handlers
- name: Ensure SELinux module compile has finished
async_status:
jid: "{{ compile_selinux_async.ansible_job_id }}"
register: _compile_selinux_async
until: _compile_selinux_async.finished
retries: 30
when:
- compile_selinux_async is defined
- not compile_selinux_async | skipped
- name: (RE)Gather facts post setup
setup:
gather_subset: "network,hardware,virtual"


@ -25,15 +25,12 @@ _lxc_hosts_distro_packages:
- dnsmasq
- git
- libseccomp
- libselinux
- libselinux-devel
- lxc
- lxc-devel
- lxc-libs
- lxc-templates
- policycoreutils-python
- python2-lxc
- selinux-policy-devel
- unzip
- xz