Add SELinux contexts for cinder log directory

The log directory for cinder has the default_t SELinux context and this prevents rsyslog from accessing cinders's logs. This patch ensures that the file contexts are set properly for cinders's logs. This change also makes cinder's log directory configurable using the `cinder_log_dir` variable. Closes-Bug: 1748969 Change-Id: Idd1abdd5987ef120b23f8eef49b1c5198f40d900
2018-02-14 08:01:18 -06:00 · 2018-02-14 08:01:18 -06:00 · 66319e9008
parent 4f090af7e2
commit 66319e9008
5 changed files with 44 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -18,6 +18,8 @@
 cinder_package_state: "latest"
 cinder_pip_package_state: "latest"

+cinder_log_dir: /var/log/cinder
+
 cinder_git_repo: https://git.openstack.org/openstack/cinder
 cinder_git_install_branch: master
 cinder_developer_mode: false
--- a/tasks/cinder_post_install.yml
+++ b/tasks/cinder_post_install.yml
@ -83,3 +83,8 @@
    mode: "0440"
    owner: "root"
    group: "root"
+
+- include: cinder_selinux.yml
+  when:
+    - ansible_selinux.status is defined
+    - ansible_selinux.status == "enabled"
--- a/tasks/cinder_pre_install.yml
+++ b/tasks/cinder_pre_install.yml
@ -48,9 +48,9 @@

 - name: Test for log directory or link
  shell: |
-    if [ -h "/var/log/cinder"  ]; then
-      chown -h {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "/var/log/cinder"
-      chown -R {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "$(readlink /var/log/cinder)"
+    if [ -h "{{ cinder_log_dir }}"  ]; then
+      chown -h {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "{{ cinder_log_dir }}"
+      chown -R {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "$(readlink {{ cinder_log_dir }})"
    else
      exit 1
    fi
@ -66,5 +66,5 @@
    group: "{{ item.group|default(cinder_system_group_name) }}"
    mode: "{{ item.mode|default('0755') }}"
  with_items:
-    - { path: "/var/log/cinder" }
+    - { path: "{{ cinder_log_dir }}" }
  when: log_dir.rc != 0
--- a/tasks/cinder_selinux.yml
+++ b/tasks/cinder_selinux.yml
@ -0,0 +1,31 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Stat cinder's log directory
+  stat:
+    path: "{{ cinder_log_dir }}"
+  register: cinder_log_dir_check
+
+- name: Set SELinux file contexts for cinder's log directory
+  sefcontext:
+    target: "{{ (cinder_log_dir_check.stat.islnk) | ternary(cinder_log_dir_check.stat.lnk_target, cinder_log_dir) }}(/.*)?"
+    setype: cinder_log_t
+    state: present
+  register: selinux_file_context_log_files
+
+- name: Apply updated SELinux contexts on cinder log directory
+  command: "restorecon -Rv {{ (cinder_log_dir_check.stat.islnk) | ternary(cinder_log_dir_check.stat.lnk_target, cinder_log_dir) }}"
+  when:
+    - selinux_file_context_log_files | changed
--- a/templates/cinder-systemd-init.j2
+++ b/templates/cinder-systemd-init.j2
@ -11,9 +11,9 @@ User={{ cinder_system_user_name }}
 Group={{ cinder_system_group_name }}

 {% if item.program_override is defined %}
-ExecStart={{ item.program_override }} {{ item.program_config_options|default('') }} {{ item.log_string | default('--log-file=') }}/var/log/cinder/{{ item.service_name }}.log
+ExecStart={{ item.program_override }} {{ item.program_config_options|default('') }} {{ item.log_string | default('--log-file=') }}{{ cinder_log_dir }}/{{ item.service_name }}.log
 {% else %}
-ExecStart={{ cinder_bin }}/{{ item.service_name }} {{ item.program_config_options|default('') }} --log-file=/var/log/cinder/{{ item.service_name }}.log
+ExecStart={{ cinder_bin }}/{{ item.service_name }} {{ item.program_config_options|default('') }} --log-file={{ cinder_log_dir }}/{{ item.service_name }}.log
 {% endif %}
 {% if item.service_name != cinder_services['cinder-api']['service_name'] or item.wsgi_app %}
 ExecReload={{ (item.wsgi_app is defined and item.wsgi_app) | ternary(cinder_bin + '/uwsgi --reload /var/run/' + item.service_name + '/' + item.service_name +'.pid','/bin/kill -HUP $MAINPID') }}