Make sure selinux permissions are correct on ~/.ssh.

It may happen that if the environment is switched from Not enforcing to enforcing, the permissions of the ~/.ssh directory are selinux wrong making the undercloud unreachable. Added fix from Ib5873383632a1141c8dd3859b34ca29904020790 Change-Id: Ifc76d3717f4f214f9f3d55ccbafdbcc0180c31c1 Closes-Bug: #1711564 (cherry picked from commit 8808f92b6c)
2017-08-18 12:16:32 +02:00 · 2017-08-18 12:16:32 +02:00 · 7d9654c05c
parent 900a198335
commit 7d9654c05c
2 changed files with 39 additions and 0 deletions
--- a/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
+++ b/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
@ -25,6 +25,18 @@ fi

 cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

+if [ -e /usr/sbin/getenforce ]; then
+    if [ "$(getenforce)" == "Enforcing" ]; then
+        set +e
+        selinux_wrong_permission="$(find /root/.ssh/ -exec ls -lZ {} \; | grep -v 'ssh_home_t')"
+        set -e
+        if [ -n "${selinux_wrong_permission}" ]; then
+            semanage fcontext -a -t ssh_home_t '/root/.ssh(/.*)?'
+            restorecon -R /root/.ssh/
+        fi
+    fi
+fi
+
 UNDERCLOUD_IP=$(os-apply-config --key local-ip --type netaddress)
 export UNDERCLOUD_IP

--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@ -1433,6 +1433,32 @@ def _configure_ssh_keys(nova):
            nova.keypairs.create('default', pubkey.read().rstrip())


+def _ensure_ssh_selinux_permission():
+    ssh_path = os.path.expanduser('~/.ssh')
+    try:
+        enforcing = _run_command(['getenforce'])
+        if os.path.isdir(ssh_path):
+            if 'Enforcing' in enforcing:
+                file_perms = _run_command(
+                    ['find', ssh_path, '-exec', 'ls', '-lZ', '{}', ';'])
+                wrong_perm = False
+                for line in file_perms.splitlines():
+                    if 'ssh_home_t' not in line:
+                        wrong_perm = True
+                        break
+                if wrong_perm:
+                    cmd = ['semanage',
+                           'fcontext', '-a', '-t', 'ssh_home_t',
+                           "{}(/.*)?".format(ssh_path)]
+                    _run_command(cmd)
+                    _run_command(['restorecon', '-R', ssh_path])
+    except OSError as e:
+        if e.errno == os.errno.ENOENT:
+            LOG.debug("Not a SeLinux platform")
+        else:
+            raise
+
+
 def _delete_default_flavors(nova):
    """Delete the default flavors from Nova

@ -1766,6 +1792,7 @@ def _post_config(instack_env):
                                  os_ironic_api_version='1.21')

    _configure_ssh_keys(nova)
+    _ensure_ssh_selinux_permission()
    _delete_default_flavors(nova)

    _ensure_node_resource_classes(ironic)