From c457314b980f212b52204e660c0f6f78920bd291 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Fri, 6 Oct 2017 11:14:01 -0400
Subject: [PATCH] Enforce SELinux types on files by distro.

During system setup, setup managed contexts for specific files based on platform (ansible_distribution) name. If no mapping for that platform is available, choose a default item if one is present. Failing both, don't do anything.

For now this only includes /usr/local/bin/crio and sets the same type on all platforms. However this is easily expanded by updating the mapping in ``vars.yml`` to include additional files and/or ansible_distribution names (or "default") and types.

Signed-off-by: Chris Evich
---
 contrib/test/integration/main.yml   | 1 +
 contrib/test/integration/system.yml | 11 +++++++++++
 contrib/test/integration/vars.yml   | 5 +++++
 3 files changed, 17 insertions(+)

diff --git a/contrib/test/integration/main.yml b/contrib/test/integration/main.yml
index 4f61dcab..b80a76db 100644
--- a/contrib/test/integration/main.yml
+++ b/contrib/test/integration/main.yml
@@ -78,6 +78,7 @@
     - "{{ playbook_dir }}/vars.yml"
   environment: '{{ environment_variables }}'
   tasks:
+
     - name: Build and install cri-o
       include: "build/cri-o.yml"
       tags:
diff --git a/contrib/test/integration/system.yml b/contrib/test/integration/system.yml
index c17e3c6d..ab82c177 100644
--- a/contrib/test/integration/system.yml
+++ b/contrib/test/integration/system.yml
@@ -32,6 +32,7 @@
     - libgpg-error-devel
     - libguestfs-tools
     - libseccomp-devel
+    - libselinux-python
     - libvirt-client
     - libvirt-python
     - libxml2-devel
@@ -47,6 +48,7 @@
     - openssl-devel
     - ostree-devel
     - pkgconfig
+    - policycoreutils-python
     - python
     - python2-boto
     - python2-crypto
@@ -111,3 +113,12 @@
 - name: Update the kernel cmdline to include quota support
   command: grubby --update-kernel=ALL --args="rootflags=pquota"
   when: ansible_distribution in ['RedHat', 'CentOS']
+
+- name: Enforce specific SELinux types for files on this platform
+  sefcontext:
+    target: '{{ item.key }}'
+    setype: '{{ item.value[ansible_distribution] | default(item.value.default) }}'
+    state: present
+  when: item.value[ansible_distribution] is defined or
+        item.value.default is defined
+  with_dict: '{{ set_setypes | default({}) }}'
diff --git a/contrib/test/integration/vars.yml b/contrib/test/integration/vars.yml
index fa8665db..e0cfd993 100644
--- a/contrib/test/integration/vars.yml
+++ b/contrib/test/integration/vars.yml
@@ -21,6 +21,11 @@
 cri_o_src_path: "{{ playbook_dir }}/../../../"
 # Absolute path on subjects where cri-o source is expected
 cri_o_dest_path: "{{ go_path }}/src/github.com/kubernetes-incubator/cri-o"
+# Mapping of filenames to ansible_distribution (or default), to SELinux types
+set_setypes:
+  /usr/local/bin/crio:
+    default: 'container_runtime_exec_t'
+
 # For results.yml Paths use rsync 'source' conventions
 artifacts: "/tmp/artifacts"  # Base-directory for collection
 crio_integration_filepath: "{{ artifacts }}/testout.txt"
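Review bot: The new `sefcontext` task only records the file-context mapping in policy; nothing in the hunk relabels the files it names, so a `/usr/local/bin/crio` that is copied into place without a context-aware install (or that already exists) keeps the type it inherited from the directory instead of `container_runtime_exec_t`, and the type the commit message promises is never enforced on disk. A follow-up task that runs `restorecon` over the same keys, placed after the binary is installed, closes that gap; a sketch is below. The loop also runs on every host regardless of SELinux state, so if this playbook is ever pointed at a subject without SELinux or the `libselinux-python` bindings the module fails hard rather than skipping — if such subjects are in scope, a guard like `when: ansible_selinux.status == 'enabled'` keeps it best-effort. Note too that sefcontext's `target` is a file-spec regular expression, not a literal path, so keys added to `set_setypes` later must be regex-safe.

```yaml
# … unchanged: sefcontext task above …
- name: Apply the enforced SELinux types to files that already exist
  command: restorecon -v {{ item.key }}
  with_dict: '{{ set_setypes | default({}) }}'
  when: item.value[ansible_distribution] is defined or
        item.value.default is defined
```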
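Review bot: The comment above the new `set_setypes` mapping does not say that each outer key is handed to sefcontext's `target`, which is a file-spec regular expression rather than a literal path, nor that the inner keys are looked up against the `ansible_distribution` fact verbatim. Someone extending the table with a path containing regex metacharacters, or with a distro spelled differently from the fact value, gets a silent no-match; `# Keys: file-spec regex passed to sefcontext target; values: ansible_distribution (exact fact value) or 'default' -> SELinux type` captures both.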