Enforce SELinux types on files by distro.
During system setup, set up managed contexts for specific files based on platform (ansible_distribution) name. If no mapping for that platform is available, choose a default item if one is present. Failing both, don't do anything. For now this only includes /usr/local/bin/crio and sets the same type on all platforms. However, this is easily expanded by updating the mapping in ``vars.yml`` to include additional files and/or ansible_distribution names (or "default") and types. Signed-off-by: Chris Evich <cevich@redhat.com>
This commit is contained in:
parent
2338d81b01
commit
c457314b98
3 changed files with 17 additions and 0 deletions
|
@ -78,6 +78,7 @@
|
||||||
- "{{ playbook_dir }}/vars.yml"
|
- "{{ playbook_dir }}/vars.yml"
|
||||||
environment: '{{ environment_variables }}'
|
environment: '{{ environment_variables }}'
|
||||||
tasks:
|
tasks:
|
||||||
|
|
||||||
- name: Build and install cri-o
|
- name: Build and install cri-o
|
||||||
include: "build/cri-o.yml"
|
include: "build/cri-o.yml"
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -32,6 +32,7 @@
|
||||||
- libgpg-error-devel
|
- libgpg-error-devel
|
||||||
- libguestfs-tools
|
- libguestfs-tools
|
||||||
- libseccomp-devel
|
- libseccomp-devel
|
||||||
|
- libselinux-python
|
||||||
- libvirt-client
|
- libvirt-client
|
||||||
- libvirt-python
|
- libvirt-python
|
||||||
- libxml2-devel
|
- libxml2-devel
|
||||||
|
@ -47,6 +48,7 @@
|
||||||
- openssl-devel
|
- openssl-devel
|
||||||
- ostree-devel
|
- ostree-devel
|
||||||
- pkgconfig
|
- pkgconfig
|
||||||
|
- policycoreutils-python
|
||||||
- python
|
- python
|
||||||
- python2-boto
|
- python2-boto
|
||||||
- python2-crypto
|
- python2-crypto
|
||||||
|
@ -111,3 +113,12 @@
|
||||||
- name: Update the kernel cmdline to include quota support
|
- name: Update the kernel cmdline to include quota support
|
||||||
command: grubby --update-kernel=ALL --args="rootflags=pquota"
|
command: grubby --update-kernel=ALL --args="rootflags=pquota"
|
||||||
when: ansible_distribution in ['RedHat', 'CentOS']
|
when: ansible_distribution in ['RedHat', 'CentOS']
|
||||||
|
|
||||||
|
- name: Enforce specific SELinux types for files on this platform
|
||||||
|
sefcontext:
|
||||||
|
target: '{{ item.key }}'
|
||||||
|
setype: '{{ item.value[ansible_distribution] | default(item.value.default) }}'
|
||||||
|
state: present
|
||||||
|
when: item.value[ansible_distribution] is defined or
|
||||||
|
item.value.default is defined
|
||||||
|
with_dict: '{{ set_setypes | default({}) }}'
|
||||||
|
|
|
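Review bot: The new `sefcontext` task in the last hunk only records the file-context mapping in the SELinux policy store; it does not relabel a `/usr/local/bin/crio` that already exists, so the type only becomes effective once `restorecon` runs on the target (or if the file is created after the mapping is in place). Because the hunk gives no guarantee about ordering relative to the "Build and install cri-o" step, a follow-up task that relabels each mapped path, guarded by the same `when`, would make the task self-contained; a sketch is below. The `when:` value also continues onto a second line as a plain scalar, which YAML folds silently; writing it as `when: >-` with both clauses indented underneath makes the continuation explicit. A comment on `target:` such as `# passed to semanage fcontext as a path regular expression` would help readers, since keys with regex metacharacters are not matched literally.
```yaml
# … unchanged: sefcontext task …
- name: Apply SELinux types to files already present on this platform
  command: restorecon -v '{{ item.key }}'
  register: restorecon_result
  changed_when: restorecon_result.stdout != ''
  when: >-
    item.value[ansible_distribution] is defined or
    item.value.default is defined
  with_dict: '{{ set_setypes | default({}) }}'
```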
@ -21,6 +21,11 @@ cri_o_src_path: "{{ playbook_dir }}/../../../"
|
||||||
# Absolute path on subjects where cri-o source is expected
|
# Absolute path on subjects where cri-o source is expected
|
||||||
cri_o_dest_path: "{{ go_path }}/src/github.com/kubernetes-incubator/cri-o"
|
cri_o_dest_path: "{{ go_path }}/src/github.com/kubernetes-incubator/cri-o"
|
||||||
|
|
||||||
|
# Mapping of filenames to ansible_distribution (or default), to SELinux types
|
||||||
|
set_setypes:
|
||||||
|
/usr/local/bin/crio:
|
||||||
|
default: 'container_runtime_exec_t'
|
||||||
|
|
||||||
# For results.yml Paths use rsync 'source' conventions
|
# For results.yml Paths use rsync 'source' conventions
|
||||||
artifacts: "/tmp/artifacts" # Base-directory for collection
|
artifacts: "/tmp/artifacts" # Base-directory for collection
|
||||||
crio_integration_filepath: "{{ artifacts }}/testout.txt"
|
crio_integration_filepath: "{{ artifacts }}/testout.txt"
|
||||||
|
|
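Review bot: The keys of `set_setypes` are consumed as the `target` of the `sefcontext` module, which semanage interprets as a path regular expression rather than a literal filename, so future entries containing `.` or other metacharacters would need escaping; the comment above the mapping should say so, e.g. `# Keys are passed to semanage fcontext as path regular expressions (escape '.' as '\.')`. The `default` sub-key doubles as the fallback when no `ansible_distribution` key matches; presumably no distribution is literally named `default`, but a one-line comment noting that `default` is reserved for the fallback would make the structure clear to the next person extending the mapping.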