Enforce SELinux types on files by distro.

During system setup, setup managed contexts for specific files based on platform (ansible_distribution) name. If no mapping for that platform is available, choose a default item if one is present. Failing both, don't do anything. For now this only includes /usr/local/bin/crio and sets the same type on all platforms. However this is easily expanded by updating the mapping in ``vars.yml`` to include additional files and/or ansible_distribution names (or "default") and types. Signed-off-by: Chris Evich <cevich@redhat.com>
2017-10-06 11:14:01 -04:00 · 2017-10-06 11:14:01 -04:00 · c457314b98
commit c457314b98
parent 2338d81b01
3 changed files with 17 additions and 0 deletions
--- a/contrib/test/integration/main.yml
+++ b/contrib/test/integration/main.yml
@ -78,6 +78,7 @@
    - "{{ playbook_dir }}/vars.yml"
  environment: '{{ environment_variables }}'
  tasks:
+
    - name: Build and install cri-o
      include: "build/cri-o.yml"
      tags:
--- a/contrib/test/integration/system.yml
+++ b/contrib/test/integration/system.yml
@ -32,6 +32,7 @@
    - libgpg-error-devel
    - libguestfs-tools
    - libseccomp-devel
+    - libselinux-python
    - libvirt-client
    - libvirt-python
    - libxml2-devel
@ -47,6 +48,7 @@
    - openssl-devel
    - ostree-devel
    - pkgconfig
+    - policycoreutils-python
    - python
    - python2-boto
    - python2-crypto
@ -111,3 +113,12 @@
 - name: Update the kernel cmdline to include quota support
  command: grubby --update-kernel=ALL --args="rootflags=pquota"
  when: ansible_distribution in ['RedHat', 'CentOS']
+
+- name: Enforce specific SELinux types for files on this platform
+  sefcontext:
+    target: '{{ item.key }}'
+    setype: '{{ item.value[ansible_distribution] | default(item.value.default) }}'
+    state: present
+  when: item.value[ansible_distribution] is defined or
+        item.value.default is defined
+  with_dict: '{{ set_setypes | default({}) }}'
--- a/contrib/test/integration/vars.yml
+++ b/contrib/test/integration/vars.yml
@ -21,6 +21,11 @@ cri_o_src_path: "{{ playbook_dir }}/../../../"
 # Absolute path on subjects where cri-o source is expected
 cri_o_dest_path: "{{ go_path }}/src/github.com/kubernetes-incubator/cri-o"

+# Mapping of filenames to ansible_distribution (or default), to SELinux types
+set_setypes:
+    /usr/local/bin/crio:
+        default: 'container_runtime_exec_t'
+
 # For results.yml Paths use rsync 'source' conventions
 artifacts: "/tmp/artifacts"  # Base-directory for collection
 crio_integration_filepath: "{{ artifacts }}/testout.txt"