initial selinux policy to allow logrotate to rotate mirrorlist container log files

2017-07-02 18:45:49 +00:00 · 2017-07-02 18:45:49 +00:00 · c2b46df877
commit c2b46df877
parent d98be0398a
4 changed files with 33 additions and 0 deletions
--- a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
--- a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
--- a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
@ -0,0 +1,12 @@
+module mirrorlist-logrotate 1.0;
+
+require {
+	type logrotate_t;
+	type svirt_sandbox_file_t;
+	class file { setattr create write };
+	class dir { write add_name remove_name };
+}
+
+#============= logrotate_t ==============
+allow logrotate_t svirt_sandbox_file_t:dir { add_name remove_name write };
+allow logrotate_t svirt_sandbox_file_t:file { setattr create write };
--- a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
+++ b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
@ -97,3 +97,24 @@
        cron_file=restart-mirrorlist-containers
  tags:
  - mirrorlist_proxy
+
+# Custom selinux policy to allow logrotate to rotate our mirrorlist logs
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/mirrorlist-logrotate state=directory
+  tags:
+  - selinux
+  - mirrorlist_proxy
+
+- name: copy over our custom selinux module
+  copy: src=selinux/mirrorlist-logrotate.pp dest=/usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
+  register: selinux_module
+  tags:
+  - selinux
+  - mirrorlist_proxy
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
+  when: selinux_module|changed
+  tags:
+  - selinux
+  - mirrorlist_proxy