initial selinux policy to allow logrotate to rotate mirrorlist container log files

2017-07-02 18:45:49 +00:00 · 2017-07-02 18:45:49 +00:00 · c2b46df877
commit c2b46df877
parent d98be0398a
4 changed files with 33 additions and 0 deletions
--- a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.mod
--- a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.pp
--- a/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
+++ b/roles/mirrormanager/mirrorlist_proxy/files/selinux/mirrorlist-logrotate.te
@ -0,0 +1,12 @@
 module mirrorlist-logrotate 1.0;
 require {
 	type logrotate_t;
 	type svirt_sandbox_file_t;
 	class file { setattr create write };
 	class dir { write add_name remove_name };
 }
 #============= logrotate_t ==============
 allow logrotate_t svirt_sandbox_file_t:dir { add_name remove_name write };
 allow logrotate_t svirt_sandbox_file_t:file { setattr create write };
--- a/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
+++ b/roles/mirrormanager/mirrorlist_proxy/tasks/main.yml
@ -97,3 +97,24 @@
        cron_file=restart-mirrorlist-containers
  tags:
  - mirrorlist_proxy
 # Custom selinux policy to allow logrotate to rotate our mirrorlist logs
 - name: ensure a directory exists for our custom selinux module
  file: dest=/usr/local/share/mirrorlist-logrotate state=directory
  tags:
  - selinux
  - mirrorlist_proxy
 - name: copy over our custom selinux module
  copy: src=selinux/mirrorlist-logrotate.pp dest=/usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
  register: selinux_module
  tags:
  - selinux
  - mirrorlist_proxy
 - name: install our custom selinux module
  command: semodule -i /usr/local/share/mirrorlist-logrotate/mirrorlist-logrotate.pp
  when: selinux_module|changed
  tags:
  - selinux
  - mirrorlist_proxy