ansible: Add SELinux policy for podman socket

When the tasks/job containers access the bind-mounted podman.sock, they currently run into a lot of SELinux denials. This happened to work as we have run SELinux in permissive mode on our bots in the last two weeks (see commit c118069). Create a proper SELinux policy plugin instead, so that we can put it back into enforce mode.
cockpit-project · Mar 13, 2024 · 214be0c · 214be0c
1 parent 956ff20
commit 214be0c
Showing 1 changed file with 23 additions and 4 deletions.
diff --git a/ansible/roles/tasks-systemd/tasks/main.yml b/ansible/roles/tasks-systemd/tasks/main.yml
@@ -5,27 +5,46 @@
     dest: /run/install-service
     mode: preserve
 
-- name: Create custom SELinux rules to fix Chromium
+- name: Create custom SELinux policy file contexts
+  copy:
+    dest: /tmp/cockpituous.fc
+    mode: 0644
+    content: |
+      /var/run/podman/podman.sock    system_u:object_r:container_file_t:s0
+  register: selinux_policy_fc
+
+- name: Create custom SELinux policy type enforcements
   copy:
     dest: /tmp/cockpituous.te
     mode: 0644
     content: |
       module cockpituous 1.0;
       require {
               type container_t;
+              type container_file_t;
+              type container_runtime_t;
+              type init_t;
               class process execheap;
+              class sock_file { create unlink setattr };
+              class unix_stream_socket { connectto };
       }
 
+      # allow systemd to create the socket after changing its type
+      allow init_t container_file_t:sock_file { create unlink setattr };
+
+      # container can access that socket
+      allow container_t container_runtime_t:unix_stream_socket connectto;
+
       # HACK: See https://github.com/cockpit-project/cockpituous/issues/579
       allow container_t self:process execheap;
-  register: selinux_policy
+  register: selinux_policy_te
 
 - name: Install custom SELinux rules
   shell: |
     checkmodule -M -m -o /tmp/cockpituous.mod /tmp/cockpituous.te
-    semodule_package -o /tmp/cockpituous.pp -m /tmp/cockpituous.mod
+    semodule_package -o /tmp/cockpituous.pp -m /tmp/cockpituous.mod -f /tmp/cockpituous.fc
     semodule -i /tmp/cockpituous.pp
-  when: selinux_policy.changed
+  when: selinux_policy_fc.changed or selinux_policy_te.changed
 
 # This only applies to RH VPN; make that optional if we ever deploy to public infrastructure
 - name: Create npm configuration