Adds SELinux custom module for the afterburn systemd units

the afterburn systemd units fail as the SELinux domain of the afterburn binary is restricted from changing the content of files in /run, /run/metadata and /home/$user/.ssh. This commit adds a afterburn-custom.cil SELinux module to allow the afterburn services to succeed and the nodes to properly join a cluster. The module is loaded by the okd-selinux.service implemented by 336013f Refers openshift#1555
aleskandro · Aug 6, 2024 · b19d7f6 · b19d7f6
1 parent 0ef712a
commit b19d7f6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 0 deletions.
diff --git a/manifest-okd-c9s.yaml b/manifest-okd-c9s.yaml
@@ -88,6 +88,11 @@ postprocess:
      rm -f /etc/issue /etc/issue.net
      ln -s /usr/lib/issue /etc/issue
      ln -s /usr/lib/issue /etc/issue.net
+  - |
+    #!/usr/bin/env bash
+    set -xeo pipefail
+    # Apply custom SELinux policies as stored in /usr/lib/okd/selinux from the overlay.d/50scos directory
+    /usr/bin/find /usr/lib/okd/selinux -type f -name '*.cil' -exec /usr/sbin/semodule -i {} \;
 
 packages:
  # RPM GPG keys for CentOS SIG repos

diff --git a/overlay.d/50scos/usr/lib/okd/selinux/.keep b/overlay.d/50scos/usr/lib/okd/selinux/.keep
diff --git a/overlay.d/50scos/usr/lib/okd/selinux/afterburn-permissive.cil b/overlay.d/50scos/usr/lib/okd/selinux/afterburn-permissive.cil
@@ -0,0 +1,3 @@
+; https://issues.redhat.com/browse/RHEL-49735
+(typeattributeset cil_gen_require afterburn_t)
+(typepermissive afterburn_t)
diff --git a/overrides-c9s.yaml b/overrides-c9s.yaml
@@ -8,3 +8,6 @@
 #  - c9s-appstream-mirror
 
 #packages:
+
+ostree-layers:
+  - overlay/50scos