From d82d6ec357a05f533040460bd2befb4588624a2c Mon Sep 17 00:00:00 2001 From: aleskandro Date: Thu, 18 Jul 2024 22:37:58 +0100 Subject: [PATCH] Adds SELinux custom module for the afterburn systemd units the afterburn systemd units fail as the SELinux domain of the afterburn binary is restricted from changing the content of files in /run, /run/metadata and /home/$user/.ssh. This commit adds a afterburn-custom.cil SELinux module to allow the afterburn services to succeed and the nodes to properly join a cluster. The module is loaded by the okd-selinux.service implemented by 336013fcc9406063eeaf0aa4c7cffda310a2a449 Refers #1555 --- overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil diff --git a/overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil b/overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil new file mode 100644 index 00000000..1a32d159 --- /dev/null +++ b/overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil @@ -0,0 +1,8 @@ +; https://issues.redhat.com/browse/RHEL-49735 +(typeattributeset cil_gen_require var_run_t) +(typeattributeset cil_gen_require afterburn_t) +(typeattributeset cil_gen_require ssh_home_t) +(allow afterburn_t ssh_home_t (dir (read search))) +(allow afterburn_t ssh_home_t (dir (open))) +(allow afterburn_t var_run_t (dir (add_name create write))) +(allow afterburn_t var_run_t (file (create open write)))
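Review bot: the rules in the hunk do not match the commit message, which says afterburn is blocked from "changing the content of files in ... /home/$user/.ssh", yet the only ssh_home_t rules are `(allow afterburn_t ssh_home_t (dir (read search)))` and `(allow afterburn_t ssh_home_t (dir (open)))`, with no file-class permissions at all; either the message should say the .ssh access is read-only, or a file rule is missing and the service will still fail on the first key write. Please confirm against the actual AVC denials (ausearch -m AVC for afterburn_t) rather than the message text. Two smaller points on the same hunk: the message names the module afterburn-custom.cil but the file added is overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil, so one of them should be corrected, and the var_run_t rules (`(dir (add_name create write))`, `(file (create open write))`) lack `getattr`/`setattr` and `remove_name`/`unlink`, which are commonly needed when an existing file under /run/metadata is replaced on a re-run; if re-runs are expected, verify that path too. Finally, since var_run_t is the generic type for all of /run rather than just /run/metadata, a short CIL comment next to the rules explaining why the broader type is acceptable here (and linking the RHEL-49735 issue already cited) would help future reviewers judge the scope of what afterburn_t is being granted.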