SELinux: allow keepalived to cat haproxy pid #47
Conversation
On CentOS 7, an SELinux denial occurs when keepalived tries to read haproxy's PID file. This patch adds SELinux policy to allow this activity and breaks the SELinux compilation part of the role into a reusable set of tasks.
|
I will spin up my centos tests today. |
|
My tests don't do integration tests of keepalived + haproxy, merely keepalived. |
| @@ -0,0 +1,23 @@ | |||
| # Copyright 2017, Rackspace US, Inc. | |||
There was a problem hiding this comment.
I don't think this should be shipped into keepalived.
It's a good example so we could keep it, but I think it should live in OSA
tasks/keepalived_selinux.yml
Outdated
| args: | ||
| creates: /etc/selinux/targeted/active/modules/400/keepalived_ping/cil | ||
| chdir: /tmp/ansible-keepalived-selinux | ||
| - include: keepalived_selinux_compile.yml |
There was a problem hiding this comment.
I'm fine with keeping this feature, this way this keepalived role stays an "all bolts included" keepalived deployment tool.
However, we should avoid feature bloat, and stick only to bare minimum.... (see next comment)
tasks/keepalived_selinux.yml
Outdated
| state: absent | ||
| when: | ||
| - '"keepalived_ping" not in selinux_modules.stdout' | ||
| - "keepalived_haproxy_pid_file" |
There was a problem hiding this comment.
Therefore, I think these items should be coming from a variable, named keepalived_selinux_policy_files, with a default value of either [] or [ 'keepalived_ping'].
I can't adapt your PR, so could you please update it?
This variable could then be updated in OSA (with a group var for example), to compile the files.
OSA can provide additional files, like the haproxy pid one.
|
The code passed my tests, but I'd rather see some of these features be optional, by either using a role as dependency, or making these SELinux bits running optionally depending on a var (see review above) |
Keepalived role doesn't need HAProxy pid SELinux permissions. Therefore the keepalived_haproxy_pid_file was removed from the list of rules to compile. However, flexibility could be advisable, and the list of rules to compile should not be static, but instead be an overridable list. By default, the list will compile the ping rule, as it was done before, for retro-compatibility. But a deployer can now provide path to files to compile.
On CentOS 7, an SELinux denial occurs when keepalived tries to read
haproxy's PID file. This patch adds SELinux policy to allow this
activity and breaks the SELinux compilation part of the role into
a reusable set of tasks.