Add a custom policy for hackers using ansible-test (#68535)

Signed-off-by: Rick Elrod <rick@elrod.me>

.gitignore

@@ -76,6 +76,8 @@ ansible.egg-info/
 /test/integration/cloud-config-*.*
 !/test/integration/cloud-config-*.*.template
 .python-version
+/hacking/tests/selinux/*.mod
+/hacking/tests/selinux/*.pp
 # Release directory
 packaging/release/ansible_release
 /.cache/

hacking/tests/selinux/README.md

@@ -0,0 +1,22 @@
+# ansible-podman selinux module
+
+On Fedora-derived systems (and possibly others), selinux can prevent podman
+from running the way we need it to for our tests to work.
+
+Loading this module (hopefully) allows you to
+[keep selinux enabled](https://stopdisablingselinux.com/) and still be able to
+run our tests.
+
+To use it, just run:
+
+```
+./build.sh
+```
+
+...which will build the module. Then run:
+
+```
+sudo semodule -i ansible-podman.pp
+```
+
+to insert and enable the module.

hacking/tests/selinux/ansible-podman.te

@@ -0,0 +1,17 @@
+module ansible-podman 1.0;
+
+require {
+        type container_t;
+        type cgroup_t;
+        type fusefs_t;
+        class dir { add_name create remove_name rmdir write };
+        class file { create relabelto write };
+        class bpf map_create;
+}
+
+
+allow container_t cgroup_t:dir { add_name create remove_name rmdir write };
+
+allow container_t cgroup_t:file { create write };
+allow container_t fusefs_t:file relabelto;
+allow container_t self:bpf map_create;

hacking/tests/selinux/build.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -x
+set -e
+checkmodule -Mmo ansible-podman.mod ansible-podman.te
+semodule_package -o ansible-podman.pp -m ansible-podman.mod
+
+set +x
+echo "Module built. Now run this as root:"
+echo "semodule -i $(pwd)/ansible-podman.pp"