diff --git a/.gitignore b/.gitignore
index 4b7a195dee3..c9a324dda97 100644
--- a/.gitignore
+++ b/.gitignore
@@ -76,6 +76,8 @@ ansible.egg-info/
 /test/integration/cloud-config-*.*
 !/test/integration/cloud-config-*.*.template
 .python-version
+/hacking/tests/selinux/*.mod
+/hacking/tests/selinux/*.pp
 # Release directory
 packaging/release/ansible_release
 /.cache/
diff --git a/hacking/tests/selinux/README.md b/hacking/tests/selinux/README.md
new file mode 100644
index 00000000000..95c2b9e89e6
--- /dev/null
+++ b/hacking/tests/selinux/README.md
@@ -0,0 +1,22 @@
+# ansible-podman selinux module
+
+On Fedora-derived systems (and possibly others), selinux can prevent podman
+from running the way we need it to for our tests to work.
+
+Loading this module (hopefully) allows you to
+[keep selinux enabled](https://stopdisablingselinux.com/) and still be able to
+run our tests.
+
+To use it, just run:
+
+```
+./build.sh
+```
+
+...which will build the module. Then run:
+
+```
+sudo semodule -i ansible-podman.pp
+```
+
+to insert and enable the module.
diff --git a/hacking/tests/selinux/ansible-podman.te b/hacking/tests/selinux/ansible-podman.te
new file mode 100644
index 00000000000..f2a786c1849
--- /dev/null
+++ b/hacking/tests/selinux/ansible-podman.te
@@ -0,0 +1,17 @@
+module ansible-podman 1.0;
+
+require {
+ type container_t;
+ type cgroup_t;
+ type fusefs_t;
+ class dir { add_name create remove_name rmdir write };
+ class file { create relabelto write };
+ class bpf map_create;
+}
+
+
+allow container_t cgroup_t:dir { add_name create remove_name rmdir write };
+
+allow container_t cgroup_t:file { create write };
+allow container_t fusefs_t:file relabelto;
+allow container_t self:bpf map_create;
diff --git a/hacking/tests/selinux/build.sh b/hacking/tests/selinux/build.sh
new file mode 100755
index 00000000000..c378f0ff16a
--- /dev/null
+++ b/hacking/tests/selinux/build.sh
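Review bot: The four allow rules in ansible-podman.te grant the rights to every process labelled container_t on the host, not only the containers the test suite starts, and the file does not say which denial each rule answers, so a later reader cannot tell whether a rule is still needed. I would add a header comment after the `module` line, e.g. `# Loosens container_t for the podman-based test suite; each allow below answers an AVC denial hit during the tests.` and `# NOTE: semodule -i makes this apply to all container_t processes on the host, not only test containers.`, plus a one-line comment above each allow naming the test or operation that triggered it. The cgroup_t dir/file writes look like the access the container-selinux boolean container_manage_cgroup is meant to enable; if that covers the actual denials, toggling the boolean would be a narrower fix than shipping a custom module, though I have not confirmed it from this page. The fusefs_t relabelto and self:bpf map_create rules are the ones most worth justifying in a comment, since nothing here shows what needs them.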
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -x
+set -e
+checkmodule -Mmo ansible-podman.mod ansible-podman.te
+semodule_package -o ansible-podman.pp -m ansible-podman.mod
+
+set +x
+echo "Module built. Now run this as root:"
+echo "semodule -i $(pwd)/ansible-podman.pp"
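Review bot: build.sh only works when invoked from hacking/tests/selinux, because `checkmodule` and `semodule_package` take bare relative filenames and the final echo prints `$(pwd)`, which is wrong from any other directory (the README's `./build.sh` assumes the same). Inserting `cd "$(dirname "${BASH_SOURCE[0]}")"` right after `set -e` makes the script location-independent and keeps the printed absolute path correct. With `set -e`, a missing checkmodule (from the checkpolicy package) or semodule_package (policycoreutils) just aborts with a command-not-found line, so a header comment such as `# Requires checkpolicy and policycoreutils; build on the host whose policy you are extending.` would spare the next person that guess. `set -x` before `set -e` also traces the `set -e` line itself, which is harmless but noisy; `set -ex` on one line is cleaner.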