podman: Allow containers to read system certificates

2022-07-09 16:09:00 +00:00 · 2022-07-09 16:09:00 +00:00 · 613beb7ddf
commit 613beb7ddf
parent 7349c688c5
3 changed files with 37 additions and 0 deletions
--- a/roles/podman/files/podman-certs.pp
+++ b/roles/podman/files/podman-certs.pp
--- a/roles/podman/files/podman-certs.te
+++ b/roles/podman/files/podman-certs.te
@ -0,0 +1,12 @@
+
+module podman-certs 1.0;
+
+require {
+	type cert_t;
+	type container_t;
+	class file { open read };
+}
+
+#============= container_t ==============
+allow container_t cert_t:file read;
+allow container_t cert_t:file open;
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@ -9,3 +9,28 @@
    name: httpd_can_network_connect
    state: true
    persistent: true
+
+- name: copy selinux module
+  copy:
+    dest: /usr/local/share/selinux/podman-certs.pp
+    src: podman-certs.pp
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: check if selinux module is loaded
+  command:
+    argv:
+      - semodule
+      - -l
+  register: result
+  check_mode: false
+  changed_when: false
+
+- name: insall selinux module
+  command:
+    argv:
+      - semodule
+      - -i
+      - /usr/local/share/selinux/podman-certs.pp
+  when: '"podman-certs" not in result.stdout_lines'