From 613beb7ddf320e1551fe42c6d4844acdacb5ad81 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 9 Jul 2022 16:09:00 +0000
Subject: [PATCH] podman: Allow containers to read system certificates
---
 roles/podman/files/podman-certs.pp | Bin 0 -> 1048 bytes
 roles/podman/files/podman-certs.te | 12 ++++++++++++
 roles/podman/tasks/main.yml | 25 +++++++++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 roles/podman/files/podman-certs.pp
 create mode 100644 roles/podman/files/podman-certs.te
diff --git a/roles/podman/files/podman-certs.pp b/roles/podman/files/podman-certs.pp
new file mode 100644
index 0000000000000000000000000000000000000000..22ae496ffd0e5eb757c222896c38afd73084ab99
GIT binary patch literal 1048 zcmb`GQA)&63`OfGA}A=hf!TnfJIIfJ`sD&jZJ$t?X@}YYKiq=2UcWS_?Zq%UAdDB1 z+$8rUrM&n4`TDV!Wf^wn_U8Gi$NQW4ZQZP2=67wiUZk0q&fSn5xq%b6Ra-5K=Aukp z|Ge+{_2rd$*n~D5Obv2IV&Jh}BzojsDk?adc9j~PWi1@E4^OG=^Uj8BblbQjv9I07 z-h^uhTEk5!+omt-CUtp#=q1VY877@aenH-c!mo650wR3?+$PfodcX$%?Z`3d6sbjM zA9JF{LjGSnG(YZVk6=zP=@h96<^)rZI|Xd;qx%czJUVRGSQn}@*T cfJfso=n>3956-0y7dIZ`5|0-(R=xNGUrrh}mjD0& literal 0 HcmV?d00001
diff --git a/roles/podman/files/podman-certs.te b/roles/podman/files/podman-certs.te
new file mode 100644
index 0000000..b38eb47
--- /dev/null
+++ b/roles/podman/files/podman-certs.te
@@ -0,0 +1,12 @@
+
+module podman-certs 1.0;
+
+require {
+ type cert_t;
+ type container_t;
+ class file { open read };
+}
+
+#============= container_t ==============
+allow container_t cert_t:file read;
+allow container_t cert_t:file open;
diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml
index 21a0c6c..8e7acc3 100644
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
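Review bot: The two allow rules in podman-certs.te grant every container_t process read access to every file labeled cert_t on the host, not only the CA trust bundle, so if any private key material happens to carry the cert_t label it becomes readable from inside any container; a header comment stating that scope, and why a bind mount carrying a container-owned label was not used instead, would help the next maintainer judge the trade-off. The module also covers only `file { open read }`; if the path exposed to the container is a cert_t directory tree, `dir { search getattr }` and `file getattr` on cert_t will presumably be needed too, which is worth confirming against the audit log, since the `#=============` marker suggests the rules came from a single audit2allow run. container-selinux ships a `container_read_certs` boolean for this exact case; if the target release has it, a seboolean task like the existing httpd_can_network_connect one would replace the hand-built module entirely. Because the podman-certs.pp committed alongside is a binary blob that reviewers cannot check against this .te, either build it on the host with checkmodule/semodule_package or record in the header comment how the .pp was produced. Stylistically the two rules can be a single line, `allow container_t cert_t:file { open read };`.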
@@ -9,3 +9,28 @@
 name: httpd_can_network_connect
 state: true
 persistent: true
+
+- name: copy selinux module
+ copy:
+ dest: /usr/local/share/selinux/podman-certs.pp
+ src: podman-certs.pp
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: check if selinux module is loaded
+ command:
+ argv:
+ - semodule
+ - -l
+ register: result
+ check_mode: false
+ changed_when: false
+
+- name: insall selinux module
+ command:
+ argv:
+ - semodule
+ - -i
+ - /usr/local/share/selinux/podman-certs.pp
+ when: '"podman-certs" not in result.stdout_lines'
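Review bot: The install task in the last hunk runs only when the module name is absent from `semodule -l`, so a later change to podman-certs.pp is copied to /usr/local/share/selinux but never loaded; register the copy task's result (`register: module_copy`) and widen the condition to `when: module_copy.changed or "podman-certs" not in result.stdout_lines`. The exact-line membership test also assumes `semodule -l` prints bare module names; older policycoreutils releases presumably print a version column on the same line, in which case the match never succeeds and the install re-runs on every play, so the check should be verified on the target release or loosened to a substring match. `insall` in the last task name should read `install`. The unquoted `mode: 0644` is read as an octal integer by YAML here, but Ansible recommends `mode: '0644'` so a later edit to `644` is not silently taken as decimal.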