podman: Allow containers to read system certificates
This commit is contained in:
parent
7349c688c5
commit
613beb7ddf
3 changed files with 37 additions and 0 deletions
BIN
roles/podman/files/podman-certs.pp
12
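--- a/roles/podman/files/podman-certs.te
+++ b/roles/podman/files/podman-certs.te
@@ -0,0 +1,12 @@
+
+module podman-certs 1.0;
+
+require {
+type cert_t;
+type container_t;
+class file { open read };
+}
+
+#============= container_t ==============
+allow container_t cert_t:file read;
+allow container_t cert_t:file open;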
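Review bot: The module carries no comment saying why container_t needs cert_t access or which workload produced the denial, and because it keys on the generic container_t domain the two allow rules apply to every container on the host, not just the one that needs the certificates. A header comment after the `module` line such as `# Lets any container_t domain open and read host CA certificate files (cert_t); generated from audit denials, revisit if a per-container type is introduced.` would record that scope for the next reader. If the certificate path the container reads goes through symlinks, a `lnk_file read` rule may also be needed, but confirm that against the audit log rather than adding it speculatively. The rendered hunk also shows the require-block entries without indentation; it is worth checking the committed file keeps the usual tab indent, though that is cosmetic.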
@ -9,3 +9,28 @@
|
||||||
name: httpd_can_network_connect
|
name: httpd_can_network_connect
|
||||||
state: true
|
state: true
|
||||||
persistent: true
|
persistent: true
|
||||||
|
|
||||||
|
- name: copy selinux module
|
||||||
|
copy:
|
||||||
|
dest: /usr/local/share/selinux/podman-certs.pp
|
||||||
|
src: podman-certs.pp
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: "{{ ansible_wheel }}"
|
||||||
|
|
||||||
|
- name: check if selinux module is loaded
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- semodule
|
||||||
|
- -l
|
||||||
|
register: result
|
||||||
|
check_mode: false
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: insall selinux module
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- semodule
|
||||||
|
- -i
|
||||||
|
- /usr/local/share/selinux/podman-certs.pp
|
||||||
|
when: '"podman-certs" not in result.stdout_lines'
|
||||||
|
|
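Review bot: The "insall selinux module" task is gated only on the module name being absent from `semodule -l`, so once it is loaded a rebuilt `podman-certs.pp` is copied by the preceding task but never reinstalled; register the copy result and use `when: certs_pp.changed or '"podman-certs" not in result.stdout_lines'`. Shipping a compiled `.pp` also means a reviewer cannot confirm it matches the `.te` in the same commit; building it on the host from the `.te` keeps the reviewed source as the thing that gets loaded. Note too that on policycoreutils versions whose `semodule -l` prints a version column the entries look like `podman-certs<TAB>1.0` and the membership test would never match, reinstalling on every run, so a prefix match or `semodule -l | grep` style check may be safer to confirm. The task name typo should read `install selinux module`, and the enclosing seboolean task (`httpd_can_network_connect`) begins before this hunk; the file header for this section is not shown on the page.
```yaml
- name: copy selinux module source
  copy:
    dest: /usr/local/share/selinux/podman-certs.te
    src: podman-certs.te
    mode: 0644
    owner: root
    group: "{{ ansible_wheel }}"
  register: certs_te

- name: compile selinux module
  command:
    argv:
      - checkmodule
      - -M
      - -m
      - -o
      - /usr/local/share/selinux/podman-certs.mod
      - /usr/local/share/selinux/podman-certs.te
  when: certs_te.changed

- name: package selinux module
  command:
    argv:
      - semodule_package
      - -o
      - /usr/local/share/selinux/podman-certs.pp
      - -m
      - /usr/local/share/selinux/podman-certs.mod
  when: certs_te.changed

# … unchanged: check if selinux module is loaded …

- name: install selinux module
  command:
    argv:
      - semodule
      - -i
      - /usr/local/share/selinux/podman-certs.pp
  when: certs_te.changed or '"podman-certs" not in result.stdout_lines'
```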