From 2bdb7313201aebe18951bd64ff12013562f97ab3 Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Fri, 5 Aug 2022 14:43:36 +0200
Subject: [PATCH] adding iptables exception SE Linux policies

---
 roles/rke2/selinux/my-iptables.te | 10 ++++++++++
 roles/rke2/tasks/main.yml | 2 +-
 roles/rke2/tasks/setup_host.yml | 31 +++++++++++++++++++++----------
 3 files changed, 32 insertions(+), 11 deletions(-)
 create mode 100644 roles/rke2/selinux/my-iptables.te

diff --git a/roles/rke2/selinux/my-iptables.te b/roles/rke2/selinux/my-iptables.te
new file mode 100644
index 0000000..9234d0f
--- /dev/null
+++ b/roles/rke2/selinux/my-iptables.te
@@ -0,0 +1,10 @@
+module my-iptables 1.0;
+
+require {
+	type iptables_t;
+	type cgroup_t;
+	class dir ioctl;
+}
+
+#============= iptables_t ==============
+allow iptables_t cgroup_t:dir ioctl;
\ No newline at end of file
diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index f65e0c7..38293ae 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -6,7 +6,7 @@
 - block:
   - include_tasks: setup_host.yml
   - include_tasks: install_rke2.yml
-  # when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' )
+  when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' )
 - include_tasks: templates.yml
   when: "state != 'absent' and 'master' in group_names "
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index 8bdcd7c..fefb629 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
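Review bot: The single `allow iptables_t cgroup_t:dir ioctl;` rule carries no record of the denial it answers, so a later maintainer cannot tell whether it is still needed once the distribution policy catches up. Add a comment above the rule, e.g. `# audit2allow-style rule for the AVC raised when xtables-nft-multi calls ioctl() on a cgroup directory (seen after a kernel update); drop once the base policy permits it`. If the ioctl is only a probe and iptables keeps working without it, a `dontaudit` rule would silence the log noise without widening what iptables_t may do; whether that is the case here cannot be told from the diff. The file also ends without a trailing newline.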
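Review bot: Re-enabling this `when:` on the block also gates `setup_host.yml`, where this same commit adds the my-iptables SELinux module, so a host that already has rke2 installed only receives the new policy when `upgrade` is set, although the kernel-update problem the commit targets mostly affects existing hosts. Either run the SELinux policy tasks outside the gated block or document that a run with `upgrade: true` is required after a kernel update. The condition also references `upgrade` unconditionally; unless the role declares a default for it (not visible in this diff), inventories that do not set it will fail evaluating the condition, so `(upgrade | default(false))` would be safer.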
@@ -71,21 +71,26 @@ name: etcd group: etcd +- name: Reboot but not on upgrades, so kernel updates only install at initial runs + ansible.builtin.reboot: + reboot_timeout: 3600 + when: ( not upgrade ) - name: Download root CA get_url: url: https://curl.se/ca/cacert.pem dest: /etc/ssl/certs -- name: Update CA trust - shell: update-ca-trust - - name: Disable SELinux selinux: policy: targeted state: permissive when: ( 'control-plane' in group_names ) +- name: Update CA trust + shell: update-ca-trust + + - name: Copy SELinux Policies template: src: ../selinux/my-openstack.te @@ -99,6 +104,19 @@ semodule -i /etc/selinux/targeted/policy/my-openstack.pp when: ( 'control-plane' in group_names ) +- name: Copy SELinux Policies for new Kernel () + template: + src: ../selinux/my-iptables.te + dest: /etc/selinux/targeted/policy/my-iptables.te + #when: ( 'control-plane' in group_names ) + +- name: Build SELinux exception module & allow xtables-nft-multi ioctl access on the cgroup directory + shell: | + checkmodule -M -m -o /etc/selinux/targeted/policy/my-iptables.mod /etc/selinux/targeted/policy/my-iptables.te + semodule_package -o /etc/selinux/targeted/policy/my-iptables.pp -m /etc/selinux/targeted/policy/my-iptables.mod + semodule -i /etc/selinux/targeted/policy/my-iptables.pp + #when: ( 'control-plane' in group_names ) + - name: Ensure /var/lib/rancher/rke2/server/manifests file: path: /var/lib/rancher/rke2/server/manifests @@ -111,10 +129,3 @@ state: directory recurse: yes -#- name: reboot (make sure SELinux is off) -# shell: | -# systemctl reboot -- name: Reboot but not on upgrades, so kernel updates only install at initial runs - ansible.builtin.reboot: - reboot_timeout: 3600 - when: ( not upgrade ) \ No newline at end of file -- GitLab
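Review bot: The relocated reboot task fires on every non-upgrade run of every host regardless of whether anything was updated, because its only condition is `when: ( not upgrade )`, while the task name promises a reboot for kernel updates; gating it on the registered result of the package-update task (outside this hunk) with something like `when: not upgrade and pkg_update is changed` would match the intent and avoid a wait of up to 3600 seconds on hosts with nothing to apply. `Update CA trust` was moved to after `Disable SELinux` without any comment; if the ordering is deliberate, state why in a comment above the task. Since the command needs no shell features, `command: update-ca-trust` is the narrower module. The surrounding task list continues outside the hunk.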
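Review bot: The `Copy SELinux Policies for new Kernel ()` / build pair rebuilds and reinstalls the module on every run, because the `shell` task has no `creates`, `changed_when` or link to the template result, so every play reports a change and re-runs checkmodule/semodule. Register the template task (`register: my_iptables_te`) and condition the build on it (`when: my_iptables_te is changed`), or move the build into a handler notified by the template. The two commented-out `#when: ( 'control-plane' in group_names )` lines read as leftovers: if agents really need the module (plausible, since the `Disable SELinux` task earlier in the file only makes control-plane hosts permissive), replace them with a comment saying so, otherwise remove them. The empty `()` in the task name looks like a placeholder that should be filled in or dropped.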