From e122a607d2a61793d86e5194156313b8a469891f Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 27 Feb 2023 03:25:08 +0100
Subject: [PATCH] fix(system-upgrades): Deploy SELinux hotfix for iscsid

This patch fixes issues currently faced by longhorn, where the SELinux
policy denies a DAC_override for iscsid. Since I couldn't find on what
file it even tries to do this override, for now, this override is deployed
to fix unmountable volumes.
---
 .../k8s01/system-upgrades/iscsid_hotfix.yaml  | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 clusters/k8s01/system-upgrades/iscsid_hotfix.yaml

diff --git a/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
new file mode 100644
index 000000000..ba05e9434
--- /dev/null
+++ b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: fedora-install-iscsi-hotfix
+  namespace: system-upgrade
+type: Opaque
+stringData:
+  iscsid_hotfix.te: |
+    module iscsid_hotfix 1.0;
+
+    require {
+    	type iscsid_t;
+    	class capability dac_override;
+    }
+
+    #============= iscsid_t ==============
+    allow iscsid_t self:capability dac_override;
+
+  install.sh: |
+    #!/bin/sh
+    set -e
+    set -x
+    secrets="$(dirname $0)"
+    semodule_dir="$(mktemp -d)"
+
+    systemd-run --same-dir --wait --collect --service-type=exec dnf install -y selinux-policy-devel
+    systemd-run --same-dir --wait --collect --service-type=exec checkmodule -M -m -o "${semodule_dir}/iscsid_hotfix.mod" "$secrets/iscsid_hotfix.te"
+    systemd-run --same-dir --wait --collect --service-type=exec semodule_package -o "${semodule_dir}/iscsid_hotfix.pp" "${semodule_dir}/iscsid_hotfix.mod"
+    systemd-run --same-dir --wait --collect --service-type=exec semodule -i "${semodule_dir}/iscsid_hotfix.pp"
+
+
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: fedora-iscsi-hotfix
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  nodeSelector:
+    matchExpressions:
+      - key: feature.node.kubernetes.io/system-os_release.ID
+        operator: In
+        values:
+          - fedora
+      - key: feature.node.kubernetes.io/system-os_release.VERSION_ID.major
+        operator: In
+        values:
+          - "35"
+          - "36"
+          - "37"
+  serviceAccountName: system-upgrade
+  secrets:
+    - name: fedora-install-iscsi-hotfix
+      path: /host/run/system-upgrade/secrets/fedora
+  version: 1.0.0
+  upgrade:
+    image: quay.io/fedora/fedora:36
+    command: ["chroot", "/host"]
+    args: ["sh", "/run/system-upgrade/secrets/fedora/install.sh"]
+
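Review bot: The policy module at the top of the hunk grants `iscsid_t` the `dac_override` capability unconditionally, which lets the daemon bypass every DAC permission check on the node rather than the single path the commit message says could not be identified, and nothing in the module records that this breadth is deliberate. I would add above the allow rule `# TEMPORARY hotfix: blanket dac_override because the denied path is unknown; narrow this once the AVC denial has been traced (e.g. ausearch -m AVC -c iscsid)` so it is not later mistaken for a reviewed policy. In install.sh the directory from `mktemp -d` is never removed, so each plan run leaves it behind; `trap 'rm -rf "$semodule_dir"' EXIT` after the mktemp line covers that, and `secrets="$(dirname "$0")"` quotes the script path. The `dnf install -y selinux-policy-devel` also leaves the policy build toolchain permanently installed on every matching node; whether that fits the node baseline is worth a comment either way.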
-- 
GitLab