author | Rick Elrod <rick@elrod.me> | 2020-03-28 23:07:29 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-28 23:07:29 +0100 |
commit | bd9e31fcb01100a510653f6f49715833bd637d31 (patch) | |
tree | c96c0ca6dfa867921872deb3e0fd5496abe8f494 /hacking/tests | |
parent | Revert "ansilbe-doc list collections plugins (#67928)" (diff) | |
download | ansible-bd9e31fcb01100a510653f6f49715833bd637d31.tar.xz ansible-bd9e31fcb01100a510653f6f49715833bd637d31.zip |
Add a custom policy for hackers using ansible-test (#68535)
Signed-off-by: Rick Elrod <rick@elrod.me>
Diffstat (limited to 'hacking/tests')
-rw-r--r-- | hacking/tests/selinux/README.md | 22 | ||||
-rw-r--r-- | hacking/tests/selinux/ansible-podman.te | 17 | ||||
-rwxr-xr-x | hacking/tests/selinux/build.sh | 9 |
3 files changed, 48 insertions, 0 deletions
diff --git a/hacking/tests/selinux/README.md b/hacking/tests/selinux/README.md
new file mode 100644
index 0000000000..95c2b9e89e
--- /dev/null
+++ b/hacking/tests/selinux/README.md
@@ -0,0 +1,22 @@
+# ansible-podman selinux module
+
+On Fedora-derived systems (and possibly others), selinux can prevent podman
+from running the way we need it to for our tests to work.
+
+Loading this module (hopefully) allows you to
+[keep selinux enabled](https://stopdisablingselinux.com/) and still be able to
+run our tests.
+
+To use it, just run:
+
+```
+./build.sh
+```
+
+...which will build the module. Then run:
+
+```
+sudo semodule -i ansible-podman.pp
+```
+
+to insert and enable the module.
diff --git a/hacking/tests/selinux/ansible-podman.te b/hacking/tests/selinux/ansible-podman.te
new file mode 100644
index 0000000000..f2a786c184
--- /dev/null
+++ b/hacking/tests/selinux/ansible-podman.te
@@ -0,0 +1,17 @@
+module ansible-podman 1.0;
+
+require {
+ type container_t;
+ type cgroup_t;
+ type fusefs_t;
+ class dir { add_name create remove_name rmdir write };
+ class file { create relabelto write };
+ class bpf map_create;
+}
+
+
+allow container_t cgroup_t:dir { add_name create remove_name rmdir write };
+
+allow container_t cgroup_t:file { create write };
+allow container_t fusefs_t:file relabelto;
+allow container_t self:bpf map_create;
diff --git a/hacking/tests/selinux/build.sh b/hacking/tests/selinux/build.sh
new file mode 100755
index 0000000000..c378f0ff16
--- /dev/null
+++ b/hacking/tests/selinux/build.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -x
+set -e
+checkmodule -Mmo ansible-podman.mod ansible-podman.te
+semodule_package -o ansible-podman.pp -m ansible-podman.mod
+
+set +x
+echo "Module built. Now run this as root:"
+echo "semodule -i $(pwd)/ansible-podman.pp" |
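Review bot: The policy module has no comment saying which test step needs each allow rule, so when podman or the base container policy changes nobody can tell whether `allow container_t cgroup_t:dir { add_name create remove_name rmdir write };`, the fusefs_t relabelto grant or the self:bpf map_create grant is still required or can be dropped. Because the README installs it with `semodule -i`, the rules appear to apply to every process running as container_t on that host, not only the containers ansible-test starts, which is worth stating at the top of the file. I would add a header such as `# Relaxes cgroup, fusefs and bpf access for all container_t domains on this host, not only ansible-test containers; remove with: semodule -r ansible-podman` and a one-line comment above each allow naming the podman/ansible-test operation that was denied without it. The operation behind each rule is not visible in this commit, so those comments need the author's denial evidence rather than a guess.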
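Review bot: build.sh refers to ansible-podman.te, .mod and .pp relative to the caller's working directory, so running it from anywhere other than hacking/tests/selinux fails at the checkmodule line with a missing-file error, and the `$(pwd)` in the final echo would print a path that does not contain the built module. Adding `cd "$(dirname "$0")"` after the `set -e` line makes the script location-independent and keeps the printed semodule command correct. The intermediate ansible-podman.mod is also left behind after semodule_package; `rm -f ansible-podman.mod` after that line, or a comment noting it is a build artifact, would avoid it being mistaken for the installable module.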