fwdriwer: clean firewall-init selinux module. New order in salt/allinone.sls

salt/allinone.sls

 include:
+  - manager
   - agentdriver
   - graphite
-  - manager
   - monitor-client
   - storagedriver
   - vmdriver

salt/fwdriver/configuration.sls

@@ -89,7 +89,20 @@ openvswitch2:
     - required_in:
       - cmd: ovs-bridge
 
-salt://fwdriver/files/install_selinux_module.sh:
-  cmd.script
+/root/firewall-init.te:
+  file.managed:
+    - source: salt://fwdriver/files/firewall-init.te
+    - template: jinja
+    - mode: 644
+
+firewall-init_semodule:
+  cmd.run:
+    - cwd: /root
+    - user: root
+    - name: checkmodule -M -m -o firewall-init.mod firewall-init.te; semodule_package -o firewall-init.pp -m firewall-init.mod; semodule -i firewall-init.pp
+    - unless: semodule -l |grep -qs ^vmdriver
+    - require:
+      - file: /root/firewall-init.te
+
 {% endif %}
 

salt/fwdriver/files/firewall-init.te

+
+module firewall-init 1.0;
+
+require {
+        type ifconfig_t;
+        type ifconfig_var_run_t;
+        type virtio_device_t;
+        type root_t;
+        class dir mounton;
+        class chr_file { read write };
+}
+
+#============= ifconfig_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow ifconfig_t ifconfig_var_run_t:dir mounton;
+
+#!!!! This avc is allowed in the current policy
+allow ifconfig_t root_t:dir mounton;
+
+#!!!! This avc is allowed in the current policy
+allow ifconfig_t virtio_device_t:chr_file { read write };

salt/fwdriver/files/install_selinux_module.sh

-#!/bin/bash
-
-semodule -i firewall-init.pp
-
-exit 0

salt/network/init.sls

@@ -26,6 +26,9 @@ firewall2:
     - require:
       - network: vm
 
+salt://network/files/fix_dhcp.sh:
+  cmd.script
+
 salt://network/files/reload_firewall.sh:
   cmd.script:
     - template: jinja
@@ -33,9 +36,6 @@ salt://network/files/reload_firewall.sh:
     - require:
       - service: firewall2
 
-salt://network/files/fix_dhcp.sh:
-  cmd.script
-
 isc-dhcp-server:
   service:
     - running