SElinux context for /etc/redis/sentinel.conf* files

Add redis_conf_t
Restore context in case file was recreated

Author: Peter-Sh

configs/redis-sentinel.service

@@ -5,6 +5,8 @@ Documentation=http://redis.io/documentation
 
 [Service]
 Type=notify
+# Try to restore context for sentinel.conf* as sentinel needs to write into these files
+ExecStartPre=-/bin/sh -c "[ -x /sbin/restorecon ] && /sbin/restorecon '/etc/redis/sentinel.conf*'"
 ExecStart=/usr/bin/redis-sentinel /etc/redis/sentinel.conf
 TimeoutStopSec=0
 Restart=always
@@ -22,6 +24,8 @@ ReadOnlyDirectories=/
 ReadWriteDirectories=-/var/lib/redis
 ReadWriteDirectories=-/var/log/redis
 ReadWriteDirectories=-/run/sentinel
+# To run restorecon in ExecStartPre
+PermissionsStartOnly=yes
 
 NoNewPrivileges=true
 CapabilityBoundingSet=CAP_SYS_RESOURCE

scripts/postinstall.sh

@@ -10,6 +10,11 @@ if command -v checkmodule &> /dev/null && command -v semodule_package &> /dev/nu
     semodule -i /usr/share/selinux/packages/redis-ce.pp
 fi
 
+# Allow writing to /etc/redis/sentinel.conf* for redis-sentinel
+if command -v semanage &> /dev/null; then
+    semanage fcontext -a -t redis_conf_t '/etc/redis/sentinel.conf*'
+fi
+
 #
 # Handle service setup
 # $1 will be 1 for initial install and 2 for upgrade