Hello ALL,

I'm working on linux-system-role-selinux (an Ansible role for managing SELinux).

Expected functionality:

   - Set enforcing/permissive
   - restorecon portions of filesystem tree
   - Set/Get Booleans
   - Set/Get file contexts
   - Manage logins
   - Manage ports

Available modules in Ansible:

   - selinux
   - seboolean
   - sefcontext
   - seport

*Looking for a review of my code!*

tasks/main.yml:

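---
# tasks/main.yml for linux-system-role-selinux.
#
# Order of operations: install the SELinux Python bindings and semanage for
# the target distribution, refresh the ansible_selinux fact, set the permanent
# SELinux state/policy, stop with a reboot notice when the selinux module
# reports one, optionally purge local customisations, then apply the
# booleans, file contexts, restorecon paths, ports, logins and permissive
# domains given in the role variables.
#
# NOTE(review): selinux_state, selinux_policy, drop_local_modifications and
# the selinux_* list and *_purge variables are expected to be declared in the
# role's defaults — confirm, since an undefined name in a `when:` is a hard
# error rather than a skip.

- name: Install SELinux python2 tools for EL 7
  package:
    name:
      - libselinux-python
      - policycoreutils-python
    state: present
  when: >-
    (ansible_distribution_major_version | int <= 7) and
    (ansible_python_version is version('3', '<'))

- name: Install SELinux python3 tools for EL 7
  package:
    name:
      - libselinux-python3
      - policycoreutils-python3
    state: present
  when: >-
    (ansible_distribution_major_version | int <= 7) and
    (ansible_python_version is version('3', '>='))

- name: Install SELinux python3 tools for EL 8
  package:
    name:
      - python3-libselinux
      - policycoreutils-python-utils
    state: present
  when: ansible_distribution_major_version | int >= 8

# Re-gather only the SELinux fact: every task below reads it, and it may be
# missing or stale if fact gathering was off or the libselinux bindings were
# only just installed by the tasks above.
- name: Refresh facts ensuring SELinux status is available
  setup:
    filter: ansible_selinux

# `- name` needs the space to be a list item. The version compare must be
# numeric: as a string compare, "31" > "7" is false, so Fedora never matched.
- name: Install SELinux tool semanage
  package:
    name:
      - policycoreutils-python-utils
    state: present
  when: >-
    ansible_distribution == "RedHat" or
    (ansible_distribution_major_version | int > 7 and
    (ansible_distribution == "CentOS" or ansible_distribution == "Fedora"))

# Typo fix: the condition read `ans` instead of `and`.
- name: Set permanent SELinux state if enabled
  selinux:
    state: "{{ selinux_state | default(ansible_selinux.config_mode, true) }}"
    policy: "{{ selinux_policy | default(ansible_selinux.type, true) }}"
  register: selinux_mod_output_enabled
  when: ansible_selinux.status == "enabled" and (selinux_state or selinux_policy)

- name: Set permanent SELinux state if disabled
  selinux:
    state: "{{ selinux_state }}"
    policy: "{{ selinux_policy | default('targeted', true) }}"
  register: selinux_mod_output_disabled
  when: ansible_selinux.status == "disabled" and selinux_state

# Whichever of the two selinux tasks ran supplies reboot_required; a skipped
# task's registered result carries no such key, hence the `is defined` check.
- name: Set ansible facts if neded
  set_fact:
    selinux_reboot_required: "{{ selinux_mod_output_enabled.reboot_required
      if (selinux_mod_output_enabled.reboot_required is defined)
      else (selinux_mod_output_disabled.reboot_required | default(false)) }}"

- name: Fail if reboot is reboot_required
  fail:
    msg: "Reboot is required to apply changes. Re-execute the role after boot."
  when: selinux_reboot_required

- debug:
    msg: "SELinux is disabled on system - some SELinux modules can crash"
  when: ansible_selinux.status == "disabled"

# Purge tasks: each removes every local customisation of one kind so that the
# lists applied further down become the complete configuration. Each is gated
# on its *_purge variable and, being a plain `command`, reports "changed"
# whenever it runs.
- name: Drop all local modifications
  command: /usr/sbin/semanage -i -
  args:
    stdin: "{{ drop_local_modifications }}"
  when: selinux_all_purge | bool

- name: Purge all SELinux boolean local modifications
  command: /usr/sbin/semanage boolean -D
  when: selinux_booleans_purge | bool

- name: Purge all SELinux file context local modifications
  command: /usr/sbin/semanage fcontext -D
  when: selinux_fcontexts_purge | bool

- name: Purge all SELinux port local modifications
  command: /usr/sbin/semanage port -D
  when: selinux_ports_purge | bool

- name: Purge all SELinux login local modifications
  command: /usr/sbin/semanage login -D
  when: selinux_logins_purge | bool

# Reloads on every run where SELinux is not disabled, not only after a purge.
- name: Reload SELinux policy
  command: semodule -R
  when: ansible_selinux.status != "disabled"

# The remaining tasks need a loaded policy; `'status' in ansible_selinux`
# guards against a host where the fact could not be gathered at all.
- name: Set SELinux boolean states
  seboolean:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    persistent: "{{ item.persistent | default('no') }}"
  with_items: "{{ selinux_booleans }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

- name: Set SELinux file context mapping definitions
  sefcontext:
    target: "{{ item.target }}"
    setype: "{{ item.setype }}"
    ftype: "{{ item.ftype | default('a') }}"
    selevel: "{{ item.selevel | default(omit) }}"
    seuser: "{{ item.seuser | default(omit) }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ selinux_fcontexts }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

# Each path is spliced into a command line; `quote` keeps a path containing
# whitespace or shell metacharacters as a single argument instead of letting
# the argument splitter break it into several.
- name: Restore SELinux labels on filesystem tree
  command: /sbin/restorecon -R -v {{ item | quote }}
  with_items: "{{ selinux_restore_dirs }}"
  register: restorecon_cmd
  changed_when: '"Relabeled" in restorecon_cmd.stdout'

# A plain `command` task is skipped in check mode, so run the dry-run form
# (-n) explicitly there and report what would be relabeled.
- name: Restore SELinux labels on filesystem tree in check mode
  command: /sbin/restorecon -R -v -n {{ item | quote }}
  with_items: "{{ selinux_restore_dirs }}"
  register: restorecon_cmd
  changed_when: '"Would relabel" in restorecon_cmd.stdout'
  check_mode: false
  when: ansible_check_mode

# `default(present)` referenced an undefined variable named present; the
# intended fallback is the string 'present' (same fix in the selogin task).
- name: Set SELinux port type definitions
  seport:
    ports: "{{ item.ports }}"
    proto: "{{ item.proto | default('tcp') }}"
    setype: "{{ item.setype }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ selinux_ports }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

- name: Set linux user to SELinux user mappings
  selogin:
    login: "{{ item.login }}"
    seuser: "{{ item.seuser }}"
    serange: "{{ item.serange | default('s0') }}"
    selevel: "{{ item.selevel | default('s0') }}"
    state: "{{ item.state | default('present') }}"
    reload: "{{ item.reload | default(False) }}"
  with_items: "{{ selinux_logins }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

- name: Set SELinux permissive domains policy
  selinux_permissive:
    domain: "{{ item.domain }}"
    permissive: "{{ item.permissive }}"
    no_reload: "{{ item.no_reload | default(False) }}"
  with_items: "{{ selinux_permissives }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')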

General usage is demonstrated in the selinux-playbook.yml playbook.

selinux-playbook.yml:

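---
# Example playbook for linux-system-role-selinux: prepares a test directory
# and user, runs the role, and — when the role failed only because it asked
# for a reboot — reboots the managed host and runs the role again.

- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
    # 'on' / 'yes' are quoted on purpose: unquoted they parse as YAML booleans.
    selinux_booleans:
      - name: samba_enable_home_dirs
        state: 'on'
      - name: ssh_sysadm_login
        state: 'on'
        persistent: 'yes'
    selinux_fcontexts:
      - target: '/tmp/test_dir(/.*)?'
        setype: user_home_dir_t
        ftype: d
    selinux_restore_dirs:
      - /tmp/test_dir
    selinux_ports:
      - ports: '22100'
        proto: tcp
        setype: ssh_port_t
        state: present
    selinux_logins:
      - login: sar-user
        seuser: staff_u
        serange: 's0-s0:c0.c1023'
        state: present

  # prepare prerequisites which are used in this playbook
  tasks:
    - name: Creates directory
      file:
        path: /tmp/test_dir
        state: directory

    - name: Add a Linux System Roles SELinux User
      user:
        comment: Linux System Roles SELinux User
        name: sar-user

    - name: execute the role and catch errors
      block:
        - include_role:
            name: linux-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        # The fact is only set once the role reaches its set_fact task, so an
        # earlier failure (e.g. package install) leaves it undefined, and the
        # bare name would make this `when` itself error out instead of failing
        # with the intended message.
        - name: handle errors
          fail:
            msg: "role failed"
          when: not (selinux_reboot_required | default(false))

        - name: restart managed host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true

        - name: wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300

        - name: reapply the role
          include_role:
            name: linux-system-roles.selinux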



