changed selinux disable to permissive

Selinux disabling requires reboot, changing to permissive mode does not. Permissive mode logs all potential actions, thus allowing one to build a working selinux profile from the logs, giving potential for a seamless move to enforcing mode (provided one doesn't build a profile from an owned machine...). Added this task to only run on RedHat machines, though selinux *can* and should be installed on Debian as well, not putting time on this till it's a priority.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/193f3b5a
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/193f3b5a
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/193f3b5a
Branch: refs/heads/ansible-testing-0.17
Commit: 193f3b5a143c069d4c9f1af655a7094d28ed7150
Parents: bb96168
Author: jecoulte <[email protected]>
Authored: Fri Jan 27 11:43:15 2017 -0500
Committer: jecoulte <[email protected]>
Committed: Fri Jan 27 11:43:15 2017 -0500

----------------------------------------------------------------------
 dev-tools/ansible/roles/pga/tasks/main.yml | 26 +++++++++----------------
 1 file changed, 9 insertions(+), 17 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/airavata/blob/193f3b5a/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml index 974ab58..3244e43 100644 --- a/dev-tools/ansible/roles/pga/tasks/main.yml +++ b/dev-tools/ansible/roles/pga/tasks/main.yml 
@@ -21,26 +21,18 @@ file: path="{{ user_data_dir }}" state=directory owner="{{user}}" group="{{group}}" mode=0777 recurse=yes become: yes - #Make sure selinux is dissabled in remote machine +# - name: Allow selinux outbound connection from web server + # command: setsebool -P httpd_can_network_connect 1 + +#SHOULD MAKE A PROFILE RATHER THAN DISABLING. SELINUX IS *GOOD* +# going to permissive from enforcing doesn't require a reboot +# permissive allows all, but still logs, allowing easy build +# of a working profile. - name: Disable selinux - selinux: state=disabled + selinux: state=permissive policy=default become: yes register: selinux_disable - -# need to restart after disable selinux -- name: restart machine - shell: sleep 2 && shutdown -r now "Ansible updates triggered" - async: 1 - poll: 0 - become: yes - ignore_errors: true - when: (selinux_disable|success) and (selinux_disable.changed == true) - register: restart - -- name: waiting for server to come back - local_action: wait_for host={{ inventory_hostname }} state=started delay=30 timeout=60 - when: (restart|success) and (restart.changed == true) - + when: ansible_os_family == "RedHat" - name: Run composer update composer: command=update working_dir="{{ doc_root_dir }}"
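Review bot: `policy=default` on the new `selinux:` line looks wrong for a task that is now limited to `ansible_os_family == "RedHat"`. RedHat-family systems normally name their policy `targeted`, while `default` is the Debian policy name, so this should probably read `selinux: state=permissive policy=targeted`; please confirm against a target host's /etc/selinux. Separately, the added comment only covers the enforcing-to-permissive case. Hosts that this role previously set to `state=disabled` need a reboot before SELinux is loaded in permissive mode and starts logging, and the restart and wait tasks that would have covered that are removed here, so either keep a reboot conditioned on that transition or document that already provisioned hosts must be rebooted once. The task is also still named `Disable selinux` and registers `selinux_disable`, which nothing in the visible lines reads any more; rename it to say it sets permissive mode and drop the register. Minor: the commented-out `setsebool` task has its two lines at different indentation, so it will not uncomment cleanly.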
