SELinux enabled PGA install
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/dc24945a
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/dc24945a
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/dc24945a
Branch: refs/heads/develop
Commit: dc24945af0f8c91d3fa68fc1886bf60f4f5a583b
Parents: dca8e14
Author: Marcus Christie <[email protected]>
Authored: Sat Apr 15 14:57:21 2017 -0400
Committer: Marcus Christie <[email protected]>
Committed: Sat Apr 15 14:57:21 2017 -0400
----------------------------------------------------------------------
 dev-tools/ansible/roles/pga/handlers/main.yml | 4 +-
 dev-tools/ansible/roles/pga/tasks/main.yml | 71 ++++++++++++++++------
 2 files changed, 53 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/dc24945a/dev-tools/ansible/roles/pga/handlers/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/handlers/main.yml b/dev-tools/ansible/roles/pga/handlers/main.yml
index ff941a9..202da40 100644
--- a/dev-tools/ansible/roles/pga/handlers/main.yml
+++ b/dev-tools/ansible/roles/pga/handlers/main.yml
@@ -25,9 +25,9 @@
   become: yes

 - name: start httpd
-  service: name={{ httpd_name[ansible_os_family] }} state=started
+  service: name={{ httpd_name[ansible_os_family] }} state=started enabled=yes
   become: yes

 - name: restart httpd
-  service: name={{ httpd_name[ansible_os_family] }} state=restarted
+  service: name={{ httpd_name[ansible_os_family] }} state=restarted enabled=yes
   become: yes
http://git-wip-us.apache.org/repos/asf/airavata/blob/dc24945a/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml
index dff3002..cb3bb7b 100644
--- a/dev-tools/ansible/roles/pga/tasks/main.yml
+++ b/dev-tools/ansible/roles/pga/tasks/main.yml
@@ -25,19 +25,10 @@
 - include: install_deps_{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml

-# - name: Check previous deployments
-#   stat: path="{{ doc_root_dir }}" get_md5=no get_checksum=no
-#   register: check
-
-# Why? if it's new, we just created this dir above...
-# if not, can just pull from the git repo in the next task...
-#- name: delete previous deployments
-#   file: path="{{ doc_root_dir }}" state=absent
-
 - name: Git clone php gateway
-  git: + repo: "{{ pga_repo }}"
-    dest: "{{ doc_root_dir }}"
+    dest: "{{ doc_root_dir }}"
     version: "{{ git_branch }}"
     update: yes
     force: yes
@@ -47,17 +38,50 @@
   file: path="{{ user_data_dir }}" state=directory owner="{{user}}" group="{{group}}" mode=0777 recurse=yes
   become: yes

-# - name: Allow selinux outbound connection from web server
-  # command: setsebool -P httpd_can_network_connect 1
+# SELinux configuration
+- name: set selinux to enforcing
+  selinux: state=enforcing policy=targeted
+  become: yes
+  when: ansible_os_family == "RedHat"
+
+- name: set selinux context to allow read on public directory
+  sefcontext:
+    target: "{{ doc_root_dir }}/public(/.*)?"
+    setype: httpd_sys_content_t
+    state: present
+  become: yes
+  notify:
+    - restart httpd
+  when: ansible_os_family == "RedHat"
+
+- name: set selinux context to allow read/write on storage directory
+  sefcontext:
+    target: "{{ doc_root_dir }}/app/storage(/.*)?"
+    setype: httpd_sys_rw_content_t
+    state: present
+  become: yes
+  notify:
+    - restart httpd
+  when: ansible_os_family == "RedHat"
+
+- name: set selinux context to allow read/write on the user data directory
+  sefcontext:
+    target: "{{ user_data_dir }}(/.*)?"
+    setype: httpd_sys_rw_content_t
+    state: present
+  become: yes
+  notify:
+    - restart httpd
+  when: ansible_os_family == "RedHat"

-#SHOULD MAKE A PROFILE RATHER THAN DISABLING. SELINUX IS *GOOD*
-# going to permissive from enforcing doesn't require a reboot
-# permissive allows all, but still logs, allowing easy build
-# of a working profile.
-- name: set selinux permissive
-  selinux: state=permissive policy=default
+- name: allow httpd to connect out to the network
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
   become: yes
-  register: selinux_disable
+  notify:
+    - restart httpd
   when: ansible_os_family == "RedHat"

 - name: Run composer update
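Review bot: The `set selinux to enforcing` task does not handle a host where SELinux is currently disabled: in that state the `selinux` module can only rewrite the config file and reports `reboot_required`, so the sefcontext and seboolean tasks that follow in this hunk run while no policy is active, and the play ends with a gateway that is not actually confined until the next boot (and then only after a full relabel). Register the module result and stop, or at least warn, when a reboot is pending, so the operator does not mistake the first run for an enforcing install. The `httpd_can_network_connect` boolean also grants httpd unrestricted outbound TCP; if the gateway only needs its database the narrower `httpd_can_network_connect_db` would do, and either way a comment naming the outbound connections the PGA requires would make the broad boolean a documented choice rather than a leftover from the commented-out `setsebool` line.
```yaml
- name: set selinux to enforcing
  selinux: state=enforcing policy=targeted
  become: yes
  register: selinux_result
  when: ansible_os_family == "RedHat"

- name: stop when the SELinux change only takes effect after a reboot
  fail:
    msg: "SELinux state changed; reboot the host and rerun the playbook"
  when: ansible_os_family == "RedHat" and (selinux_result.reboot_required | default(false))

# … unchanged: sefcontext and seboolean tasks …
```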
@@ -85,6 +109,12 @@
   file: path="{{ doc_root_dir }}/app/storage" state=directory mode=0777 owner="{{user}}" group="{{group}}" recurse=yes
   become: yes

+# For SELinux, need to apply file contexts, but I'm not sure why since the contexts were created before the files/directories
+- name: run restorecon on those directories
+  command: restorecon -R {{ doc_root_dir }} {{ user_data_dir }}
+  become: yes
+  when: ansible_os_family == "RedHat"
+
 - name: Enable https and http service on public zone
   firewalld: service="{{ item }}" permanent=true state=enabled zone=public immediate=True
   with_items:
@@ -110,4 +140,5 @@
   authorized_key:
     user: "{{user}}"
     key: "{{ gateway_data_store_ssh_public_key }}"
+  become: yes
   when: gateway_data_store_ssh_public_key != ""
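Review bot: The comment above the `run restorecon on those directories` task says the author is unsure why the step is needed; the reason is that `sefcontext` only records the rule in the policy's file-context database and never relabels existing inodes, so the files created by the earlier git clone and composer tasks keep the label they were created with until `restorecon` applies the new rule. Replace the comment with `# sefcontext only records the rule in the policy database; restorecon relabels the existing files to match it`. As written the `command` task also reports changed on every run; running `restorecon -R -v` and gating on its output fixes that: `register: restorecon_result` and `changed_when: restorecon_result.stdout != ""`. The two directory paths are interpolated unquoted into the command line, so a path containing whitespace would be split into separate arguments; quoting them in the task is cheap insurance.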
