This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata.git
The following commit(s) were added to refs/heads/master by this push:
new 61ee916aad AIRAVATA-3609 SELinux updates for tusd role
61ee916aad is described below
commit 61ee916aad4bec504eda7c74f92550037ac15695
Author: Marcus Christie <[email protected]>
AuthorDate: Tue Aug 2 17:34:53 2022 -0400
AIRAVATA-3609 SELinux updates for tusd role
---
dev-tools/ansible/roles/tusd/files/my-tusd.te | 32 +++++++++++++++++++
dev-tools/ansible/roles/tusd/tasks/main.yml | 46 +++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
diff --git a/dev-tools/ansible/roles/tusd/files/my-tusd.te
b/dev-tools/ansible/roles/tusd/files/my-tusd.te
new file mode 100644
index 0000000000..1c2cdbefd2
--- /dev/null
+++ b/dev-tools/ansible/roles/tusd/files/my-tusd.te
@@ -0,0 +1,32 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+module my-tusd 1.0;
+
+require {
+ type init_t;
+ type user_home_t;
+ class file { execute execute_no_trans open read };
+}
+
+#============= init_t ==============
+allow init_t user_home_t:file execute_no_trans;
+
+#!!!! This avc is allowed in the current policy
+allow init_t user_home_t:file { execute open read };
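Review bot: `allow init_t user_home_t:file execute_no_trans`, together with the `{ execute open read }` rule under it, lets systemd execute in its own init_t domain any file labelled user_home_t — every file under every user's home directory, not only the tusd binary — so the module relaxes confinement far beyond what the service needs. If the binary lives in a home directory, relabelling just that path (`semanage fcontext -a -t bin_t '<path-to-tusd-binary>'` followed by `restorecon` on it) or installing it under /usr/local/bin lets the stock policy handle the transition and makes this module unnecessary. If the module is kept, the two allow rules are raw audit2allow output and can be collapsed into one, `allow init_t user_home_t:file { execute execute_no_trans open read };`, with the `#!!!! This avc is allowed in the current policy` line dropped in favour of a comment naming the service and path the exception exists for.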
diff --git a/dev-tools/ansible/roles/tusd/tasks/main.yml
b/dev-tools/ansible/roles/tusd/tasks/main.yml
index 928a3caf05..af7807abe0 100644
--- a/dev-tools/ansible/roles/tusd/tasks/main.yml
+++ b/dev-tools/ansible/roles/tusd/tasks/main.yml
@@ -54,6 +54,17 @@
immediate: yes
become: yes
+- name: check if SSL certificate exists
+ stat:
+ path: "{{ tusd_ssl_certificate_file }}"
+ register: stat_tusd_ssl_cert_result
+ become: yes
+
+- name: generate certificate if it doesn't exist
+ command: certbot --apache --non-interactive --agree-tos --email "{{
letsencrypt_email }}" -d {{ tusd_vhost_servername }} certonly
+ become: yes
+ when: not stat_tusd_ssl_cert_result.stat.exists
+
- name: copy SSL enabled tusd virtual host config file
template:
src: "tus-vhost.conf.j2"
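Review bot: In the `generate certificate if it doesn't exist` task, `-d {{ tusd_vhost_servername }}` is interpolated unquoted into the command string, so a value containing whitespace is split into extra certbot arguments by the `command` module's argument parsing; quote it like the email argument, `-d "{{ tusd_vhost_servername }}"`, or pass the command as an `argv:` list. The preceding `stat` task can then be dropped in favour of the `command` module's own `creates:` argument, which gives the same skip-if-present behaviour in one task and a correct `changed` status. The new lines also use `become: yes`; ansible-lint's truthy rule prefers `true`.

```yaml
- name: generate certificate if it doesn't exist
  command: >-
    certbot --apache --non-interactive --agree-tos
    --email "{{ letsencrypt_email }}" -d "{{ tusd_vhost_servername }}" certonly
  args:
    creates: "{{ tusd_ssl_certificate_file }}"
  become: true
```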
@@ -70,6 +81,41 @@
- restart httpd
when: ansible_os_family == "Debian"
+- name: double check policycoreutils installed (CentOS)
+ yum: name=policycoreutils-python state=installed
+ become: yes
+ when: ansible_distribution == "CentOS"
+
+- name: double check policycoreutils installed (Rocky)
+ dnf: name=python3-policycoreutils state=installed
+ become: yes
+ when: ansible_distribution == "Rocky"
+
+- name: Copy SELinux type enforcement file
+ copy: src=my-tusd.te dest=/tmp/
+
+- name: Compile SELinux module file
+ command: checkmodule -M -m -o /tmp/my-tusd.mod /tmp/my-tusd.te
+
+- name: Build SELinux policy package
+ command: semodule_package -o /tmp/my-tusd.pp -m /tmp/my-tusd.mod
+
+- name: unLoad SELinux policy package
+ command: semodule -r my-tusd
+ become: yes
+ ignore_errors: True
+
+- name: Load SELinux policy package
+ command: semodule -i /tmp/my-tusd.pp
+ become: yes
+
+- name: Remove temporary files
+ file: path={{ item }} state=absent
+ with_items:
+ - /tmp/my-tusd.mod
+ - /tmp/my-tusd.pp
+ - /tmp/my-tusd.te
+
- name: copy tus.service systemd unit file
template:
src: "tus.service.j2"
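Review bot: The `Copy SELinux type enforcement file` through `Remove temporary files` tasks carry no `when:` guard, yet the leading context shows this role also runs on Debian hosts (`ansible_os_family == "Debian"`), where checkmodule and semodule are not installed and these tasks will fail; only the two package-install tasks are conditioned, on `ansible_distribution`, so a `block:` with `when: ansible_os_family == "RedHat"` covering the whole group is the simplest fix. Staging the module in the world-writable `/tmp/` as the unprivileged connection user and then loading `/tmp/my-tusd.pp` with `become: yes` also leaves a window in which any other local user can replace or symlink the package before `semodule -i` installs it as root; building in a root-owned directory from the `tempfile` module, with `become: true` on every step, closes it. The `unLoad`/`Load` pair additionally reloads the policy and reports changed on every run, so a `semodule -l` check with `changed_when` (or comparing the `.pp` checksum) is needed for idempotence; these tasks use `key=value` argument strings where the rest of the file uses block YAML.

```yaml
- name: Build and load the tusd SELinux module (RedHat family only)
  become: true
  when: ansible_os_family == "RedHat"
  block:
    - name: Create private build directory
      tempfile:
        state: directory
        suffix: my-tusd
      register: selinux_build_dir

    - name: Copy SELinux type enforcement file
      copy:
        src: my-tusd.te
        dest: "{{ selinux_build_dir.path }}/my-tusd.te"

    # … unchanged in substance: checkmodule / semodule_package / semodule -r / semodule -i,
    #     with the /tmp/ paths replaced by "{{ selinux_build_dir.path }}/" …

    - name: Remove build directory
      file:
        path: "{{ selinux_build_dir.path }}"
        state: absent
```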