I'm working on the linux-system-role-selinux role.
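---
# Python bindings and policycoreutils for the host's major release and the
# Python the managed node runs; exactly one of the three install tasks applies.
- name: Install SELinux python2 tools for EL 7
  package:
    name:
      - libselinux-python
      - policycoreutils-python
    state: present
  when: (ansible_distribution_major_version|int <= 7) and (ansible_python_version is version('3', '<'))

- name: Install SELinux python3 tools for EL 7
  package:
    name:
      - libselinux-python3
      - policycoreutils-python3
    state: present
  when: (ansible_distribution_major_version|int <= 7) and (ansible_python_version is version('3', '>='))

- name: Install SELinux python3 tools for EL 8
  package:
    name:
      - python3-libselinux
      - policycoreutils-python-utils
    state: present
  when: (ansible_distribution_major_version|int >= 8)

# Gather only the selinux fact so the later tasks can read ansible_selinux.status.
- name: Refresh facts ensuring SELinux status is available
  setup:
    filter: ansible_selinux

# The major version is compared as an integer: a string comparison against "7"
# is lexical and silently fails for two-digit releases (e.g. "38" > "7" is false).
- name: Install SELinux tool semanage
  package:
    name:
      - policycoreutils-python-utils
    state: present
  when: >-
    ansible_distribution == "RedHat" or
    (ansible_distribution_major_version | int > 7 and
    (ansible_distribution == "CentOS" or ansible_distribution == "Fedora"))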
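# Persist the requested state/policy. When a variable is empty the value
# currently in /etc/selinux/config (ansible_selinux.config_mode / .type) is kept.
- name: Set permanent SELinux state if enabled
  selinux:
    state: "{{ selinux_state | default(ansible_selinux.config_mode, true) }}"
    policy: "{{ selinux_policy | default(ansible_selinux.type, true) }}"
  register: selinux_mod_output_enabled
  # The conjunction was misspelled ("ans"), which Jinja rejects at evaluation time.
  when: ansible_selinux.status == "enabled" and ( selinux_state or selinux_policy )

- name: Set permanent SELinux state if disabled
  selinux:
    state: "{{ selinux_state }}"
    policy: "{{ selinux_policy | default('targeted', true) }}"
  register: selinux_mod_output_disabled
  when: ansible_selinux.status == "disabled" and selinux_state

# Whichever of the two tasks above ran decides whether a reboot is pending;
# if neither ran, the fact is false.
- name: Set ansible facts if neded
  set_fact:
    selinux_reboot_required: >-
      {{ selinux_mod_output_enabled.reboot_required
      if ( selinux_mod_output_enabled.reboot_required is defined ) else (
      selinux_mod_output_disabled.reboot_required | default(false) ) }}

- name: Fail if reboot is reboot_required
  fail:
    msg: "Reboot is required to apply changes. Re-execute the role after boot."
  when: selinux_reboot_required

- name: Warn that SELinux is disabled
  debug:
    msg: "SELinux is disabled on system - some SELinux modules can crash"
  when: ansible_selinux.status == "disabled"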
# Optional purges of local customizations. Every task is gated by its own
# selinux_*_purge flag; the full purge feeds a batch of semanage commands
# (drop_local_modifications) to semanage on stdin.
- name: Drop all local modifications
  command: /usr/sbin/semanage -i -
  args:
    stdin: "{{ drop_local_modifications }}"
  when: selinux_all_purge | bool

- name: Purge all SELinux boolean local modifications
  command: /usr/sbin/semanage boolean -D
  when: selinux_booleans_purge | bool

- name: Purge all SELinux file context local modifications
  command: /usr/sbin/semanage fcontext -D
  when: selinux_fcontexts_purge | bool

- name: Purge all SELinux port local modifications
  command: /usr/sbin/semanage port -D
  when: selinux_ports_purge | bool

- name: Purge all SELinux login local modifications
  command: /usr/sbin/semanage login -D
  when: selinux_logins_purge | bool

# Reload the policy after the purges; skipped when SELinux is disabled.
- name: Reload SELinux policy
  command: semodule -R
  when: ansible_selinux.status != "disabled"
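# Booleans and file contexts are only applied when the selinux fact is present
# and SELinux is not disabled.
- name: Set SELinux boolean states
  seboolean:
    # seboolean requires the boolean's name; loop items carry it as item.name.
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    persistent: "{{ item.persistent|default('no') }}"
  with_items: "{{ selinux_booleans }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

- name: Set SELinux file context mapping definitions
  sefcontext:
    target: "{{ item.target }}"
    setype: "{{ item.setype }}"
    ftype: "{{ item.ftype | default('a') }}"
    # omit leaves the module default in place when the item does not set these.
    selevel: "{{ item.selevel | default(omit) }}"
    seuser: "{{ item.seuser | default(omit) }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ selinux_fcontexts }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')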
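# Relabel the configured directory trees. Each path is quoted so that a value
# containing whitespace or shell metacharacters stays a single argument when the
# command module splits the line.
- name: Restore SELinux labels on filesystem tree
  command: /sbin/restorecon -R -v {{ item | quote }}
  with_items: "{{ selinux_restore_dirs }}"
  register: restorecon_cmd
  changed_when: '"Relabeled" in restorecon_cmd.stdout'

# Check mode would normally skip the command above; restorecon -n only reports
# what would change, so the task is forced to run to give a meaningful result.
- name: Restore SELinux labels on filesystem tree in check mode
  command: /sbin/restorecon -R -v -n {{ item | quote }}
  with_items: "{{ selinux_restore_dirs }}"
  register: restorecon_cmd
  changed_when: '"Would relabel" in restorecon_cmd.stdout'
  check_mode: false
  when: ansible_check_mode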
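# Ports, login mappings and permissive domains; all skipped when SELinux is disabled.
- name: Set SELinux port type definitions
  seport:
    ports: "{{ item.ports }}"
    proto: "{{ item.proto | default('tcp') }}"
    setype: "{{ item.setype }}"
    # 'present' is a string literal; unquoted it referenced an undefined variable.
    state: "{{ item.state | default('present') }}"
  with_items: "{{ selinux_ports }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

- name: Set linux user to SELinux user mappings
  selogin:
    login: "{{ item.login }}"
    seuser: "{{ item.seuser }}"
    serange: "{{ item.serange | default('s0') }}"
    selevel: "{{ item.selevel | default('s0') }}"
    state: "{{ item.state | default('present') }}"
    reload: "{{ item.reload | default(False) }}"
  with_items: "{{ selinux_logins }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')

- name: Set SELinux permissive domains policy
  selinux_permissive:
    domain: "{{ item.domain }}"
    permissive: "{{ item.permissive }}"
    no_reload: "{{ item.no_reload | default(False) }}"
  with_items: "{{ selinux_permissives }}"
  when: ('status' in ansible_selinux) and (ansible_selinux.status != 'disabled')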
General usage is demonstrated in the selinux-playbook.yml playbook.
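---
# Example playbook: applies the role, and if the role stops because a reboot is
# required, reboots the host and re-applies the role.
- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
    selinux_fcontexts:
      - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd' }
    selinux_restore_dirs:
      - /tmp/test_dir
    selinux_ports:
      - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
    selinux_logins:
      - { login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }
  # prepare prerequisites which are used in this playbook
  tasks:
    - name: Creates directory
      file:
        path: /tmp/test_dir
        state: directory
    - name: Add a Linux System Roles SELinux User
      user:
        comment: Linux System Roles SELinux User
        name: sar-user
    - name: execute the role and catch errors
      block:
        - include_role:
            name: linux-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        # The fact may be undefined if the role failed before setting it, so it
        # defaults to false; otherwise the undefined-variable error would mask
        # the real failure.
        - name: handle errors
          fail:
            msg: "role failed"
          when: not (selinux_reboot_required | default(false))
        # Fire-and-forget reboot; the connection drop is expected, hence ignore_errors.
        - name: restart managed host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true
        - name: wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300
        - name: reapply the role
          include_role:
            name: linux-system-roles.selinux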