
ansible-role-selinux's Introduction

Install and configure selinux and its required libraries on your system.


This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  roles:
    - role: robertdebock.selinux
      selinux_reboot: false
      selinux_booleans:
        - name: http_can_network_connect
        - name: abrt_anon_write
          state: false
          persistent: false

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap

Also see a full explanation and example on how to use these roles.

The default values for the variables are set in defaults/main.yml:

---
# defaults file for selinux

# The state, either disabled, permissive or enforcing.
selinux_state: enforcing

# The policy, default: see vars/main.yml.
# The policy differs per distribution, mostly because Debian and Ubuntu use 'default' and other distributions use 'targeted'.
selinux_policy: "{{ _selinux_policy[ansible_os_family] | default(_selinux_policy['default']) }}"

# Should the machine be rebooted after changes?
selinux_reboot: true

# You can enable (or disable) booleans by specifying them in this list.
# selinux_booleans:
#   - name: http_can_network_connect
#   - name: abrt_anon_write
#     state: false
#     persistent: false
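The following playbook shows the variables above in use, together with pre-checks on the variable types and post-checks that read the resulting SELinux state and booleans back from the managed host. It is an added example, not the role's own code or a file from the repository. It assumes that robertdebock.bootstrap and robertdebock.selinux are installed from Galaxy, that the ansible.posix collection (which carries the selinux and seboolean modules on Ansible 2.10 and later) is installed on the control node, and it uses the standard httpd_can_network_connect and abrt_anon_write booleans of the targeted policy.

```yaml
---
# Added example playbook (not part of the role): apply robertdebock.selinux
# with explicit settings and verify what actually ended up on the host.
- name: Enforce SELinux, set booleans and verify the result
  hosts: all
  become: true
  gather_facts: true

  vars:
    selinux_state: enforcing
    # We do not let the role reboot; the post-checks below tell us whether
    # the running kernel still differs from the configured state.
    selinux_reboot: false
    selinux_booleans:
      - name: httpd_can_network_connect   # enabled and persistent (role defaults)
      - name: abrt_anon_write
        state: false
        persistent: true

  pre_tasks:
    - name: Check variable types and values before the role touches the system
      ansible.builtin.assert:
        that:
          # type_debug works on every Jinja version Ansible ships with
          - selinux_reboot | type_debug == "bool"
          - selinux_state in ["disabled", "permissive", "enforcing"]
        fail_msg: "selinux_state or selinux_reboot has an unexpected type or value"

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.selinux

  post_tasks:
    - name: Re-read the SELinux facts after the role has run
      ansible.builtin.setup:
        filter: ansible_selinux

    - name: Show running mode versus configured mode
      ansible.builtin.debug:
        msg: >-
          running mode: {{ ansible_selinux.mode | default('n/a') }},
          configured mode: {{ ansible_selinux.config_mode | default('n/a') }}

    - name: Fail when SELinux is not active in the running kernel
      ansible.builtin.assert:
        that:
          - ansible_selinux.status == "enabled"
          - ansible_selinux.config_mode == "enforcing"
        fail_msg: >-
          SELinux is not enforcing yet; reboot the host or run the role with
          selinux_reboot: true

    - name: Read the booleans back from the kernel
      ansible.builtin.command: getsebool httpd_can_network_connect abrt_anon_write
      changed_when: false
      register: sebool_out

    - name: Verify the booleans match the desired state
      ansible.builtin.assert:
        that:
          - "'httpd_can_network_connect --> on' in sebool_out.stdout"
          - "'abrt_anon_write --> off' in sebool_out.stdout"
        fail_msg: "booleans differ from the desired state: {{ sebool_out.stdout }}"
```

The variables are set at play level rather than on the role entry so that the pre_tasks assert can see them; role defaults are still overridden the same way. The order of the post-checks matters: getsebool exits non-zero when SELinux is disabled, so the status assert runs first and gives a clearer failure message than the command would.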

The following roles are used to prepare a system. You can prepare your system in another way.

Requirement
robertdebock.bootstrap

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

An overview of related roles is provided as a dependencies diagram in the repository.

This role has been tested on these container images:

container   tags
Alpine      all
Amazon      Candidate
EL          9
Debian      all
Fedora      all
Ubuntu      all

The minimum required Ansible version is 2.12; tests have been run against:

  • The previous version.
  • The current version.
  • The development version.

If you find issues, please register them in GitHub.

License: Apache-2.0.

Author: robertdebock

Please consider sponsoring me.

ansible-role-selinux's People

Contributors

robert-de-bock, robertdebock


ansible-role-selinux's Issues

Conditional check for selinux_reboot incorrect

Describe the bug

It looks like the conditional check for selinux_reboot is incorrect. At least it's not working under Ansible 2.9.6+.

Playbook

requirements.yml:

---
roles:
  - name: robertdebock.selinux
    version: 2.6.1

playbook.yml:

---
- name: Configure server
  hosts: HOSTNAME
  roles:
    - name: robertdebock.selinux
      selinux_state: enforcing
      selinux_reboot: false

Output

TASK [robertdebock.selinux : test if selinux_reboot is set correctly] **********************************************************************************************************************************************
fatal: [HOSTNAME]: FAILED! => {"msg": "The conditional check 'selinux_reboot is bool' failed. The error was: template error while templating string: no test named 'bool'. String: {% if selinux_reboot is bool %} True {% else %} False {% endif %}"}

Environment

  • Control node OS: Pop!_OS 20.04 LTS
  • Control node Ansible version: 2.9.6
  • Managed node OS: CentOS 8.2.2004

ADD seport management feature

Proposed feature

Thanks for this awesome collections of roles.
To be able to manage as many SELinux-related things as possible, I would propose integrating seport tools in this role.

It's vs its

In README -
"Install and configure selinux and its required libraries on your system."

sorry ;)

Missing required python3-policycoreutils package for RedHat

Describe the bug

The robertdebock.selinux role version 2.3.5 (pulled from Ansible Galaxy) is missing the required python3-policycoreutils package in vars/main.yml for RedHat:

  Amazon-2018: *rhel7
  RedHat:
    - python3-dnf
    - python3-libselinux
    - python3-libsemanage
    - python3-policycoreutils # <- NEW

This does NOT break the selinux role, but it can cause other roles to break. For example, if I use robertdebock.selinux set to enforce, and then subsequently use the robertdebock.httpd role, the latter fails at:

- name: modify selinux settings
  seboolean:
    name: "{{ item }}"
    state: yes
    persistent: yes
  when:
    - ansible_selinux.status is defined
    - ansible_selinux.status == "enabled"
  loop: "{{ httpd_sebooleans }}"

because the Ansible seboolean module fails due to the missing policycoreutils package.

Thanks,

Jim Reuter

Not working in ansible 2.10

Describe the bug

Running a playbook with the role leads to the following error:

ERROR! couldn't resolve module/action 'selinux'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '~/.ansible/roles/robertdebock.selinux/tasks/main.yml': line 12, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: manage selinux
  ^ here

Playbook

- name: Update system and enable SELinux
  become: true
  hosts: all
  roles:
    - role: robertdebock.selinux
      vars:
        selinux_state: enforcing
        selinux_policy: targeted
        # Should the machine be rebooted after changes?
        selinux_reboot: no
  tasks:
    - name: Update system
      command: yum upgrade -y

Environment

  • Control node OS: MacOS 19.6
  • Control node Ansible version: 2.10.0
  • Managed node OS: Amazon Linux 2
