Templatize SELinux configuration
This commit is contained in:
@@ -1,5 +1,3 @@
|
|||||||
---
|
---
|
||||||
# defaults file for ensure_selinux
|
# defaults file for ensure_selinux
|
||||||
selinux_policy: 'targeted'
|
|
||||||
selinux_state: 'enforcing'
|
|
||||||
|
|
||||||
|
|||||||
110
tasks/main.yml
110
tasks/main.yml
@@ -1,12 +1,116 @@
|
|||||||
---
|
---
|
||||||
# tasks file for ensure_selinux
|
# tasks file for ensure_selinux
|
||||||
- name: 'Ensure SELinux is enforcing'
|
- name: 'include variables'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
include_vars:
|
||||||
|
file: '{{ lookup("first_found", findme ) }}'
|
||||||
|
name: 'ensure_selinux'
|
||||||
|
vars:
|
||||||
|
findme:
|
||||||
|
files:
|
||||||
|
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
|
||||||
|
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml'
|
||||||
|
- '{{ ansible_distribution }}-default.yml'
|
||||||
|
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
|
||||||
|
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml'
|
||||||
|
- '{{ ansible_os_family }}-default.yml'
|
||||||
|
- 'default.yml'
|
||||||
|
paths:
|
||||||
|
- '../vars/'
|
||||||
|
errors: 'ignore'
|
||||||
|
- name: 'package discovery'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- packages is not defined
|
||||||
|
ansible.builtin.package_facts:
|
||||||
|
- name: 'service discovery'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- services is not defined
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
- name: 'ensure packages'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- ensure_selinux is defined
|
||||||
|
- ensure_selinux.package_list is defined
|
||||||
|
- ensure_selinux.package_list is iterable
|
||||||
|
- packages[item.name] is not defined
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: '{{ item.name }}'
|
||||||
|
state: '{{ item.state }}'
|
||||||
|
loop: '{{ ensure_selinux.package_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} will be {{ item.state }}'
|
||||||
|
notify:
|
||||||
|
- 'ensure_selinux.package_facts'
|
||||||
|
- 'ensure_selinux.service_facts'
|
||||||
|
- name: 'ensure configurations'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- ensure_selinux is defined
|
||||||
|
- ensure_selinux.template_list is defined
|
||||||
|
- ensure_selinux.template_list is iterable
|
||||||
|
ansible.builtin.template:
|
||||||
|
backup: 'no'
|
||||||
|
dest: '{{ item.dest }}'
|
||||||
|
group: '{{ item.group | default(omit) }}'
|
||||||
|
mode: '{{ item.mode | default(omit) }}'
|
||||||
|
owner: '{{ item.owner | default(omit) }}'
|
||||||
|
selevel: '{{ iteml.selevel | default(omit) }}'
|
||||||
|
serole: '{{ item.serole | default(omit) }}'
|
||||||
|
setype: '{{ item.setype | default(omit) }}'
|
||||||
|
seuser: '{{ item.seuser | default(omit) }}'
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
loop: '{{ ensure_selinux.template_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.dest }} will be ensured'
|
||||||
|
notify:
|
||||||
|
- 'ensure_selinux.package_facts'
|
||||||
|
- 'ensure_selinux.service_facts'
|
||||||
|
- name: 'ensure services'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- ensure_selinux is defined
|
||||||
|
- ensure_selinux.service_list is defined
|
||||||
|
- ensure_selinux.service_list is iterable
|
||||||
|
ansible.builtin.service:
|
||||||
|
enabled: '{{ item.enabled }}'
|
||||||
|
name: '{{ item.name }}'
|
||||||
|
state: '{{ item.state }}'
|
||||||
|
loop: '{{ ensure_selinux.service_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} will be {{ item.state }}'
|
||||||
|
notify:
|
||||||
|
- 'ensure_selinux.package_facts'
|
||||||
|
- 'ensure_selinux.service_facts'
|
||||||
|
- name: 'Ensure SELinux is configured'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- ensure_selinux is defined
|
||||||
|
- ensure_selinux.selinux_policy is defined
|
||||||
|
- ensure_selinux.selinux_state is defined
|
||||||
ansible.posix.selinux:
|
ansible.posix.selinux:
|
||||||
policy: '{{ selinux_policy }}'
|
policy: '{{ ensure_selinux.selinux_policy }}'
|
||||||
state: '{{ selinux_state }}'
|
state: '{{ ensure_selinux.selinux_state }}'
|
||||||
register: 'results'
|
register: 'results'
|
||||||
- name: 'Reboot if required'
|
- name: 'Reboot if required'
|
||||||
when:
|
when:
|
||||||
- results.reboot_required
|
- results.reboot_required
|
||||||
reboot:
|
reboot:
|
||||||
|
- name: 'ensure seboolean'
|
||||||
|
when:
|
||||||
|
- ansible_system == 'Linux'
|
||||||
|
- ensure_selinux is defined
|
||||||
|
- ensure_selinux.seboolean_list is defined
|
||||||
|
- ensure_selinux.seboolean_list is iterable
|
||||||
|
ansible.posix.seboolean:
|
||||||
|
name: '{{ item.name }}'
|
||||||
|
persistent: '{{ item.persistent }}'
|
||||||
|
state: '{{ item.state }}'
|
||||||
|
loop: '{{ ensure_selinux.seboolean_list }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} will be {{ item.state }}'
|
||||||
|
- name: 'flush handlers'
|
||||||
|
meta: 'flush_handlers'
|
||||||
|
|
||||||
|
|||||||
14
vars/Fedora-34-default.yml
Normal file
14
vars/Fedora-34-default.yml
Normal file
@@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
# vars file for ensure_selinux
|
||||||
|
package_list:
|
||||||
|
- name: 'python3-libselinux'
|
||||||
|
state: 'present'
|
||||||
|
- name: 'python3-libsemanage'
|
||||||
|
state: 'present'
|
||||||
|
seboolean_list:
|
||||||
|
- name: 'antivirus_can_scan_system'
|
||||||
|
persistent: 'yes'
|
||||||
|
state: 'yes'
|
||||||
|
selinux_policy: 'targeted'
|
||||||
|
selinux_state: 'enforcing'
|
||||||
|
|
||||||
2
vars/defaults.yml
Normal file
2
vars/defaults.yml
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
# vars file for ensure_selinux
|
||||||
Reference in New Issue
Block a user