Templatize SELinux configuration
This commit is contained in:
@@ -1,5 +1,3 @@
|
||||
---
|
||||
# defaults file for ensure_selinux
|
||||
selinux_policy: 'targeted'
|
||||
selinux_state: 'enforcing'
|
||||
|
||||
|
||||
110
tasks/main.yml
110
tasks/main.yml
@@ -1,12 +1,116 @@
|
||||
---
|
||||
# tasks file for ensure_selinux
|
||||
- name: 'Ensure SELinux is enforcing'
|
||||
- name: 'include variables'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
include_vars:
|
||||
file: '{{ lookup("first_found", findme ) }}'
|
||||
name: 'ensure_selinux'
|
||||
vars:
|
||||
findme:
|
||||
files:
|
||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
|
||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml'
|
||||
- '{{ ansible_distribution }}-default.yml'
|
||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
|
||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml'
|
||||
- '{{ ansible_os_family }}-default.yml'
|
||||
- 'default.yml'
|
||||
paths:
|
||||
- '../vars/'
|
||||
errors: 'ignore'
|
||||
- name: 'package discovery'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- packages is not defined
|
||||
ansible.builtin.package_facts:
|
||||
- name: 'service discovery'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- services is not defined
|
||||
ansible.builtin.service_facts:
|
||||
- name: 'ensure packages'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- ensure_selinux is defined
|
||||
- ensure_selinux.package_list is defined
|
||||
- ensure_selinux.package_list is iterable
|
||||
- packages[item.name] is not defined
|
||||
ansible.builtin.package:
|
||||
name: '{{ item.name }}'
|
||||
state: '{{ item.state }}'
|
||||
loop: '{{ ensure_selinux.package_list }}'
|
||||
loop_control:
|
||||
label: '{{ item.name }} will be {{ item.state }}'
|
||||
notify:
|
||||
- 'ensure_selinux.package_facts'
|
||||
- 'ensure_selinux.service_facts'
|
||||
- name: 'ensure configurations'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- ensure_selinux is defined
|
||||
- ensure_selinux.template_list is defined
|
||||
- ensure_selinux.template_list is iterable
|
||||
ansible.builtin.template:
|
||||
backup: 'no'
|
||||
dest: '{{ item.dest }}'
|
||||
group: '{{ item.group | default(omit) }}'
|
||||
mode: '{{ item.mode | default(omit) }}'
|
||||
owner: '{{ item.owner | default(omit) }}'
|
||||
selevel: '{{ iteml.selevel | default(omit) }}'
|
||||
serole: '{{ item.serole | default(omit) }}'
|
||||
setype: '{{ item.setype | default(omit) }}'
|
||||
seuser: '{{ item.seuser | default(omit) }}'
|
||||
src: '{{ item.src }}'
|
||||
loop: '{{ ensure_selinux.template_list }}'
|
||||
loop_control:
|
||||
label: '{{ item.dest }} will be ensured'
|
||||
notify:
|
||||
- 'ensure_selinux.package_facts'
|
||||
- 'ensure_selinux.service_facts'
|
||||
- name: 'ensure services'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- ensure_selinux is defined
|
||||
- ensure_selinux.service_list is defined
|
||||
- ensure_selinux.service_list is iterable
|
||||
ansible.builtin.service:
|
||||
enabled: '{{ item.enabled }}'
|
||||
name: '{{ item.name }}'
|
||||
state: '{{ item.state }}'
|
||||
loop: '{{ ensure_selinux.service_list }}'
|
||||
loop_control:
|
||||
label: '{{ item.name }} will be {{ item.state }}'
|
||||
notify:
|
||||
- 'ensure_selinux.package_facts'
|
||||
- 'ensure_selinux.service_facts'
|
||||
- name: 'Ensure SELinux is configured'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- ensure_selinux is defined
|
||||
- ensure_selinux.selinux_policy is defined
|
||||
- ensure_selinux.selinux_state is defined
|
||||
ansible.posix.selinux:
|
||||
policy: '{{ selinux_policy }}'
|
||||
state: '{{ selinux_state }}'
|
||||
policy: '{{ ensure_selinux.selinux_policy }}'
|
||||
state: '{{ ensure_selinux.selinux_state }}'
|
||||
register: 'results'
|
||||
- name: 'Reboot if required'
|
||||
when:
|
||||
- results.reboot_required
|
||||
reboot:
|
||||
- name: 'ensure seboolean'
|
||||
when:
|
||||
- ansible_system == 'Linux'
|
||||
- ensure_selinux is defined
|
||||
- ensure_selinux.seboolean_list is defined
|
||||
- ensure_selinux.seboolean_list is iterable
|
||||
ansible.posix.seboolean:
|
||||
name: '{{ item.name }}'
|
||||
persistent: '{{ item.persistent }}'
|
||||
state: '{{ item.state }}'
|
||||
loop: '{{ ensure_selinux.seboolean_list }}'
|
||||
loop_control:
|
||||
label: '{{ item.name }} will be {{ item.state }}'
|
||||
- name: 'flush handlers'
|
||||
meta: 'flush_handlers'
|
||||
|
||||
|
||||
14
vars/Fedora-34-default.yml
Normal file
14
vars/Fedora-34-default.yml
Normal file
@@ -0,0 +1,14 @@
|
||||
---
|
||||
# vars file for ensure_selinux
|
||||
package_list:
|
||||
- name: 'python3-libselinux'
|
||||
state: 'present'
|
||||
- name: 'python3-libsemanage'
|
||||
state: 'present'
|
||||
seboolean_list:
|
||||
- name: 'antivirus_can_scan_system'
|
||||
persistent: 'yes'
|
||||
state: 'yes'
|
||||
selinux_policy: 'targeted'
|
||||
selinux_state: 'enforcing'
|
||||
|
||||
2
vars/defaults.yml
Normal file
2
vars/defaults.yml
Normal file
@@ -0,0 +1,2 @@
|
||||
---
|
||||
# vars file for ensure_selinux
|
||||
Reference in New Issue
Block a user