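---
# SELinux preparation for NGINX on RedHat-family hosts.
#
# Order of operations, top to bottom: install the SELinux tooling, drop
# enforcement to permissive while the policy is adjusted, enable the booleans
# and port labels NGINX needs, build and load the NGINX Plus policy module from
# the role's template, and finally (optionally) switch back to enforcing.
#
# Variables read here:
#   nginx_selinux_tcp_ports / nginx_selinux_udp_ports  - optional port lists
#   nginx_selinux_tempdir                              - scratch dir for the module build
#   nginx_selinux_enforcing                            - restore enforcing mode at the end
- name: (CentOS/RHEL) Install dependencies
  block:
    - name: (CentOS/RHEL 7) Install dependencies
      ansible.builtin.yum:
        name:
          - policycoreutils-python
          - setools
      when: ansible_facts['distribution_major_version'] is version('8', '!=')

    - name: (RHEL 8) Install dependencies
      ansible.builtin.yum:
        name:
          - libselinux-utils
          - policycoreutils
          - selinux-policy-targeted
      when: ansible_facts['distribution_major_version'] is version('8', '==')
  when: ansible_facts['os_family'] == "RedHat"

# Enforcement is relaxed for the rest of this file. It is only switched back
# by the final task, and only when nginx_selinux_enforcing is true, so a run
# that fails part-way through leaves the host in permissive mode until the
# role is re-run.
- name: Set SELinux mode to permissive
  ansible.builtin.selinux:
    state: permissive
    policy: targeted

# NOTE(review): httpd_can_network_connect is the broader of the two booleans
# set here (outbound connections from the web server domain in general);
# confirm it is required in addition to httpd_can_network_relay below.
- name: Allow SELinux HTTP network connections
  ansible.builtin.seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true

- name: Allow SELinux HTTP network relay connections
  ansible.builtin.seboolean:
    name: httpd_can_network_relay
    state: true
    persistent: true

# Extra listen ports are labelled http_port_t only when the corresponding
# variable is set; the default port set is left to the distribution policy.
- name: Allow SELinux TCP connections on specific ports
  community.general.seport:
    ports: "{{ nginx_selinux_tcp_ports }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: nginx_selinux_tcp_ports is defined

- name: Allow SELinux UDP connections on specific ports
  community.general.seport:
    ports: "{{ nginx_selinux_udp_ports }}"
    proto: udp
    setype: http_port_t
    state: present
  when: nginx_selinux_udp_ports is defined

# The policy source is rendered from the role template; the registered result
# drives the build and import steps below so that a changed template is
# always recompiled and reloaded rather than skipped because an old .mod/.pp
# artefact already exists in the temp dir.
- name: Create SELinux NGINX Plus module
  ansible.builtin.template:
    src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
    dest: "{{ nginx_selinux_tempdir }}/nginx-plus-module.te"
    mode: "0644"
  register: nginx_selinux_module

- name: Check SELinux NGINX Plus module
  ansible.builtin.command: "checkmodule -M -m -o {{ nginx_selinux_tempdir }}/nginx-plus-module.mod {{ nginx_selinux_tempdir }}/nginx-plus-module.te"
  changed_when: false
  when: nginx_selinux_module.changed | bool

- name: Compile SELinux NGINX Plus module
  ansible.builtin.command: "semodule_package -o {{ nginx_selinux_tempdir }}/nginx-plus-module.pp -m {{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
  changed_when: false
  when: nginx_selinux_module.changed | bool

# Loading the module does modify the host policy, but it is deliberately
# reported as unchanged (see the noqa) since the template task above already
# reports the change that triggers it.
- name: Import SELinux NGINX Plus module
  ansible.builtin.command: "semodule -i {{ nginx_selinux_tempdir }}/nginx-plus-module.pp" # noqa no-handler
  changed_when: false
  when: nginx_selinux_module.changed | bool

- name: Set SELinux mode to enforcing
  ansible.builtin.selinux:
    state: enforcing
    policy: targeted
  when: nginx_selinux_enforcing | bool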