2020-06-30 18:59:53 +02:00
|
|
|
---
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: (CentOS/RHEL) Install dependencies
|
2020-09-15 21:27:06 +02:00
|
|
|
block:
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: (CentOS/RHEL 6/7) Install dependencies
|
2020-09-15 21:27:06 +02:00
|
|
|
yum:
|
|
|
|
name:
|
|
|
|
- policycoreutils-python
|
|
|
|
- setools
|
|
|
|
when: ansible_facts['distribution_major_version'] is version('8', '!=')
|
2020-06-30 18:59:53 +02:00
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: (CentOS/RHEL 8) Install dependencies
|
2020-09-15 21:27:06 +02:00
|
|
|
yum:
|
|
|
|
name:
|
|
|
|
- libselinux-utils
|
|
|
|
- policycoreutils
|
|
|
|
- selinux-policy-targeted
|
|
|
|
when: ansible_facts['distribution_major_version'] is version('8', '==')
|
|
|
|
when: ansible_facts['os_family'] == "RedHat"
|
2020-06-30 18:59:53 +02:00
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Set SELinux mode to permissive
|
2020-06-30 18:59:53 +02:00
|
|
|
selinux:
|
|
|
|
state: permissive
|
|
|
|
policy: targeted
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Allow SELinux HTTP network connections
|
2020-06-30 18:59:53 +02:00
|
|
|
seboolean:
|
|
|
|
name: httpd_can_network_connect
|
2021-06-02 17:47:44 +02:00
|
|
|
state: true
|
|
|
|
persistent: true
|
2020-06-30 18:59:53 +02:00
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Allow SELinux HTTP network connections
|
2020-06-30 18:59:53 +02:00
|
|
|
seboolean:
|
|
|
|
name: httpd_can_network_relay
|
2021-06-02 17:47:44 +02:00
|
|
|
state: true
|
|
|
|
persistent: true
|
2020-06-30 18:59:53 +02:00
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: (DEPRECATED) Allow SELinux TCP connections on status ports
|
2020-06-30 18:59:53 +02:00
|
|
|
seport:
|
|
|
|
ports: "{{ nginx_status_port }}"
|
|
|
|
proto: tcp
|
|
|
|
setype: http_port_t
|
|
|
|
state: present
|
|
|
|
when: nginx_status_port is defined
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: (DEPRECATED) Allow SELinux TCP connections on Rest API ports
|
2020-06-30 18:59:53 +02:00
|
|
|
seport:
|
|
|
|
ports: "{{ nginx_rest_api_port }}"
|
|
|
|
proto: tcp
|
|
|
|
setype: http_port_t
|
|
|
|
state: present
|
2020-07-23 21:03:26 +02:00
|
|
|
when: nginx_rest_api_port is defined
|
2020-06-30 18:59:53 +02:00
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Allow SELinux TCP connections on specific ports
|
2020-06-30 18:59:53 +02:00
|
|
|
seport:
|
|
|
|
ports: "{{ nginx_selinux_tcp_ports }}"
|
|
|
|
proto: tcp
|
|
|
|
setype: http_port_t
|
|
|
|
state: present
|
|
|
|
when: nginx_selinux_tcp_ports is defined
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Allow SELinux UDP connections on specific ports
|
2020-06-30 18:59:53 +02:00
|
|
|
seport:
|
|
|
|
ports: "{{ nginx_selinux_udp_ports }}"
|
|
|
|
proto: udp
|
|
|
|
setype: http_port_t
|
|
|
|
state: present
|
|
|
|
when: nginx_selinux_udp_ports is defined
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Create SELinux NGINX Plus module
|
2020-06-30 18:59:53 +02:00
|
|
|
template:
|
|
|
|
src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
|
2020-09-15 21:27:06 +02:00
|
|
|
dest: "{{ nginx_selinux_tempdir }}/nginx-plus-module.te"
|
2020-08-28 10:30:23 +02:00
|
|
|
mode: 0644
|
2020-06-30 18:59:53 +02:00
|
|
|
register: nginx_selinux_module
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Check SELinux NGINX Plus module
|
2020-09-15 21:27:06 +02:00
|
|
|
command: "checkmodule -M -m -o {{ nginx_selinux_tempdir }}/nginx-plus-module.mod {{ nginx_selinux_tempdir }}/nginx-plus-module.te"
|
2020-06-30 18:59:53 +02:00
|
|
|
args:
|
2020-09-15 21:27:06 +02:00
|
|
|
creates: "{{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
|
2020-06-30 18:59:53 +02:00
|
|
|
changed_when: false
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Compile SELinux NGINX Plus module
|
2020-09-15 21:27:06 +02:00
|
|
|
command: "semodule_package -o {{ nginx_selinux_tempdir }}/nginx-plus-module.pp -m {{ nginx_selinux_tempdir }}/nginx-plus-module.mod"
|
2020-06-30 18:59:53 +02:00
|
|
|
args:
|
2020-09-15 21:27:06 +02:00
|
|
|
creates: "{{ nginx_selinux_tempdir }}/nginx-plus-module.pp"
|
2020-06-30 18:59:53 +02:00
|
|
|
changed_when: false
|
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Import SELinux NGINX Plus module
|
2020-09-15 21:27:06 +02:00
|
|
|
command: "semodule -i {{ nginx_selinux_tempdir }}/nginx-plus-module.pp" # noqa 503
|
2020-06-30 18:59:53 +02:00
|
|
|
changed_when: false
|
2020-09-15 21:27:06 +02:00
|
|
|
when: nginx_selinux_module.changed | bool
|
2020-06-30 18:59:53 +02:00
|
|
|
|
2020-09-19 17:32:17 +02:00
|
|
|
- name: Set SELinux mode to enforcing
|
2020-06-30 18:59:53 +02:00
|
|
|
selinux:
|
|
|
|
state: enforcing
|
|
|
|
policy: targeted
|
2020-12-10 12:46:29 +01:00
|
|
|
when: nginx_selinux_enforcing | bool
|