ansible-role-nginx/tasks/prerequisites/setup-selinux.yml

111 lines
3.0 KiB
YAML
Raw Normal View History

---
2020-08-19 18:39:17 +02:00
- name: "(Setup: SELinux) Install Required CentOS/RHEL 6/7 Dependencies"
package:
name:
- policycoreutils-python
- setools
state: present
when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version != "8"
2020-08-19 18:39:17 +02:00
- name: "(Setup: SELinux) Install Required CentOS/RHEL 8 Dependencies"
package:
name:
- selinux-policy-targeted
- libselinux-utils
- policycoreutils
state: present
when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "8"
- name: "(Setup: SELinux) Check if SELinux is Enabled"
debug:
msg: "You need to enable selinux, if it was disabled you need to reboot"
when: ansible_selinux is undefined
- name: "(Setup: SELinux) Setup Permissive SELinux"
selinux:
state: permissive
policy: targeted
changed_when: false
when: ansible_selinux.mode == "enforcing"
- name: "(Setup: SELinux) Allow HTTP Network Connection"
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
- name: "(Setup: SELinux) Allow HTTP Relay Connection"
seboolean:
name: httpd_can_network_relay
state: yes
persistent: yes
- name: "(Setup: SELinux) Allow Status Ports"
seport:
ports: "{{ nginx_status_port }}"
proto: tcp
setype: http_port_t
state: present
when: nginx_status_port is defined
- name: "(Setup: SELinux) Allow Rest API Ports"
seport:
ports: "{{ nginx_rest_api_port }}"
proto: tcp
setype: http_port_t
state: present
2020-07-23 21:03:26 +02:00
when: nginx_rest_api_port is defined
- name: "(Setup: SELinux) Allow Specific TCP Ports"
seport:
ports: "{{ nginx_selinux_tcp_ports }}"
proto: tcp
setype: http_port_t
state: present
when: nginx_selinux_tcp_ports is defined
- name: "(Setup: SELinux) Allow Specific UDP Ports"
seport:
ports: "{{ nginx_selinux_udp_ports }}"
proto: udp
setype: http_port_t
state: present
when: nginx_selinux_udp_ports is defined
- name: "(Setup: SELinux) Create NGINX Plus Module"
template:
src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
dest: "{{ nginx_tempdir }}/nginx-plus-module.te"
mode: 0644
register: nginx_selinux_module
- name: "(Setup: SELinux) Check NGINX Plus Module"
command: "checkmodule -M -m -o {{ nginx_tempdir }}/nginx-plus-module.mod {{ nginx_tempdir }}/nginx-plus-module.te"
args:
creates: "{{ nginx_tempdir }}/nginx-plus-module.mod"
changed_when: false
- name: "(Setup: SELinux) Compile NGINX Plus Module"
command: "semodule_package -o {{ nginx_tempdir }}/nginx-plus-module.pp -m {{ nginx_tempdir }}/nginx-plus-module.mod"
args:
creates: "{{ nginx_tempdir }}/nginx-plus-module.pp"
changed_when: false
- name: "(Setup: SELinux) Import NGINX Plus Module"
command: "semodule -i {{ nginx_tempdir }}/nginx-plus-module.pp" # noqa 503
changed_when: false
when: nginx_selinux_module.changed
- name: "(Setup: SELinux) Enforce SELinux"
selinux:
state: enforcing
policy: targeted
changed_when: false
when:
- nginx_selinux_enforcing
- ansible_selinux.mode == "permissive"