LogDenial and Selinux

mpagot · mpagot · commit fd8bea69458b · 2025-12-11T17:24:57.000+01:00
diff --git a/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml b/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
@@ -7,6 +7,13 @@
     enabled: yes
   tags: sap_hana_install_configure_firewall
 
+- name: SAP HANA Post Install - Set LogDenied to all in firewalld.conf
+  ansible.builtin.lineinfile:
+    path: /etc/firewalld/firewalld.conf
+    regexp: '^LogDenied=off'
+    line: 'LogDenied=all'
+  tags: sap_hana_install_configure_firewall
+
 - name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --add-port'
   ansible.builtin.set_fact:
     __sap_hana_install_fact_firewall_cmd_args:
@@ -69,3 +76,16 @@
   ansible.builtin.debug:
     var: __sap_hana_install_register_permanent_firewall_ports.stdout_lines
   tags: sap_hana_install_configure_firewall
+
+- name: SAP HANA Post Install - Add SELinux port labels
+  # Note: The 'semanage port' command uses a dash '-' to define port ranges,
+  #       e.g., 'semanage port -a -t sap_port_t -p tcp 30000-30010'
+  ansible.builtin.command: "semanage port -a -t sap_port_t -p {{ item.split('/')[1] }} {{ item.split('/')[0] }}"
+  loop: "{{ sap_hana_install_firewall[0].port }}"
+  when: sap_hana_install_firewall[0].state == 'enabled'
+  register: __sap_hana_install_register_semanage_ports
+  changed_when: __sap_hana_install_register_semanage_ports.rc == 0
+  failed_when:
+    - __sap_hana_install_register_semanage_ports.rc != 0
+    - "'Port is already defined' not in __sap_hana_install_register_semanage_ports.stderr"
+  tags: sap_hana_install_configure_firewall
