Streamline configuring SELinux (#239)

Author: alessfg

CHANGELOG.md

@@ -11,6 +11,7 @@ ENHANCEMENTS:
 * Bump the Ansible `community.general` collection to `4.6.1` and `community.docker` collection to `2.2.1`.
 * Add labels to loops in `tasks/config/template-config.yml` to reduce amount of output data.
 * Add the `map` and `split_clients` directives into the `http` core template.
+* Streamline configuring SELinux.
 
 BUG FIXES:
 

defaults/main/selinux.yml

@@ -1,12 +1,15 @@
 ---
 # Set SELinux enforcing for NGINX (Centos/Redhat only) - you may need to open ports on your own
 nginx_config_selinux: false
+
 # Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_config_selinux: true)
 nginx_config_selinux_enforcing: true
+
 # List of TCP ports to add to http_port_t type (80 and 443 have this type already)
 # nginx_config_selinux_tcp_ports:
 #   - 80
 #   - 443
+
 # List of UDP ports to add to http_port_t type
 # nginx_config_selinux_udp_ports:
 #   - 80

tasks/prerequisites/setup-selinux.yml

@@ -1,20 +1,10 @@
 ---
 - name: (CentOS/RHEL) Install dependencies
-  block:
-    - name: (CentOS/RHEL 6/7) Install dependencies
-      ansible.builtin.yum:
-        name:
-          - policycoreutils-python
-          - setools
-      when: ansible_facts['distribution_major_version'] is version('8', '!=')
-
-    - name: (CentOS/RHEL 8) Install dependencies
-      ansible.builtin.yum:
-        name:
-          - libselinux-utils
-          - policycoreutils
-          - selinux-policy-targeted
-      when: ansible_facts['distribution_major_version'] is version('8', '==')
+  ansible.builtin.yum:
+    name:
+      - libselinux-utils
+      - policycoreutils
+      - selinux-policy-targeted
   when: ansible_facts['os_family'] == "RedHat"
 
 - name: Set SELinux mode to permissive
@@ -25,42 +15,39 @@
 
 - name: Allow SELinux HTTP network connections
   ansible.posix.seboolean:
-    name: httpd_can_network_connect
-    state: true
-    persistent: true
-
-- name: Allow SELinux HTTP network connections
-  ansible.posix.seboolean:
-    name: httpd_can_network_relay
+    name: "{{ item }}"
     state: true
     persistent: true
+  loop:
+    - httpd_can_network_connect
+    - httpd_can_network_relay
 
 - name: Allow SELinux TCP connections on status ports
-  community.general.selinux:
+  community.general.seport:
     ports: "{{ nginx_config_status_port }}"
     proto: tcp
     setype: http_port_t
     state: present
   when: nginx_config_status_port is defined
 
 - name: Allow SELinux TCP connections on Rest API ports
-  community.general.selinux:
+  community.general.seport:
     ports: "{{ nginx_config_rest_api_port }}"
     proto: tcp
     setype: http_port_t
     state: present
   when: nginx_config_rest_api_port is defined
 
 - name: Allow SELinux TCP connections on specific ports
-  community.general.selinux:
+  community.general.seport:
     ports: "{{ nginx_config_selinux_tcp_ports }}"
     proto: tcp
     setype: http_port_t
     state: present
   when: nginx_config_selinux_tcp_ports is defined
 
 - name: Allow SELinux UDP connections on specific ports
-  community.general.selinux:
+  community.general.seport:
     ports: "{{ nginx_config_selinux_udp_ports }}"
     proto: udp
     setype: http_port_t