Merge pull request #8 from magicalyak/selinux

Selinux Upgrades

Author: aknot242

defaults/main.yml

@@ -15,6 +15,9 @@ app_protect_state: present
 # Enable enforcing selinux (you may need to open ports on your own)
 app_protect_selinux: false
 
+# Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with app_protect_selinux: true)
+app_protect_selinux_enforcing: true
+
 # The installation of NGINX App Protect includes a base signature set, which may be out of date. 
 # This option installs the latest NGINX App Protect signatures.
 app_protect_install_signatures: true
@@ -29,6 +32,12 @@ app_protect_delete_license: true
 # Default is true.
 nginx_start: true
 
+# Increase NGINX service timeout to accomdate ruleset loading from default 90s
+nginx_timeout: 180
+
+# App Protect Temporary Directory to use (Default: /tmp)
+app_protect_tempdir: /tmp
+
 # Choose where to fetch the NGINX App Protect signing key from.
 # Default is the official NGINX App Protect signing key host.
 # app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key

handlers/main.yml

@@ -1,5 +1,9 @@
 ---
 # handlers file for ansible-role-nginx-app-protect
+- name: "(Handler: All OSs) Check NGINX"
+  command: "nginx -t"
+  changed_when: false
+
 - name: "(Handler: All OSs) Run NGINX"
   block:
 
@@ -8,11 +12,13 @@
         name: nginx
         state: started
         enabled: true
+      notify: "(Handler: All OSs) Check NGINX"
 
     - name: "(Handler: All OSs) Restart NGINX"
       service:
         name: nginx
         state: restarted
+      changed_when: false
 
   when:
     - nginx_start | bool

molecule/default/converge.yml

@@ -13,7 +13,7 @@
     log_policy_syslog_target: 10.1.10.105:5144
     nginx_demo_workload_protocol: http://
     nginx_demo_workload_host: 10.1.10.105:8080
-    nginx_license: 
+    nginx_license:
       certificate: "./license/nginx-repo.crt"
       key: "./license/nginx-repo.key"
 

tasks/configure-app-protect.yml

@@ -11,6 +11,7 @@
     dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}.orig"
     remote_src: true
   when: nginx_conf_template_enable
+  changed_when: false
 
 - name: "Dynamically Generate NGINX App Protect security policy file"
   template:
@@ -56,4 +57,4 @@
   debug:
     msg: "trigger nginx reload if needed"
   notify: "(Handler: All OSs) Restart NGINX"
-  changed_when: app_protect_security_policy_template_enable or app_protect_log_policy_template_enable or nginx_conf_template_enable
+  when: app_protect_security_policy_template_enable or app_protect_log_policy_template_enable or nginx_conf_template_enable

tasks/prerequisites/setup-selinux.yml renamed to tasks/configure-selinux.yml

@@ -4,11 +4,17 @@
     name: policycoreutils-python, setools
     state: present
 
+- name: "(Install: SELinux) Check for SELinux enabled"
+  debug:
+    msg: "You need to enable selinux, if it was disabled you need to reboot"
+  when: ansible_selinux is undefined
+
 - name: "(Install: SELinux) Permissive SELinux"
   selinux:
     state: permissive
     policy: targeted
-  when: app_protect_selinux
+  changed_when: false
+  when: ansible_selinux.mode == "enforcing"
 
 - name: "(Install: SELinux: Booleans) Allow HTTP network connection"
   seboolean:
@@ -84,21 +90,46 @@
 
 - name: "(Install: SELinux: Contexts) Apply contexts to opt"
   command: restorecon -iRv /opt/app_protect
-
+  changed_when: false
+
+- name: "(Install: SELinux: Contexts) Apply permissions to opt/config"
+  file:
+    path: /opt/app_protect/config
+    owner: nginx
+    group: nginx
+    mode: u=rwx,go=rx,g+s
+    state: directory
+  
 - name: "(Install: SELinux: Contexts) Apply contexts to log"
   command: restorecon -iRv /var/log/app_protect
+  changed_when: false
+
+- name: "(Install: SELinux: Module) Create NGINX Plus App Protect Module"
+  template:
+    src: nginx-plus-module-appprotect.te.j2
+    dest: "{{ app_protect_tempdir }}/nginx-plus-module-appprotect.te"
+  register: app_protect_module
+
+- name: "(Install: SELinux: Module) Check NGINX Plus App Protect Module"
+  command: "checkmodule -M -m -o {{ app_protect_tempdir }}/nginx-plus-module-appprotect.mod {{ app_protect_tempdir }}/nginx-plus-module-appprotect.te"
+  args:
+    creates: "{{ app_protect_tempdir }}/nginx-plus-module-appprotect.mod"
+  changed_when: false
 
-- name: "(Install: SELinux: Custom) Generate policy"
-  shell:
-    cmd: cat /var/log/audit/audit.log | audit2allow -M local
-    chdir: /tmp/
+- name: "(Install: SELinux: Module) Compile NGINX Plus App Protect Module"
+  command: "semodule_package -o {{ app_protect_tempdir }}/nginx-plus-module-appprotect.pp -m {{ app_protect_tempdir }}/nginx-plus-module-appprotect.mod"
   args:
-    executable: /bin/bash
+    creates: "{{ app_protect_tempdir }}/nginx-plus-module-appprotect.pp"
+  changed_when: false
 
-- name: "(Install: SELinux: Custom) Apply local policy"
-  command: semodule -i /tmp/local.pp
+- name: "(Install: SELinux: Module) Import NGINX Plus App Protect Module"  # noqa 503
+  command: "semodule -i {{ app_protect_tempdir }}/nginx-plus-module-appprotect.pp"
+  changed_when: false
+  when: app_protect_module.changed
 
 - name: "(Install: SELinux) Enforce SELinux"
   selinux:
     state: enforcing
     policy: targeted
+  changed_when: false
+  when: app_protect_selinux_enforcing and ansible_selinux.mode == "permissive"

tasks/install-app-protect.yml

@@ -21,5 +21,21 @@
     success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     quiet: true
 
+- name: "(Install: Linux) Create override for NGINX Plus service"
+  file:
+    path: /etc/systemd/system/nginx.service.d
+    state: directory
+    mode: '0755'
+  when: nginx_timeout is defined
+
+- name: "(Install: Linux) Increase timeout for NGINX Plus Service"
+  template:
+    src: nginx.service.override.conf.j2
+    dest: /etc/systemd/system/nginx.service.d/override.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: nginx_timeout is defined
+
 - name: "(Install: Linux) Install NGINX Plus"
   import_tasks: install-app-protect-linux.yml

tasks/main.yml

@@ -34,7 +34,7 @@
 - name: "Install NGINX App Protect"
   block:
 
-    - include_tasks: prerequisites/install-prerequisites.yml
+    - import_tasks: "prerequisites/install-prerequisites.yml"
       tags: nginx_prerequisites
 
     - import_tasks: keys/apt-key.yml
@@ -72,6 +72,12 @@
 
   when: app_protect_state != "absent"
 
+- name: "(Install: CentOS) Setup SELinux"
+  include_tasks: "{{ role_path }}/tasks/configure-selinux.yml"
+  when: 
+    - app_protect_selinux
+    - ansible_os_family == "RedHat"
+
 - name: "Remove NGINX App Protect"
   block:
 

tasks/prerequisites/setup-centos.yml

@@ -3,7 +3,3 @@
   package:
     name: ca-certificates, epel-release
     state: present
-
-- name: "(Install: CentOS) Setup SELinux"
-  import_tasks: setup-selinux.yml
-  when: app_protect_selinux

templates/nginx-plus-module-appprotect.te.j2

@@ -0,0 +1,73 @@
+module nginx-plus-module-appprotect 1.0;
+
+require {
+        type faillog_t;
+        type httpd_t;
+        type httpd_initrc_exec_t;
+        type httpd_log_t;
+        type http_cache_port_t;
+        type httpd_config_t;
+        type httpd_var_run_t;
+        type lastlog_t;
+        type initrc_t;
+        type usr_t;
+        type security_t;
+        type shadow_t;
+        type systemd_logind_t;
+        type systemd_logind_sessions_t;
+        type unreserved_port_t;
+        type var_log_t;
+        type var_run_t;
+        
+        class capability { audit_write net_admin };
+        class dbus send_msg;
+        class dir { add_name create remove_name write }; 
+        class fifo_file { getattr ioctl open read write };
+        class file { create execute getattr read rename open setattr unlink write};
+        class netlink_selinux_socket { create bind };
+        class netlink_audit_socket { create nlmsg_relay read write };
+        class passwd passwd;
+        class security compute_av;
+        class sock_file write;
+        class tcp_socket name_connect;
+        class unix_stream_socket connectto;
+}
+
+#============= httpd_t ==============
+allow httpd_t httpd_log_t:file write;
+allow httpd_t httpd_config_t:file write;
+allow httpd_t http_cache_port_t:tcp_socket name_connect;
+allow httpd_t httpd_var_run_t:file execute;
+
+allow httpd_t httpd_initrc_exec_t:fifo_file { getattr ioctl open read write };
+
+allow httpd_t lastlog_t:file { open read write };
+
+allow httpd_t faillog_t:file { write read open };
+
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+allow httpd_t unreserved_port_t:tcp_socket name_connect;
+
+allow httpd_t usr_t:dir { add_name create remove_name write };
+allow httpd_t usr_t:file { create rename setattr unlink write };
+allow httpd_t usr_t:sock_file write;
+
+
+allow httpd_t security_t:security compute_av;
+
+allow httpd_t self:netlink_selinux_socket {create bind };
+allow httpd_t self:netlink_audit_socket { create nlmsg_relay read write };
+allow httpd_t self:passwd passwd;
+allow httpd_t self:capability { audit_write net_admin };
+
+allow httpd_t shadow_t:file { read write open getattr };
+
+allow httpd_t systemd_logind_sessions_t:fifo_file write;
+allow httpd_t systemd_logind_t:dbus send_msg;
+
+allow httpd_t var_log_t:file { open read };
+allow httpd_t var_run_t:file { read write };
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t httpd_t:dbus send_msg;

templates/nginx.service.override.conf.j2

@@ -0,0 +1,3 @@
+[Service]
+# Override default 90 second timeout
+TimeoutStopSec={{ nginx_timeout }}