Add support for enabling SELinux on RHEL based systems (#180)

Author: alessfg

CHANGELOG.md

@@ -11,7 +11,8 @@ BREAKING CHANGES:
 
 FEATURES:
 
-Rename all modules to use the fully qualified collection name (FQCN) per Ansible guidelines.
+* Add support for enabling SELinux on RHEL based systems, and tweak it by default when installing NGINX App Protect DoS to avoid SELinux misconfiguration issues.
+* Rename all modules to use the fully qualified collection name (FQCN) per Ansible guidelines.
 
 ENHANCEMENTS:
 

README.md

@@ -27,11 +27,11 @@ If you wish to install NGINX App Protect WAF or NGINX App Protect DoS using this
     ---
     collections:
       - name: community.general
-        version: 4.4.0
+        version: 4.6.0
       - name: ansible.posix
         version: 1.3.0
       - name: community.docker  # Only required if you plan to use Molecule (see below)
-        version: 2.1.1
+        version: 2.2.1
     ```
 
     **Note:** You can alternatively install the Ansible community distribution (what is known as the "old" Ansible) if you don't want to manage individual collections.

defaults/main.yml

@@ -110,3 +110,32 @@ nginx_app_protect_log_policy_file_enable: false
 nginx_app_protect_log_policy_file:
   - src: files/config/log-policy.json
     dest: /etc/app_protect/conf/log-policy.json
+
+# Set SELinux enforcing for NGINX (CentOS/Red Hat only) - you may need to open ports on your own
+nginx_app_protect_selinux: false
+
+# Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
+nginx_app_protect_selinux_enforcing: true
+
+# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
+# nginx_app_protect_selinux_tcp_ports:
+#   - 80
+#   - 443
+
+# List of TCP ports to add to syslog_port_t type (80 and 443 have this type already)
+# nginx_app_protect_selinux_syslog_tcp_ports:
+#   - 1514
+#   - 5144
+
+# List of UDP ports to add to http_port_t type
+# nginx_app_protect_selinux_udp_ports:
+#   - 80
+#   - 443
+
+# List of UDP ports to add to syslog_port_t type
+# nginx_app_protect_selinux_syslog_udp_ports:
+#   - 1514
+#   - 5144
+
+# Temporary directory to hold selinux modules
+nginx_app_protect_selinux_tempdir: /tmp

molecule/advanced/converge.yml

@@ -10,6 +10,6 @@
           certificate: license/nginx-repo.crt
           key: license/nginx-repo.key
         nginx_app_protect_remove_license: false
-        nginx_app_protect_install_signatures: true
-        nginx_app_protect_install_threat_campaigns: true
+        nginx_app_protect_waf_install_signatures: true
+        nginx_app_protect_waf_install_threat_campaigns: true
         nginx_app_protect_timeout: 180

molecule/default/converge.yml

@@ -28,8 +28,8 @@
           key: license/nginx-repo.key
         nginx_app_protect_use_rhel_subscription_repos: "{{ rhel_subscription }}"
         nginx_app_protect_remove_license: false
-        nginx_app_protect_install_signatures: true
-        nginx_app_protect_install_threat_campaigns: true
+        nginx_app_protect_waf_install_signatures: true
+        nginx_app_protect_waf_install_threat_campaigns: true
         nginx_app_protect_configure: true
         nginx_app_protect_security_policy_file_enable: true
         nginx_app_protect_security_policy_file:

tasks/common/install/service-modification.yml

@@ -9,7 +9,7 @@
 
     - name: Increase timeout for NGINX Plus service
       ansible.builtin.template:
-        src: nginx.service.override.conf.j2
+        src: services/nginx.service.override.conf.j2
         dest: /etc/systemd/system/nginx.service.d/override.conf
         owner: root
         group: root

tasks/common/prerequisites/install-dependencies.yml

@@ -17,7 +17,7 @@
     - name: (Amazon Linux/CentOS/RHEL) Import EPEL GPG key
       ansible.builtin.rpm_key:
         state: present
-        key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ((ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version)) }}
+        key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version) }}
 
     - name: (Amazon Linux/CentOS/RHEL) Install package dependencies
       ansible.builtin.yum:
@@ -55,6 +55,11 @@
         - not nginx_app_protect_use_rhel_subscription_repos | bool
         - nginx_app_protect_dos_enable | bool
 
+    - name: (RHEL) Enable RHEL subscription manager repos management
+      ansible.builtin.command: "subscription-manager config --rhsm.manage_repos=1"
+      changed_when: false
+      when: nginx_app_protect_use_rhel_subscription_repos | bool
+
     - name: (RHEL 7) Set up RHEL dependencies from RHEL official repositories
       community.general.rhsm_repository:
         name:

tasks/common/prerequisites/prerequisites.yml

@@ -0,0 +1,19 @@
+---
+- name: Install dependencies
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/install-dependencies.yml"
+
+- name: Set up SELinux
+  block:
+    - name: Check if SELinux is enabled
+      ansible.builtin.debug:
+        msg: You need to enable SELinux, if it was disabled you need to reboot
+      when: ansible_facts['selinux'] is undefined
+
+    - name: Configure SELinux
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/setup-selinux.yml"
+      when: ansible_facts['selinux']['mode'] is defined
+  when:
+    - nginx_app_protect_selinux | bool or (nginx_app_protect_dos_enable | bool and nginx_app_protect_dos_setup == "install")
+    - "'selinux' in ansible_facts"
+    - ansible_facts['os_family'] in ['RedHat', 'Suse']
+    - ansible_facts['distribution'] not in ['Amazon', 'OracleLinux']

tasks/common/prerequisites/setup-selinux.yml

@@ -0,0 +1,84 @@
+---
+- name: (CentOS/RHEL) Install dependencies
+  ansible.builtin.yum:
+    name:
+      - libselinux-utils
+      - policycoreutils
+      - selinux-policy-targeted
+  when: ansible_facts['os_family'] == "RedHat"
+
+- name: Set SELinux mode to permissive
+  ansible.posix.selinux:
+    state: permissive
+    policy: targeted
+
+- name: Allow SELinux HTTP network connections
+  ansible.posix.seboolean:
+    name: "{{ item }}"
+    state: true
+    persistent: true
+  loop:
+    - httpd_can_network_connect
+    - httpd_can_network_relay
+
+- name: Allow SELinux TCP HTTP connections on specific ports
+  community.general.seport:
+    ports: "{{ nginx_app_protect_selinux_tcp_ports }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  when: nginx_app_protect_selinux_tcp_ports is defined
+
+- name: Allow SELinux TCP Syslog connections on specific ports
+  community.general.seport:
+    ports: "{{ nginx_app_protect_selinux_syslog_tcp_ports }}"
+    proto: tcp
+    setype: syslogd_port_t
+    state: present
+  when: nginx_app_protect_selinux_syslog_tcp_ports is defined
+
+- name: Allow SELinux UDP HTTP connections on specific ports
+  community.general.seport:
+    ports: "{{ nginx_app_protect_selinux_udp_ports }}"
+    proto: udp
+    setype: http_port_t
+    state: present
+  when: nginx_app_protect_selinux_udp_ports is defined
+
+- name: Allow SELinux TCP Syslog connections on specific ports
+  community.general.seport:
+    ports: "{{ nginx_app_protect_selinux_syslog_tcp_ports }}"
+    proto: udp
+    setype: syslogd_port_t
+    state: present
+  when: nginx_app_protect_selinux_syslog_udp_ports is defined
+
+- name: Create SELinux NGINX App Protect module
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/selinux/nginx-app-protect-module.te.j2"
+    dest: "{{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.te"
+    mode: 0644
+  register: nginx_app_protect_selinux_module
+
+- name: Check SELinux NGINX App Protect module
+  ansible.builtin.command: "checkmodule -M -m -o {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.mod {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.te"
+  args:
+    creates: "{{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.mod"
+  changed_when: false
+
+- name: Compile SELinux NGINX App Protect module
+  ansible.builtin.command: "semodule_package -o {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp -m {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.mod"
+  args:
+    creates: "{{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp"
+  changed_when: false
+
+- name: Import SELinux NGINX App Protect module
+  ansible.builtin.command: "semodule -i {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp"  # noqa no-handler
+  changed_when: false
+  when: nginx_app_protect_selinux_module.changed | bool
+
+- name: Set SELinux mode to enforcing
+  ansible.posix.selinux:
+    state: enforcing
+    policy: targeted
+  when: nginx_app_protect_selinux_enforcing | bool

tasks/main.yml

@@ -25,7 +25,7 @@
   when: nginx_app_protect_log_policy_file_enable | bool
 
 - name: Install prerequisites
-  ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/install-dependencies.yml"
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/common/prerequisites/prerequisites.yml"
   when: nginx_app_protect_waf_enable | bool
         or nginx_app_protect_dos_enable | bool
   tags: nginx_app_protect_prerequisites