selinux enabled

Author: magicalyak

defaults/main.yml

@@ -87,3 +87,6 @@ log_policy_syslog_target: 127.0.0.1:514
 
 nginx_demo_workload_protocol: http://
 nginx_demo_workload_host: 10.1.1.1:8080
+
+# Enable enforcing selinux (you may need to open ports on your own)
+nginx_selinux: true

files/my-appprotect.te

@@ -0,0 +1,52 @@
+
+
+#============= audisp_t ==============
+
+#!!!! WARNING: 'unlabeled_t' is a base type.
+#!!!! The file '/etc/ld.so.cache' is mislabeled on your system.  
+#!!!! Fix with $ restorecon -R -v /etc/ld.so.cache
+allow audisp_t unlabeled_t:file { execute execute_no_trans getattr open };
+
+#============= httpd_t ==============
+allow httpd_t faillog_t:file { open read };
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t http_cache_port_t:tcp_socket name_connect;
+allow httpd_t httpd_config_t:file write;
+allow httpd_t httpd_initrc_exec_t:sock_file write;
+allow httpd_t httpd_log_t:file write;
+allow httpd_t httpd_sys_rw_content_t:fifo_file { getattr ioctl open read write };
+allow httpd_t httpd_var_run_t:fifo_file { getattr ioctl open read write };
+allow httpd_t httpd_var_run_t:file { execute execute_no_trans };
+
+#!!!! The file '/opt/app_protect/pipe/app_protect_plugin_socket' is mislabeled on your system.  
+#!!!! Fix with $ restorecon -R -v /opt/app_protect/pipe/app_protect_plugin_socket
+allow httpd_t initrc_t:unix_stream_socket connectto;
+allow httpd_t lastlog_t:file { open read write };
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t memcache_port_t:tcp_socket name_connect;
+allow httpd_t security_t:security compute_av;
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t self:capability audit_write;
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t self:netlink_audit_socket nlmsg_relay;
+allow httpd_t self:netlink_selinux_socket { bind create };
+allow httpd_t self:passwd passwd;
+allow httpd_t systemd_logind_t:dbus send_msg;
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t unreserved_port_t:tcp_socket { name_bind name_connect };
+allow httpd_t usr_t:dir { create rmdir };
+
+#!!!! WARNING: 'usr_t' is a base type.
+allow httpd_t usr_t:file { create rename setattr unlink write };
+
+#!!!! WARNING: 'usr_t' is a base type.
+allow httpd_t usr_t:sock_file write;
+allow httpd_t var_log_t:file { open read write };
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t httpd_t:dbus send_msg;

tasks/prerequisites/setup-centos.yml

@@ -4,7 +4,10 @@
     name: ca-certificates, epel-release
     state: present
 
-# TODO: make this surgical rather than disabling SELinux globally
-- name: Disable SELinux
+- name: "(Install: CentOS) Disable SELinux"
   selinux:
-    state: disabled
+    state: permissive
+
+- name: "(Install: CentOS) Setup SELinux"
+  import_tasks: setup-selinux.yml
+  when: nginx_selinux

tasks/prerequisites/setup-selinux.yml

@@ -0,0 +1,106 @@
+---
+- name: "(Install: SELinux) Install Required CentOS Dependencies"
+  package:
+    name: policycoreutils-python, setools
+    state: present
+
+- name: "(Install: SELinux: Booleans) Allow HTTP network connection"
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Booleans) Allow HTTP relay connection"
+  seboolean:
+    name: httpd_can_network_relay
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Booleans) Allow HTTP mod auth pam"
+  seboolean:
+    name: httpd_mod_auth_pam
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Booleans) enable NIS"
+  seboolean:
+    name: nis_enabled
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Contexts) App Protect Logs"
+  sefcontext:
+    target: '/var/log/app_protect(/.*)?'
+    setype: httpd_log_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Opt"
+  sefcontext:
+    target: '/opt/app_protect(/.*)?'
+    setype: httpd_var_run_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Pipe"
+  sefcontext:
+    target: '/opt/app_protect/pipe(/.*)?'
+    setype: httpd_initrc_exec_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Config"
+  sefcontext:
+    target: '/opt/app_protect/config(/.*)?'
+    setype: httpd_config_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect bin"
+  sefcontext:
+    target: '/opt/app_protect/bin(/.*)?'
+    setype: httpd_exec_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect lock"
+  sefcontext:
+    target: '/opt/app_protect/lock(/.*)?'
+    setype: httpd_lock_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Temp"
+  sefcontext:
+    target: '/opt/app_protect/temp(/.*)?'
+    setype: httpd_tmp_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Tmp"
+  sefcontext:
+    target: '/opt/app_protect/tmp(/.*)?'
+    setype: httpd_tmp_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) Apply contexts to opt"
+  command: restorecon -iRv /opt/app_protect
+
+- name: "(Install: SELinux: Contexts) Apply contexts to log"
+  command: restorecon -iRv /var/log/app_protect
+
+- name: "(Install: SELinux: Custom) Copy custom policy"
+  copy:
+    src: "{{ role_path }}/files/my-appprotect.te"
+    dest: /tmp/my-appprotect.te
+
+- name: "(Install: SELinux: Custom) Convert custom policy"
+  command: checkmodule -M -m -o /tmp/my-appprotect.mod /tmp/my-appprotect.te
+
+- name: "(Install: SELinux: Custom) Compile custom policy"
+  command: semodule_package -o /tmp/my-appprotect.pp -m /tmp/my-appprotect.mod
+
+- name: "(Install: SELinux: Custom) Apply custom policy"
+  command: semanage -i /tmp/my-appprotect.pp
+
+- name: "(Install: SELinux: Custom) Remove temporary files"
+  file:
+    path: /tmp/my-appprotect.*
+    state: absent
+
+- name: "(Install: SELinux) Enforce SELinux"
+  selinux:
+    state: enforcing