Merge pull request #5 from magicalyak/selinux

Selinux Enable

Author: aknot242

.gitignore

@@ -1 +1,38 @@
-.vscode/settings.json
+# OSX leaves these everywhere on SMB shares
+._*
+
+# OSX trash
+.DS_Store
+
+# Eclipse files
+.classpath
+.project
+.settings/**
+
+# Emacs save files
+*~
+\#*\#
+.\#*
+
+# Vim-related files
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+
+# NGINX Plus license files
+*.crt
+*.key
+
+# Visual Studio Code settings
+.vscode
+
+# Default certificate and key
+default.pem
+
+# IntelliJ IDEA
+.idea
+
+# Scratch Directory
+scratch/

defaults/main.yml

@@ -84,3 +84,6 @@ log_policy_syslog_target: 127.0.0.1:514
 
 nginx_demo_workload_protocol: http://
 nginx_demo_workload_host: 10.1.1.1:8080
+
+# Enable enforcing selinux (you may need to open ports on your own)
+nginx_selinux: false

tasks/prerequisites/setup-centos.yml

@@ -4,11 +4,6 @@
     name: ca-certificates, epel-release
     state: present
 
-# TODO: make this surgical rather than disabling SELinux globally
-- name: Disable SELinux
-  selinux:
-    state: disabled
-  when:
-    - ansible_selinux is defined
-    - ansible_selinux != false
-    - ansible_selinux.status == 'enabled'
+- name: "(Install: CentOS) Setup SELinux"
+  import_tasks: setup-selinux.yml
+  when: nginx_selinux

tasks/prerequisites/setup-selinux.yml

@@ -0,0 +1,104 @@
+---
+- name: "(Install: SELinux) Install Required CentOS Dependencies"
+  package:
+    name: policycoreutils-python, setools
+    state: present
+
+- name: "(Install: SELinux) Permissive SELinux"
+  selinux:
+    state: permissive
+    policy: targeted
+  when: nginx_selinux
+
+- name: "(Install: SELinux: Booleans) Allow HTTP network connection"
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Booleans) Allow HTTP relay connection"
+  seboolean:
+    name: httpd_can_network_relay
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Booleans) Allow HTTP mod auth pam"
+  seboolean:
+    name: httpd_mod_auth_pam
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Booleans) enable NIS"
+  seboolean:
+    name: nis_enabled
+    state: yes
+    persistent: yes
+
+- name: "(Install: SELinux: Contexts) App Protect Logs"
+  sefcontext:
+    target: '/var/log/app_protect(/.*)?'
+    setype: httpd_log_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Opt"
+  sefcontext:
+    target: '/opt/app_protect(/.*)?'
+    setype: httpd_var_run_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Pipe"
+  sefcontext:
+    target: '/opt/app_protect/pipe(/.*)?'
+    setype: httpd_initrc_exec_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Config"
+  sefcontext:
+    target: '/opt/app_protect/config(/.*)?'
+    setype: httpd_config_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect bin"
+  sefcontext:
+    target: '/opt/app_protect/bin(/.*)?'
+    setype: httpd_exec_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect lock"
+  sefcontext:
+    target: '/opt/app_protect/lock(/.*)?'
+    setype: httpd_lock_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Temp"
+  sefcontext:
+    target: '/opt/app_protect/temp(/.*)?'
+    setype: httpd_tmp_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) App Protect Tmp"
+  sefcontext:
+    target: '/opt/app_protect/tmp(/.*)?'
+    setype: httpd_tmp_t
+    state: present
+
+- name: "(Install: SELinux: Contexts) Apply contexts to opt"
+  command: restorecon -iRv /opt/app_protect
+
+- name: "(Install: SELinux: Contexts) Apply contexts to log"
+  command: restorecon -iRv /var/log/app_protect
+
+- name: "(Install: SELinux: Custom) Generate policy"
+  shell:
+    cmd: cat /var/log/audit/audit.log | audit2allow -M local
+    chdir: /tmp/
+  args:
+    executable: /bin/bash
+
+- name: "(Install: SELinux: Custom) Apply local policy"
+  command: semodule -i /tmp/local.pp
+
+- name: "(Install: SELinux) Enforce SELinux"
+  selinux:
+    state: enforcing
+    policy: targeted