---
# SELinux setup tasks for LME - run early to ensure proper file labeling
- name: Load SELinux facts
  # Pulls in variables this file reads but never defines itself. selinux_active,
  # which gates every semodule step below, is expected to come from here --
  # NOTE(review): confirm selinux_vars.yml actually sets it, otherwise the
  # compile/load/verify tasks are skipped on every host.
  import_tasks: selinux_vars.yml
# Probe for the SELinux userspace. `which` only reports whether getenforce is on
# PATH (presumably run under become so that sbin directories are searched --
# confirm against the sudo secure_path in use); whether SELinux is actually
# enabled is decided by the getenforce call that follows.
- name: Detect if SELinux tooling is available
  become: true
  command: which getenforce
  register: selinux_tooling
  changed_when: false
  failed_when: false

# Every later task keys off this single boolean: a missing getenforce binary
# silently disables the whole SELinux setup instead of failing the play.
- name: Set SELinux availability fact
  set_fact:
    selinux_available: "{{ (selinux_tooling.rc | int) == 0 }}"
- name: Get current SELinux mode
  become: true
  command: getenforce
  register: getenforce_out
  changed_when: false
  failed_when: false
  when: selinux_available | default(false)

# Snapshot of the mode before any module is installed. Only 'Enforcing' yields
# true; Permissive, Disabled and "tooling absent" all yield false. Not read
# anywhere in this file -- presumably consumed by later roles.
- name: Remember if SELinux was enforcing
  set_fact:
    selinux_was_enforcing: >-
      {{ (selinux_available | default(false))
      and ((getenforce_out.stdout | default('') | trim) == 'Enforcing') }}
# Diagnostic only; printed when the caller sets debug_mode.
- name: Display SELinux status
  when: debug_mode | default(false) | bool
  debug:
    msg: |
      SELinux Status:
      - Available: {{ selinux_available | default(false) }}
      - Current mode: {{ getenforce_out.stdout | default('N/A') }}
      - Was enforcing: {{ selinux_was_enforcing | default(false) }}
# Install SELinux policy tools early
# Userspace needed to compile (checkpolicy), package and load (policycoreutils*)
# a module under the targeted policy. container-selinux is presumably required
# because lme_policy.te (not shown here) references container types.
# NOTE(review): package names are the EL8+/Fedora ones; older releases ship
# policycoreutils-python rather than policycoreutils-python-utils.
- name: Ensure SELinux policy tools are present
  become: true
  when: (selinux_available | default(false)) and not (offline_mode | default(false))
  package:
    state: present
    name:
      - policycoreutils
      - policycoreutils-python-utils
      - checkpolicy
      - selinux-policy
      - selinux-policy-targeted
      - libselinux-utils
      - container-selinux
# Offline hosts get no package install; the compile step below will fail loudly
# if checkmodule/semodule_package are in fact missing.
- name: Skip SELinux policy tools installation in offline mode
  when: (selinux_available | default(false)) and (offline_mode | default(false))
  debug:
    msg: "Offline mode enabled - skipping SELinux policy tools installation (should be pre-installed)"
# Working directory for the policy sources and compiled packages. Root-owned
# and root-writable only; world-readable is fine since nothing here is secret.
- name: Ensure SELinux policy directory exists
  become: true
  when: selinux_available | default(false)
  file:
    path: /etc/selinux/lme
    state: directory
    owner: root
    group: root
    mode: '0755'
# Deploy unified LME SELinux policy (container + nix/podman contexts)
# Type-enforcement source for the unified policy (container + nix/podman
# contexts). Its registered result is one of the two triggers for the
# recompile further down.
- name: Deploy LME unified SELinux policy
  become: true
  when: selinux_available | default(false)
  register: selinux_policy_deployed
  copy:
    src: selinux/lme_policy.te
    dest: /etc/selinux/lme/lme_policy.te
    owner: root
    group: root
    mode: '0644'
# File-context definitions that accompany the .te; a change here also triggers
# the recompile.
- name: Deploy LME SELinux file contexts
  become: true
  when: selinux_available | default(false)
  register: selinux_fc_deployed
  copy:
    src: selinux/lme_policy.fc
    dest: /etc/selinux/lme/lme_policy.fc
    owner: root
    group: root
    mode: '0644'
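# Build lme_policy.pp (with file contexts) or, if packaging the .fc fails,
# lme_policy_no_fc.pp. Previous build artefacts are removed first: the load
# task prefers lme_policy.pp, so a stale one left over from an earlier run
# would otherwise be installed instead of the package produced here.
# NOTE(review): a failed compile leaves no .pp behind and, because this task
# only runs when the .te/.fc copies changed, is not retried on the next run.
- name: Compile SELinux module (lme_policy)
  shell: |
    set -euo pipefail
    cd /etc/selinux/lme
    rm -f lme_policy.mod lme_policy.pp lme_policy_no_fc.pp
    checkmodule -M -m -o lme_policy.mod lme_policy.te
    # Try to include file contexts; if that fails, build a package without them
    if ! semodule_package -o lme_policy.pp -m lme_policy.mod -f lme_policy.fc; then
      echo "Warning: building SELinux module without file contexts" >&2
      rm -f lme_policy.pp
      semodule_package -o lme_policy_no_fc.pp -m lme_policy.mod
    fi
  args:
    executable: /bin/bash
  become: true
  register: selinux_compile
  when:
    - selinux_available | default(false)
    - selinux_active | default(false)
    - selinux_policy_deployed.changed or selinux_fc_deployed.changed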
# Dumps the full compile result (rc, stdout, stderr) when debugging.
- name: Debug SELinux compile result
  when: (debug_mode | default(false) | bool) and (selinux_compile is defined)
  debug:
    var: selinux_compile
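# grep's exit status is the signal the load task consumes: rc 0 = module is
# listed, rc 1 = absent. Do not append `|| true` here -- it would force rc to 0
# and the "module missing, load it" branch below could never fire.
# failed_when: false is what keeps a miss from failing the play.
- name: Check if SELinux module already present (pre-load)
  shell: semodule -l | grep -E "^lme_policy(\\s|$)"
  args:
    executable: /bin/bash
  register: lme_policy_present_pre
  changed_when: false
  failed_when: false
  become: true
  when:
    - selinux_available | default(false)
    - selinux_active | default(false)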
# Install whichever package the compile step produced, preferring the one that
# carries file contexts. Runs after a fresh compile, or when the pre-load check
# reported the module absent (rc != 0).
- name: Load SELinux module (lme_policy)
  become: true
  register: semodule_load
  changed_when: semodule_load.rc == 0
  when:
    - selinux_available | default(false)
    - selinux_active | default(false)
    - selinux_compile.changed | default(false) or (lme_policy_present_pre.rc | default(1)) != 0
  shell: |
    set -e
    cd /etc/selinux/lme
    # Preferred package: with file contexts.
    if [ -f lme_policy.pp ] && semodule -i lme_policy.pp; then
      exit 0
    fi
    # Fallback: package built without file contexts.
    [ -f lme_policy_no_fc.pp ] || { echo "No module package found to install" >&2; exit 1; }
    semodule -i lme_policy_no_fc.pp
  args:
    executable: /bin/bash
# Re-enables the module if an operator had disabled it (semodule -d). Not
# idempotent in Ansible terms: there is no changed_when, so it reports changed
# on every run; what semodule does when the module is absent is up to semodule.
- name: Ensure SELinux module enabled (lme_policy)
  become: true
  when: (selinux_available | default(false)) and (selinux_active | default(false))
  command: semodule -e lme_policy
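# Post-load verification. Same contract as the pre-load check: grep's rc is the
# signal (0 = listed, 1 = absent) and the matching line is left in stdout. Do
# not append `|| true` -- it forces rc to 0 and turns the assert that follows
# into a no-op.
- name: Verify SELinux module loaded
  shell: semodule -l | grep -E "^lme_policy(\\s|$)"
  args:
    executable: /bin/bash
  register: lme_policy_present
  changed_when: false
  failed_when: false
  become: true
  when:
    - selinux_available | default(false)
    - selinux_active | default(false)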
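# Hard gate: on a host where SELinux is not Disabled the module must be
# installed. The skipped check turns the "verify task never ran" case (this
# task is gated on getenforce, the verify task on selinux_active) into a clear
# assertion failure instead of an undefined-attribute error, and the stdout
# check keeps the assertion meaningful even if the verify grep were wrapped in
# `|| true`, which would force rc to 0.
- name: Assert LME policy module present
  assert:
    that:
      - lme_policy_present is not skipped
      - lme_policy_present.rc == 0
      - (lme_policy_present.stdout | default('') | trim) | length > 0
    fail_msg: "lme_policy module not loaded"
  when:
    - selinux_available | default(false)
    - (getenforce_out.stdout | default('') | trim) != 'Disabled'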
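# Diagnostic only. rc is defaulted so the message still renders as "No" when the
# verify task was skipped (e.g. selinux_active unset) rather than raising an
# undefined-attribute error.
- name: Display SELinux module status
  debug:
    msg: |
      SELinux Module Status:
      - LME policy loaded: {{ 'Yes' if (lme_policy_present.rc | default(1)) == 0 else 'No' }}
      - Ready for Nix/Podman installation with proper contexts
  when:
    - debug_mode | default(false) | bool
    - selinux_available | default(false)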