From 1bcd77e306000ef300d5c32f2f6333237f52d0bd Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 19 Nov 2019 18:56:17 +0100 Subject: [PATCH] Give the option of managing some SELinux properties in the bootstrap tasks. --- library/centos/roles/basic-setup/defaults/main.yml | 5 +++++ library/centos/roles/basic-setup/tasks/main.yml | 12 +++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/library/centos/roles/basic-setup/defaults/main.yml b/library/centos/roles/basic-setup/defaults/main.yml index 0d9e6e88..968028d7 100644 --- a/library/centos/roles/basic-setup/defaults/main.yml +++ b/library/centos/roles/basic-setup/defaults/main.yml @@ -72,6 +72,11 @@ centos_hw_packages: - system-storage-manager centos_selinux_daemons_dump_core: False +selinux_policy_type: targeted +selinux_policy_state: enforcing +#selinux_booleans: +# - { name: '', state: '', persistent: no } +# - { name: '', state: '' } manage_root_ssh_keys: True diff --git a/library/centos/roles/basic-setup/tasks/main.yml b/library/centos/roles/basic-setup/tasks/main.yml index f4788d0f..8b4a35d8 100644 --- a/library/centos/roles/basic-setup/tasks/main.yml +++ b/library/centos/roles/basic-setup/tasks/main.yml @@ -112,7 +112,17 @@ - name: Configure selinux to permit core dumps by daemons seboolean: name=daemons_dump_core state=yes persistent=yes - when: centos_selinux_daemons_dump_core + when: centos_selinux_daemons_dump_core | bool + tags: [ 'centos', 'bootstrap', 'selinux' ] + +- name: Set other SELinux booleans. Optional + seboolean: name={{ item.name }} state={{ item.state }} persistent={{ item.persistent | default('yes') }} + with_items: '{{ selinux_booleans }}' + when: selinux_booleans is defined + tags: [ 'centos', 'bootstrap', 'selinux' ] + +- name: Set the SELinux global policy. Defaults to Enforcing + selinux: policy={{ selinux_policy_type }} state={{ selinux_policy_state }} tags: [ 'centos', 'bootstrap', 'selinux' ] - name: various pub ssh keys for users and apps