authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/selinux_policy
initial commit
Diffstat (limited to 'roles/selinux_policy')
-rw-r--r--roles/selinux_policy/tasks/main.yml44
-rw-r--r--roles/selinux_policy/vars/main.yml1
2 files changed, 45 insertions, 0 deletions
diff --git a/roles/selinux_policy/tasks/main.yml b/roles/selinux_policy/tasks/main.yml
new file mode 100644
index 0000000..0ec008b
--- /dev/null
+++ b/roles/selinux_policy/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: create custom SELinux module directory
+ file:
+ path: '{{ selinux_policy_custom_dir }}'
+ state: directory
+
+- name: create SELinux type-enforcement file
+ copy:
+ content: |
+ module {{ selinux_policy_name }} {{ selinux_policy_version | default('1.0') }};
+
+ {{ selinux_policy_te }}
+ dest: '{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}.te'
+ register: selinux_te_file
+
+- name: check if SELinux policy is loaded
+ shell: semodule -l | grep -q {{ selinux_policy_name }}
+ changed_when: false
+ failed_when: false
+ register: se_policy_loaded
+
+- name: compile and load SELinux module
+ block:
+ - name: unload SELinux module
+ command: semodule -r {{ selinux_policy_name }}
+ when: se_policy_loaded.rc == 0
+
+ - name: compile SELinux module
+ command: checkmodule -M -m -o {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.mod {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.te
+
+ - name: build SELinux policy package
+ command: semodule_package -o {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.pp -m {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.mod
+
+ - name: load SELinux module
+ command: semodule -i {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.pp
+
+ - name: clean up build artifacts
+ file:
+ path: '{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}.{{ item }}'
+ state: absent
+ loop:
+ - mod
+ - pp
+
+ when: selinux_te_file.changed or se_policy_loaded.rc != 0
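Review bot: The "check if SELinux policy is loaded" task interpolates `selinux_policy_name` unquoted into a shell pipeline and uses an unanchored `grep -q`, so a module whose name merely contains the requested name as a substring is reported as loaded (and the later `semodule -r` then fails), and a name holding shell metacharacters changes the command itself. Matching the exact first column makes the check reliable on both old (name + version) and new `semodule -l` output formats: `shell: semodule -l | awk '{print $1}' | grep -qxF {{ selinux_policy_name | quote }}`. The `command:` tasks in the block interpolate the same variable without `| quote`; `command` does not go through a shell, but a value with whitespace still splits into extra arguments, so quoting it there is cheap consistency. `semodule`, `checkmodule` and writing under `/etc/selinux` presumably need root; if the role relies on play-level `become`, a short comment at the top of the file saying so would help anyone including it standalone, as would stating that `selinux_policy_name` and `selinux_policy_te` are required inputs with no default.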
diff --git a/roles/selinux_policy/vars/main.yml b/roles/selinux_policy/vars/main.yml
new file mode 100644
index 0000000..d6c8c33
--- /dev/null
+++ b/roles/selinux_policy/vars/main.yml
@@ -0,0 +1 @@
+selinux_policy_custom_dir: /etc/selinux/custom