From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/selinux_policy/tasks/main.yml | 44 +++++++++++++++++++++++++++++++++++++
roles/selinux_policy/vars/main.yml | 1 +
2 files changed, 45 insertions(+)
create mode 100644 roles/selinux_policy/tasks/main.yml
create mode 100644 roles/selinux_policy/vars/main.yml
(limited to 'roles/selinux_policy')
diff --git a/roles/selinux_policy/tasks/main.yml b/roles/selinux_policy/tasks/main.yml
new file mode 100644
index 0000000..0ec008b
--- /dev/null
+++ b/roles/selinux_policy/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: create custom SELinux module directory
+ file:
+ path: '{{ selinux_policy_custom_dir }}'
+ state: directory
+
+- name: create SELinux type-enforcement file
+ copy:
+ content: |
+ module {{ selinux_policy_name }} {{ selinux_policy_version | default('1.0') }};
+
+ {{ selinux_policy_te }}
+ dest: '{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}.te'
+ register: selinux_te_file
+
+- name: check if SELinux policy is loaded
+ shell: semodule -l | grep -q {{ selinux_policy_name }}
+ changed_when: false
+ failed_when: false
+ register: se_policy_loaded
+
+- name: compile and load SELinux module
+ block:
+ - name: unload SELinux module
+ command: semodule -r {{ selinux_policy_name }}
+ when: se_policy_loaded.rc == 0
+
+ - name: compile SELinux module
+ command: checkmodule -M -m -o {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.mod {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.te
+
+ - name: build SELinux policy package
+ command: semodule_package -o {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.pp -m {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.mod
+
+ - name: load SELinux module
+ command: semodule -i {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.pp
+
+ - name: clean up build artifacts
+ file:
+ path: '{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}.{{ item }}'
+ state: absent
+ loop:
+ - mod
+ - pp
+
+ when: selinux_te_file.changed or se_policy_loaded.rc != 0
diff --git a/roles/selinux_policy/vars/main.yml b/roles/selinux_policy/vars/main.yml
new file mode 100644
index 0000000..d6c8c33
--- /dev/null
+++ b/roles/selinux_policy/vars/main.yml
@@ -0,0 +1 @@
+selinux_policy_custom_dir: /etc/selinux/custom
-- cgit
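Review bot: In the `compile and load SELinux module` block the `semodule -r` unload runs before `checkmodule` and `semodule_package`, so a syntax error in `selinux_policy_te` fails the block with the old module already removed, and even on success the host runs without the policy for the duration of the compile; move the unload after the `build SELinux policy package` task, or drop it and let `semodule -i` replace the installed module, which it does on current policycoreutils (confirm on the target release). The loaded check interpolates `selinux_policy_name` unquoted into a `shell:` pipeline and `grep -q` matches substrings, so shell metacharacters in the variable are executed and a name that is a prefix of another installed module reports as loaded; use `shell: semodule -l | grep -qwF {{ selinux_policy_name | quote }}`. The custom directory and the `.te` file are created with whatever the remote umask yields, and that file's content becomes kernel policy, so pin `owner: root`, `group: root` and `mode: '0750'` on the directory and `mode: '0640'` on the copy. The block has no `always:`, so a failed `semodule -i` leaves the `.mod`/`.pp` artifacts behind; moving the clean-up task into an `always:` section closes that.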
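Review bot: `vars/main.yml` ranks above inventory and play vars in Ansible precedence, so `selinux_policy_custom_dir` can only be changed with `-e`; if it is meant to be tunable per host, move the line to `defaults/main.yml` and keep `vars/` for values the role must control. Either way the line deserves a comment stating what the tasks do with it, e.g. `# absolute directory; tasks/main.yml creates it and writes the .te/.mod/.pp files there`.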