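---
# Tasks: provision local home directories under /usr/local/home, install the
# PAM-driven home-directory creation scripts, and apply the SELinux labels the
# scripts and the directory need.
#
# Variables used here but defined elsewhere in the role (not visible in this
# file): local_homedir_script_ssh, local_homedir_script_gdm,
# local_homedir_pam_env_path.

- name: create /usr/local/home
  file:
    path: /usr/local/home
    state: directory

# NOTE(review): these scripts are run by pam_exec.so from the PAM stacks below,
# so they must stay root-owned and never group/world-writable. mode 0555 covers
# the latter; ownership is whatever the connecting user is (root under
# `become`) — confirm, or pin owner/group explicitly.
- name: copy homedir creation scripts
  copy:
    src: usr/local/sbin/create-local-homedir.sh
    dest: '{{ item }}'
    # Quoted so Ansible receives the octal string. An unquoted 0555 is parsed
    # by YAML 1.1 as integer 365 and only works by Ansible's int-to-mode
    # conversion; a quoted value is unambiguous.
    mode: '0555'
    setype: _default
  loop:
    - '{{ local_homedir_script_ssh }}'
    - '{{ local_homedir_script_gdm }}'

# The GDM copy is exec'd from the display manager's PAM stack; it needs a type
# that the xdm domain may transition to. Registered so restorecon runs only
# when the file-context rule actually changed.
- name: set xdm_unconfined_exec_t sefcontext on homedir creation script
  sefcontext:
    target: '{{ local_homedir_script_gdm }}'
    state: present
    setype: xdm_unconfined_exec_t
  tags: selinux
  register: local_homedir_sefcontext

# sefcontext only records the rule; restorecon applies it to the file.
- name: apply selinux context to homedir creation script
  command: 'restorecon -R {{ local_homedir_script_gdm }}'
  when: local_homedir_sefcontext.changed
  tags: selinux

- name: copy profile script
  copy:
    src: etc/profile.d/local-homedirs.sh
    dest: /etc/profile.d/local-homedirs.sh

# src strips the leading "/" from the destination path so the same variable
# selects both the role file and the target location.
- name: copy pam_env for XDG variables
  copy:
    src: '{{ local_homedir_pam_env_path[1:] }}'
    dest: '{{ local_homedir_pam_env_path }}'

# Read the local (-C) fcontext customisations so the equivalency below is only
# added once; semanage has no idempotent "add if missing" for -e.
- name: get fcontext equivalencies
  command: semanage fcontext -l -C
  changed_when: false
  register: selinux_equivalencies

# Make /usr/local/home inherit the labelling rules of /home.
- name: set selinux fcontext for /usr/local/home
  command: semanage fcontext -a -e /home /usr/local/home
  register: local_homedirs_fcontext
  when: "'/usr/local/home = /home' not in selinux_equivalencies.stdout_lines"

- name: apply selinux fcontext to /usr/local/home
  command: restorecon -R /usr/local/home
  when: local_homedirs_fcontext.changed

# Populates ansible_facts.packages, used by the GDM condition below.
- name: check if gdm is installed
  package_facts:
    manager: auto

# Insert ahead of pam_gnome_keyring so the home directory exists before the
# keyring module runs. Both lines are "optional" so a script failure does not
# block login.
- name: modify GDM PAM configuration for local homedirs
  lineinfile:
    path: /etc/pam.d/gdm-password
    line: '{{ item }}'
    insertbefore: '^auth\s+optional\s+pam_gnome_keyring\.so$'
    state: present
  loop:
    - 'auth optional pam_exec.so {{ local_homedir_script_gdm }}'
    - 'auth optional pam_env.so conffile={{ local_homedir_pam_env_path }}'
  when: "'gdm' in ansible_facts.packages"

# sshd: run the creation script in the session phase (after authentication),
# appended to the end of the stack.
- name: modify pam configs for sshd
  lineinfile:
    path: /etc/pam.d/sshd
    line: '{{ item }}'
    insertafter: EOF
    state: present
  loop:
    - 'session optional pam_exec.so {{ local_homedir_script_ssh }}'
    - 'session optional pam_env.so conffile={{ local_homedir_pam_env_path }}'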