-
-
Save gnosek/38420ac0f2a650c72cc0e6fcb600083b to your computer and use it in GitHub Desktop.
SELinux Nginx socket write Ansible
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module nginx_socket_write 1.0; | |
| require { | |
| type httpd_t; | |
| type var_t; | |
| type http_cache_port_t; | |
| class sock_file write; | |
| class tcp_socket name_connect; | |
| } | |
| #============= httpd_t ============== | |
| #!!!! This avc is allowed in the current policy | |
| allow httpd_t http_cache_port_t:tcp_socket name_connect; | |
| #!!!! This avc is allowed in the current policy | |
| allow httpd_t var_t:sock_file write; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: "SELinux - allow nginx write to socket - check if module was loaded" | |
| command: semodule --list-modules | |
| register: nginx_socket_write_loaded | |
| changed_when: '"nginx_socket_write" not in nginx_socket_write_loaded.stdout' | |
| - block: | |
| - name: "SELinux - allow nginx write to socket - copy type enforcement file" | |
| template: | |
| src: nginx_socket_write.te | |
| dest: /root/nginx_socket_write.te | |
| mode: 0644 | |
| - name: "SELinux - allow nginx write to socket - checkmodule" | |
| command: "checkmodule -M -m -o nginx_socket_write.mod nginx_socket_write.te" | |
| args: | |
| chdir: /root | |
| creates: nginx_socket_write.mod | |
| - name: "SELinux - allow nginx write to socket - semodule_package" | |
| command: "semodule_package -o nginx_socket_write.pp -m nginx_socket_write.mod" | |
| args: | |
| chdir: /root | |
| creates: nginx_socket_write.pp | |
| - name: "SELinux - allow nginx write to socket - semodule install" | |
| command: "semodule -i nginx_socket_write.pp" | |
| when: nginx_socket_write_loaded|changed |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: "SELinux - allow nginx write to socket - check if module was loaded" | |
| command: semodule --list-modules | |
| register: nginx_socket_write_loaded | |
| changed_when: '"nginx_socket_write" not in nginx_socket_write_loaded.stdout' | |
| - name: "SELinux - create work directory" | |
| file: | |
| path: /var/lib/selinux | |
| state: directory | |
| mode: 0700 | |
| - name: "SELinux - allow nginx write to socket - copy type enforcement file" | |
| template: | |
| src: nginx_socket_write.te | |
| dest: /var/lib/selinux/nginx_socket_write.te | |
| mode: 0644 | |
| register: nginx_socket_write | |
| - block: | |
| - name: "SELinux - allow nginx write to socket - checkmodule" | |
| command: "checkmodule -M -m -o nginx_socket_write.mod nginx_socket_write.te" | |
| args: | |
| chdir: /var/lib/selinux | |
| - name: "SELinux - allow nginx write to socket - semodule_package" | |
| command: "semodule_package -o nginx_socket_write.pp -m nginx_socket_write.mod" | |
| args: | |
| chdir: /var/lib/selinux | |
| - name: "SELinux - allow nginx write to socket - semodule install" | |
| command: "semodule -i nginx_socket_write.pp" | |
| args: | |
| chdir: /var/lib/selinux | |
| when: nginx_socket_write_loaded|changed or nginx_socket_write|changed or nginx_socket_write_rebuild|default(False) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: "SELinux - allow nginx write to socket - check if module was loaded" | |
| command: semodule --list-modules | |
| register: nginx_socket_write_loaded | |
| changed_when: '"nginx_socket_write" not in nginx_socket_write_loaded.stdout' | |
| - name: "SELinux - create work directory" | |
| file: | |
| path: /var/lib/selinux | |
| state: directory | |
| mode: 0700 | |
| - name: "SELinux - allow nginx write to socket - copy type enforcement file" | |
| template: | |
| src: nginx_socket_write.te | |
| dest: /var/lib/selinux/nginx_socket_write.te | |
| mode: 0644 | |
| register: nginx_socket_write | |
| - name: "SELinux - build and install policy" | |
| command: "{{ item }}" | |
| args: | |
| chdir: /var/lib/selinux | |
| with_items: | |
| - "checkmodule -M -m -o nginx_socket_write.mod nginx_socket_write.te" | |
| - "semodule_package -o nginx_socket_write.pp -m nginx_socket_write.mod" | |
| - "semodule -i nginx_socket_write.pp" | |
| when: nginx_socket_write_loaded|changed or nginx_socket_write|changed or nginx_socket_write_rebuild|default(False) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # - role: semodule | |
| # selinux_module: nginx_socket_write | |
| --- | |
| - name: "SELinux - check if module was loaded" | |
| command: semodule --list-modules | |
| register: semodule_loaded | |
| changed_when: selinux_module not in semodule_loaded.stdout_lines | |
| - name: "SELinux - create work directory" | |
| file: | |
| path: /var/lib/selinux | |
| state: directory | |
| mode: 0700 | |
| - name: "SELinux - copy type enforcement file" | |
| template: | |
| src: "{{ selinux_module_template|default(selinux_module ~ '.te') }}" | |
| dest: /var/lib/selinux/{{ selinux_module }}.te | |
| mode: 0644 | |
| register: semodule_te | |
| - name: "SELinux - build and install policy" | |
| command: "{{ item }}" | |
| args: | |
| chdir: /var/lib/selinux | |
| with_items: | |
| - "checkmodule -M -m -o {{ selinux_module }}.mod {{ selinux_module }}.te" | |
| - "semodule_package -o {{ selinux_module }}.pp -m {{ selinux_module }}.mod" | |
| - "semodule -i {{ selinux_module }}.pp" | |
| when: semodule_loaded|changed or semodule_te|changed or semodule_rebuild|default(False) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment