Deploy udica policies, using ansible

This feature adding paramater to udica, which generate ansible playbook for deploying SELinux policies and loading them to the system. To generate also ansble playbook, '--ansible' or '-d' paramaters could be used. Then, inventory file with ansible managed nodes needs to be provided to ansible play. Example: # podman inspect -l | udica mycon --ansible ... ... ... # ls mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml # cat deploy-module.yml --- - hosts: all tasks: - name: Include variables from generated file include_vars: file: variables-deploy-module.yml - name: Ensure that all SELinux packages are installed package: name: "{{ item }}" state: present with_items: - container-selinux - policycoreutils - libselinux-utils - name: Copy SELinux policy generated by the udica copy: src: "{{ archive }}" dest: /var/lib/udica/policy/ - name: Extract SELinux policy templates on nodes unarchive: src: "{{ archive }}" dest: /var/lib/udica/policy/ - name: Load SELinux policy templates when: ansible_selinux['status'] == "enabled" shell: semodule -i {{ policy }} args: chdir: /var/lib/udica/policy/ - name: Verify that SELinux policy generated by the udica is loaded when: ansible_selinux['status'] == "enabled" shell: semodule -lfull | grep "{{ final_policy }}" register: diff_cmd failed_when: diff_cmd.rc == "1" changed_when: false # cat variables-deploy-module.yml archive: mycon-policy.tar.gz policy: mycon.cil base_container.cil net_container.cil home_container.cil final_policy: mycon.cil
2024-05-25 01:56:14 +02:00 · 2019-05-22 20:50:21 +02:00 · 2019-05-22 20:50:21 +02:00 · 2f82dcd3f3
parent 3b07ca9246
commit 2f82dcd3f3
4 changed files with 76 additions and 4 deletions
--- a/setup.py
+++ b/setup.py
@ -33,6 +33,7 @@ setuptools.setup(
    packages=["udica"],
    data_files=[
        ('/usr/share/licenses/udica', ['LICENSE']),
+        ('/usr/share/udica/ansible', ['udica/ansible/deploy-module.yml']),
        ('/usr/share/udica/templates', ['udica/templates/base_container.cil']),
        ('/usr/share/udica/templates', ['udica/templates/config_container.cil']),
        ('/usr/share/udica/templates', ['udica/templates/home_container.cil']),
--- a/udica/main.py
+++ b/udica/main.py
@ -19,7 +19,7 @@ import shutil

 # import udica
 from udica.parse import parse_inspect, parse_cap, parse_is_podman
-from udica.policy import create_policy, load_policy
+from udica.policy import create_policy, load_policy, generate_playbook

 def get_args():
    parser = argparse.ArgumentParser(description='Script generates SELinux policy for running container.')
@ -41,6 +41,8 @@ def get_args():
        '-l', '--load-modules', help='Load templates and module created by this tool ', required=False, dest='LoadModules', action='store_true')
    parser.add_argument(
        '-c', '--caps', help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', required=False, dest='Caps', default=None)
+    parser.add_argument(
+        '-d', '--ansible', help='Generate ansible playbook to deploy SELinux policy for containers ', required=False, dest='Ansible', action='store_true')
    args = parser.parse_args()
    return vars(args)

@ -108,7 +110,10 @@ def main():

    print('\nPolicy ' + opts['ContainerName'] + ' created!')

-    load_policy(opts)
+    if opts['Ansible']:
+        generate_playbook(opts)
+    else:
+        load_policy(opts)

    print('\nRestart the container with: "--security-opt label=type:' + opts['ContainerName'] + '.process" parameter')

--- a/udica/ansible/deploy-module.yml
+++ b/udica/ansible/deploy-module.yml
@ -0,0 +1,38 @@
+---
+- hosts: all
+  tasks:
+  - name: Include variables from generated file
+    include_vars:
+      file: variables-deploy-module.yml
+
+  - name: Ensure that all SELinux packages are installed
+    package:
+      name: "{{ item }}"
+      state: present
+    with_items:
+    - container-selinux
+    - policycoreutils
+    - libselinux-utils
+
+  - name: Copy SELinux policy generated by the udica
+    copy:
+      src: "{{ archive }}"
+      dest: /var/lib/udica/policy/
+
+  - name: Extract SELinux policy templates on nodes
+    unarchive:
+      src: "{{ archive }}"
+      dest: /var/lib/udica/policy/
+
+  - name: Load SELinux policy templates
+    when: ansible_selinux['status'] == "enabled"
+    shell: semodule -i  {{ policy }}
+    args:
+      chdir: /var/lib/udica/policy/
+
+  - name: Verify that SELinux policy generated by the udica is loaded
+    when: ansible_selinux['status'] == "enabled"
+    shell: semodule -lfull | grep "{{ final_policy }}"
+    register: diff_cmd
+    failed_when: diff_cmd.rc == "1"
+    changed_when: false
--- a/udica/policy.py
+++ b/udica/policy.py
@ -16,16 +16,22 @@
 import selinux
 import semanage

-from os import chdir, getcwd
+from shutil import copy
+from os import chdir, getcwd, write, read, remove, replace
+
+import tarfile

 import udica.perms as perms

+TEMPLATES_STORE = '/usr/share/udica/templates'
+
 CONFIG_CONTAINER = '/etc'
 HOME_CONTAINER = '/home'
 LOG_CONTAINER = '/var/log'
 TMP_CONTAINER = '/tmp'

-TEMPLATES_STORE = '/usr/share/udica/templates'
+TEMPLATE_PLAYBOOK = '/usr/share/udica/ansible/deploy-module.yml'
+VARIABLE_FILE_NAME = 'variables-deploy-module.yml'

 templates_to_load = []

@ -201,3 +207,25 @@ def load_policy(opts):
            print('\nPlease load these modules using: \n# semodule -i ' + opts['ContainerName'] + '.cil ' + TEMPLATES_STORE + "/" + templates + '')

        chdir(PWD)
+
+def generate_playbook(opts):
+    src = TEMPLATE_PLAYBOOK
+    dst = "./"
+    copy(src,dst)
+
+    varsfile = open(VARIABLE_FILE_NAME ,'w')
+
+    varsfile.write('archive: ' + opts['ContainerName'] + '-policy.tar.gz\n')
+    varsfile.write('policy: ' + opts['ContainerName'] + '.cil ' + list_templates_to_string(templates_to_load).replace(',', ' ') + '\n')
+    varsfile.write('final_policy: ' + opts['ContainerName'] + '.cil')
+
+    varsfile.close()
+
+    tar = tarfile.open(opts['ContainerName'] + '-policy.tar.gz', 'w:gz')
+    for template in templates_to_load:
+        tar.add(TEMPLATES_STORE + '/' + template + '.cil', template + '.cil')
+    tar.add(opts['ContainerName'] + '.cil')
+    remove(opts['ContainerName'] +'.cil')
+    tar.close()
+
+    print('\nAnsible playbook and archive with udica policies generated! \nPlease run ansible play to deploy the policy.')