
Deploy udica policies, using ansible

This feature adds a parameter to udica that generates an Ansible playbook for deploying the SELinux policies and loading them on the managed systems.

To also generate the Ansible playbook, the '--ansible' or '-d' parameter can
be used. An inventory file listing the Ansible-managed nodes then needs to be
provided to the Ansible play.

Example:
 # podman inspect -l | udica mycon --ansible
 ...
 ...
 ...

 # ls
 mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml

 # cat deploy-module.yml
 ---
 - hosts: all
   tasks:
   - name: Include variables from generated file
     include_vars:
       file: variables-deploy-module.yml

   - name: Ensure that all SELinux packages are installed
     package:
       name: "{{ item }}"
       state: present
     with_items:
     - container-selinux
     - policycoreutils
     - libselinux-utils

   - name: Copy SELinux policy generated by the udica
     copy:
       src: "{{ archive }}"
       dest: /var/lib/udica/policy/

   - name: Extract SELinux policy templates on nodes
     unarchive:
       src: "{{ archive }}"
       dest: /var/lib/udica/policy/

   - name: Load SELinux policy templates
     when: ansible_selinux['status'] == "enabled"
     shell: semodule -i  {{ policy }}
     args:
       chdir: /var/lib/udica/policy/

   - name: Verify that SELinux policy generated by the udica is loaded
     when: ansible_selinux['status'] == "enabled"
     shell: semodule -lfull | grep "{{ final_policy }}"
     register: diff_cmd
     failed_when: diff_cmd.rc == "1"
     changed_when: false

 # cat variables-deploy-module.yml
 archive: mycon-policy.tar.gz
 policy: mycon.cil base_container.cil net_container.cil home_container.cil
 final_policy: mycon.cil
This commit is contained in:
Lukas Vrabec 2019-05-22 20:50:21 +02:00 committed by Lukas Vrabec
parent 3b07ca9246
commit 2f82dcd3f3
4 changed files with 76 additions and 4 deletions


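--- a/setup.py
+++ b/setup.py
@@ -33,6 +33,7 @@ setuptools.setup(
 packages=["udica"],
 data_files=[
 ('/usr/share/licenses/udica', ['LICENSE']),
+('/usr/share/udica/ansible', ['udica/ansible/deploy-module.yml']),
 ('/usr/share/udica/templates', ['udica/templates/base_container.cil']),
 ('/usr/share/udica/templates', ['udica/templates/config_container.cil']),
 ('/usr/share/udica/templates', ['udica/templates/home_container.cil']),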


@ -19,7 +19,7 @@ import shutil
# import udica # import udica
from udica.parse import parse_inspect, parse_cap, parse_is_podman from udica.parse import parse_inspect, parse_cap, parse_is_podman
from udica.policy import create_policy, load_policy from udica.policy import create_policy, load_policy, generate_playbook
def get_args(): def get_args():
parser = argparse.ArgumentParser(description='Script generates SELinux policy for running container.') parser = argparse.ArgumentParser(description='Script generates SELinux policy for running container.')
@ -41,6 +41,8 @@ def get_args():
'-l', '--load-modules', help='Load templates and module created by this tool ', required=False, dest='LoadModules', action='store_true') '-l', '--load-modules', help='Load templates and module created by this tool ', required=False, dest='LoadModules', action='store_true')
parser.add_argument( parser.add_argument(
'-c', '--caps', help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', required=False, dest='Caps', default=None) '-c', '--caps', help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', required=False, dest='Caps', default=None)
parser.add_argument(
'-d', '--ansible', help='Generate ansible playbook to deploy SELinux policy for containers ', required=False, dest='Ansible', action='store_true')
args = parser.parse_args() args = parser.parse_args()
return vars(args) return vars(args)
@ -108,7 +110,10 @@ def main():
print('\nPolicy ' + opts['ContainerName'] + ' created!') print('\nPolicy ' + opts['ContainerName'] + ' created!')
load_policy(opts) if opts['Ansible']:
generate_playbook(opts)
else:
load_policy(opts)
print('\nRestart the container with: "--security-opt label=type:' + opts['ContainerName'] + '.process" parameter') print('\nRestart the container with: "--security-opt label=type:' + opts['ContainerName'] + '.process" parameter')
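Review bot: With the new `if opts['Ansible']:` branch, passing `-l/--load-modules` together with `-d/--ansible` silently skips the local load that `-l` asked for, because argparse accepts both flags at once and only the Ansible path runs. Putting the two options in a mutually exclusive group turns that into a usage error: `mode = parser.add_mutually_exclusive_group()` and then register both `-l` and `-d` through `mode.add_argument(...)` instead of `parser.add_argument(...)`. The short option `-d` also gives no hint of "ansible"; if a more mnemonic letter is still free it is worth changing before the flag is published, since short options are hard to rename later.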


@ -0,0 +1,38 @@
---
- hosts: all
tasks:
- name: Include variables from generated file
include_vars:
file: variables-deploy-module.yml
- name: Ensure that all SELinux packages are installed
package:
name: "{{ item }}"
state: present
with_items:
- container-selinux
- policycoreutils
- libselinux-utils
- name: Copy SELinux policy generated by the udica
copy:
src: "{{ archive }}"
dest: /var/lib/udica/policy/
- name: Extract SELinux policy templates on nodes
unarchive:
src: "{{ archive }}"
dest: /var/lib/udica/policy/
- name: Load SELinux policy templates
when: ansible_selinux['status'] == "enabled"
shell: semodule -i {{ policy }}
args:
chdir: /var/lib/udica/policy/
- name: Verify that SELinux policy generated by the udica is loaded
when: ansible_selinux['status'] == "enabled"
shell: semodule -lfull | grep "{{ final_policy }}"
register: diff_cmd
failed_when: diff_cmd.rc == "1"
changed_when: false
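Review bot: The `failed_when: diff_cmd.rc == "1"` condition on the verification task compares the integer return code with the string "1", which is never true in Jinja2, so the task can no longer fail and a module that did not load goes unnoticed; it should read `failed_when: diff_cmd.rc != 0`. Even with that fixed, the pattern being grepped is `final_policy` (`mycon.cil` in the example vars file), while `semodule -lfull` lists, as far as I recall, the module name without the `.cil` suffix, so the match should be on the bare name. The load task runs `semodule -i {{ policy }}` through a shell although nothing needs shell features; the `command` module splits the space-separated list the same way and keeps the templated value out of shell interpretation. The play also has no `become`, yet `package` and `semodule` need root, so either add `become: true` or document that the play must be run with `-b`.
```yaml
- hosts: all
  become: true
  tasks:
  # … unchanged: include_vars, package, copy and unarchive tasks …
  - name: Load SELinux policy templates
    when: ansible_selinux['status'] == "enabled"
    command: semodule -i {{ policy }}
    args:
      chdir: /var/lib/udica/policy/
  - name: Verify that SELinux policy generated by the udica is loaded
    when: ansible_selinux['status'] == "enabled"
    shell: semodule -lfull | grep -w '{{ final_policy | splitext | first }}'
    register: diff_cmd
    failed_when: diff_cmd.rc != 0
    changed_when: false
```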


@ -16,16 +16,22 @@
import selinux import selinux
import semanage import semanage
from os import chdir, getcwd from shutil import copy
from os import chdir, getcwd, write, read, remove, replace
import tarfile
import udica.perms as perms import udica.perms as perms
TEMPLATES_STORE = '/usr/share/udica/templates'
CONFIG_CONTAINER = '/etc' CONFIG_CONTAINER = '/etc'
HOME_CONTAINER = '/home' HOME_CONTAINER = '/home'
LOG_CONTAINER = '/var/log' LOG_CONTAINER = '/var/log'
TMP_CONTAINER = '/tmp' TMP_CONTAINER = '/tmp'
TEMPLATES_STORE = '/usr/share/udica/templates' TEMPLATE_PLAYBOOK = '/usr/share/udica/ansible/deploy-module.yml'
VARIABLE_FILE_NAME = 'variables-deploy-module.yml'
templates_to_load = [] templates_to_load = []
@ -201,3 +207,25 @@ def load_policy(opts):
print('\nPlease load these modules using: \n# semodule -i ' + opts['ContainerName'] + '.cil ' + TEMPLATES_STORE + "/" + templates + '') print('\nPlease load these modules using: \n# semodule -i ' + opts['ContainerName'] + '.cil ' + TEMPLATES_STORE + "/" + templates + '')
chdir(PWD) chdir(PWD)
def generate_playbook(opts):
src = TEMPLATE_PLAYBOOK
dst = "./"
copy(src,dst)
varsfile = open(VARIABLE_FILE_NAME ,'w')
varsfile.write('archive: ' + opts['ContainerName'] + '-policy.tar.gz\n')
varsfile.write('policy: ' + opts['ContainerName'] + '.cil ' + list_templates_to_string(templates_to_load).replace(',', ' ') + '\n')
varsfile.write('final_policy: ' + opts['ContainerName'] + '.cil')
varsfile.close()
tar = tarfile.open(opts['ContainerName'] + '-policy.tar.gz', 'w:gz')
for template in templates_to_load:
tar.add(TEMPLATES_STORE + '/' + template + '.cil', template + '.cil')
tar.add(opts['ContainerName'] + '.cil')
remove(opts['ContainerName'] +'.cil')
tar.close()
print('\nAnsible playbook and archive with udica policies generated! \nPlease run ansible play to deploy the policy.')
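Review bot: `generate_playbook` opens the variables file and the tarball without `with`, so if a `write()` or `tar.add()` raises (for example a template missing under `TEMPLATES_STORE`) the handles are left open and a truncated `-policy.tar.gz` stays behind; context managers close both on every path. The values written to `variables-deploy-module.yml` are unquoted YAML scalars built from `opts['ContainerName']`, so a name containing `: `, ` #` or a leading indicator character would produce a vars file the playbook cannot load; quoting them is cheap, and `final_policy` is currently written without a trailing newline. On the import line, `write`, `read` and `replace` from `os` are not used anywhere in this hunk. `list_templates_to_string` is defined outside the hunk, so I have not checked what it returns beyond the comma-separated form the `.replace` implies.
```python
def generate_playbook(opts):
    # … unchanged: copy of TEMPLATE_PLAYBOOK into the working directory …
    policy_file = opts['ContainerName'] + '.cil'
    archive = opts['ContainerName'] + '-policy.tar.gz'
    templates = list_templates_to_string(templates_to_load).replace(',', ' ')
    with open(VARIABLE_FILE_NAME, 'w') as varsfile:
        varsfile.write('archive: "' + archive + '"\n')
        varsfile.write('policy: "' + policy_file + ' ' + templates + '"\n')
        varsfile.write('final_policy: "' + policy_file + '"\n')
    with tarfile.open(archive, 'w:gz') as tar:
        for template in templates_to_load:
            tar.add(TEMPLATES_STORE + '/' + template + '.cil', template + '.cil')
        tar.add(policy_file)
    remove(policy_file)
    # … unchanged: final print …
```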