Deploy udica policies, using ansible
This feature adds a parameter to udica that also generates an Ansible playbook for deploying the generated SELinux policies and loading them on the target systems. To generate the playbook, pass the '--ansible' (or '-d') parameter. An inventory file listing the Ansible-managed nodes then needs to be provided to the Ansible play. Example: # podman inspect -l | udica mycon --ansible ... ... ... # ls mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml # cat deploy-module.yml --- - hosts: all tasks: - name: Include variables from generated file include_vars: file: variables-deploy-module.yml - name: Ensure that all SELinux packages are installed package: name: "{{ item }}" state: present with_items: - container-selinux - policycoreutils - libselinux-utils - name: Copy SELinux policy generated by the udica copy: src: "{{ archive }}" dest: /var/lib/udica/policy/ - name: Extract SELinux policy templates on nodes unarchive: src: "{{ archive }}" dest: /var/lib/udica/policy/ - name: Load SELinux policy templates when: ansible_selinux['status'] == "enabled" shell: semodule -i {{ policy }} args: chdir: /var/lib/udica/policy/ - name: Verify that SELinux policy generated by the udica is loaded when: ansible_selinux['status'] == "enabled" shell: semodule -lfull | grep "{{ final_policy }}" register: diff_cmd failed_when: diff_cmd.rc == "1" changed_when: false # cat variables-deploy-module.yml archive: mycon-policy.tar.gz policy: mycon.cil base_container.cil net_container.cil home_container.cil final_policy: mycon.cil
This commit is contained in:
parent
3b07ca9246
commit
2f82dcd3f3
1
setup.py
1
setup.py
@ -33,6 +33,7 @@ setuptools.setup(
|
||||
packages=["udica"],
|
||||
data_files=[
|
||||
('/usr/share/licenses/udica', ['LICENSE']),
|
||||
('/usr/share/udica/ansible', ['udica/ansible/deploy-module.yml']),
|
||||
('/usr/share/udica/templates', ['udica/templates/base_container.cil']),
|
||||
('/usr/share/udica/templates', ['udica/templates/config_container.cil']),
|
||||
('/usr/share/udica/templates', ['udica/templates/home_container.cil']),
|
||||
|
@ -19,7 +19,7 @@ import shutil
|
||||
|
||||
# import udica
|
||||
from udica.parse import parse_inspect, parse_cap, parse_is_podman
|
||||
from udica.policy import create_policy, load_policy
|
||||
from udica.policy import create_policy, load_policy, generate_playbook
|
||||
|
||||
def get_args():
|
||||
parser = argparse.ArgumentParser(description='Script generates SELinux policy for running container.')
|
||||
@ -41,6 +41,8 @@ def get_args():
|
||||
'-l', '--load-modules', help='Load templates and module created by this tool ', required=False, dest='LoadModules', action='store_true')
|
||||
parser.add_argument(
|
||||
'-c', '--caps', help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', required=False, dest='Caps', default=None)
|
||||
parser.add_argument(
|
||||
'-d', '--ansible', help='Generate ansible playbook to deploy SELinux policy for containers ', required=False, dest='Ansible', action='store_true')
|
||||
args = parser.parse_args()
|
||||
return vars(args)
|
||||
|
||||
@ -108,6 +110,9 @@ def main():
|
||||
|
||||
print('\nPolicy ' + opts['ContainerName'] + ' created!')
|
||||
|
||||
if opts['Ansible']:
|
||||
generate_playbook(opts)
|
||||
else:
|
||||
load_policy(opts)
|
||||
|
||||
print('\nRestart the container with: "--security-opt label=type:' + opts['ContainerName'] + '.process" parameter')
|
||||
|
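Review bot: With `--ansible` the `-l/--load-modules` flag is silently ignored, because the new `if opts['Ansible']:` branch replaces the `load_policy(opts)` call rather than running alongside it, and the closing message on the next line still tells the user to restart the container with the new label although nothing has been loaded on this host. Consider declaring the two flags as a mutually exclusive argparse group (`group = parser.add_mutually_exclusive_group()` and then `group.add_argument(...)` for both `-l` and `-d`), and printing the restart hint only after a local load, or rewording it to say the policy must be deployed with the playbook first. The short option `-d` for `--ansible` is also non-mnemonic; `-a` would read better if it is still free. main() and get_args() both start outside the hunk.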
38
udica/ansible/deploy-module.yml
Normal file
38
udica/ansible/deploy-module.yml
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
- hosts: all
|
||||
tasks:
|
||||
- name: Include variables from generated file
|
||||
include_vars:
|
||||
file: variables-deploy-module.yml
|
||||
|
||||
- name: Ensure that all SELinux packages are installed
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- container-selinux
|
||||
- policycoreutils
|
||||
- libselinux-utils
|
||||
|
||||
- name: Copy SELinux policy generated by the udica
|
||||
copy:
|
||||
src: "{{ archive }}"
|
||||
dest: /var/lib/udica/policy/
|
||||
|
||||
- name: Extract SELinux policy templates on nodes
|
||||
unarchive:
|
||||
src: "{{ archive }}"
|
||||
dest: /var/lib/udica/policy/
|
||||
|
||||
- name: Load SELinux policy templates
|
||||
when: ansible_selinux['status'] == "enabled"
|
||||
shell: semodule -i {{ policy }}
|
||||
args:
|
||||
chdir: /var/lib/udica/policy/
|
||||
|
||||
- name: Verify that SELinux policy generated by the udica is loaded
|
||||
when: ansible_selinux['status'] == "enabled"
|
||||
shell: semodule -lfull | grep "{{ final_policy }}"
|
||||
register: diff_cmd
|
||||
failed_when: diff_cmd.rc == "1"
|
||||
changed_when: false
|
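Review bot: The verify task's `failed_when: diff_cmd.rc == "1"` can never be true, because `rc` is an integer while `"1"` is a string and the Jinja expression uses Python equality; since a `failed_when` replaces the default non-zero-rc check, a module that failed to load is never reported. Use `failed_when: diff_cmd.rc != 0` so any grep miss fails the play. The load task interpolates `{{ policy }}` unquoted into a `shell:` line, and that value is written by udica from the container name, so a name containing shell metacharacters would be executed as shell on every managed node; `command: semodule -i {{ policy }}` avoids shell interpretation, and the grep should take a fixed, quoted pattern, e.g. `shell: semodule -lfull | grep -F -- {{ final_policy | quote }}`. It is also worth confirming against real `semodule -lfull` output that the module name and the `cil` tag appear as a single `name.cil` token, since otherwise the unescaped `.` in the pattern only matches by accident, and the `copy` task looks redundant given `unarchive` already transfers `{{ archive }}` from the controller.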
@ -16,16 +16,22 @@
|
||||
import selinux
|
||||
import semanage
|
||||
|
||||
from os import chdir, getcwd
|
||||
from shutil import copy
|
||||
from os import chdir, getcwd, write, read, remove, replace
|
||||
|
||||
import tarfile
|
||||
|
||||
import udica.perms as perms
|
||||
|
||||
TEMPLATES_STORE = '/usr/share/udica/templates'
|
||||
|
||||
CONFIG_CONTAINER = '/etc'
|
||||
HOME_CONTAINER = '/home'
|
||||
LOG_CONTAINER = '/var/log'
|
||||
TMP_CONTAINER = '/tmp'
|
||||
|
||||
TEMPLATES_STORE = '/usr/share/udica/templates'
|
||||
TEMPLATE_PLAYBOOK = '/usr/share/udica/ansible/deploy-module.yml'
|
||||
VARIABLE_FILE_NAME = 'variables-deploy-module.yml'
|
||||
|
||||
templates_to_load = []
|
||||
|
||||
@ -201,3 +207,25 @@ def load_policy(opts):
|
||||
print('\nPlease load these modules using: \n# semodule -i ' + opts['ContainerName'] + '.cil ' + TEMPLATES_STORE + "/" + templates + '')
|
||||
|
||||
chdir(PWD)
|
||||
|
||||
def generate_playbook(opts):
|
||||
src = TEMPLATE_PLAYBOOK
|
||||
dst = "./"
|
||||
copy(src,dst)
|
||||
|
||||
varsfile = open(VARIABLE_FILE_NAME ,'w')
|
||||
|
||||
varsfile.write('archive: ' + opts['ContainerName'] + '-policy.tar.gz\n')
|
||||
varsfile.write('policy: ' + opts['ContainerName'] + '.cil ' + list_templates_to_string(templates_to_load).replace(',', ' ') + '\n')
|
||||
varsfile.write('final_policy: ' + opts['ContainerName'] + '.cil')
|
||||
|
||||
varsfile.close()
|
||||
|
||||
tar = tarfile.open(opts['ContainerName'] + '-policy.tar.gz', 'w:gz')
|
||||
for template in templates_to_load:
|
||||
tar.add(TEMPLATES_STORE + '/' + template + '.cil', template + '.cil')
|
||||
tar.add(opts['ContainerName'] + '.cil')
|
||||
remove(opts['ContainerName'] +'.cil')
|
||||
tar.close()
|
||||
|
||||
print('\nAnsible playbook and archive with udica policies generated! \nPlease run ansible play to deploy the policy.')
|
||||
|
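Review bot: In `generate_playbook` the generated `.cil` is deleted with `remove(...)` before `tar.close()`, and neither the variables file nor the tarball is opened with `with`, so an exception while adding a template or while flushing the gzip stream leaves a truncated archive with the only copy of the container policy already gone. Wrap both files in context managers and delete the loose `.cil` only after the archive has been closed, as below. The variables file is also built by plain string concatenation and `policy`/`final_policy` are later interpolated into `shell:` tasks on the managed nodes, so a container name containing YAML- or shell-significant characters (`:`, `#`, quotes, `;`) yields a file the play misparses or executes; validating the name (e.g. against `^[A-Za-z0-9_.-]+$`) before writing would close that. `write`, `read` and `replace` in the widened `os` import appear unused in the visible hunks.
```python
def generate_playbook(opts):
    copy(TEMPLATE_PLAYBOOK, "./")

    with open(VARIABLE_FILE_NAME, 'w') as varsfile:
        varsfile.write('archive: ' + opts['ContainerName'] + '-policy.tar.gz\n')
        varsfile.write('policy: ' + opts['ContainerName'] + '.cil ' + list_templates_to_string(templates_to_load).replace(',', ' ') + '\n')
        varsfile.write('final_policy: ' + opts['ContainerName'] + '.cil')

    with tarfile.open(opts['ContainerName'] + '-policy.tar.gz', 'w:gz') as tar:
        for template in templates_to_load:
            tar.add(TEMPLATES_STORE + '/' + template + '.cil', template + '.cil')
        tar.add(opts['ContainerName'] + '.cil')
    # The module is inside the closed archive now; only then drop the loose copy.
    remove(opts['ContainerName'] + '.cil')

    # … unchanged: final print …
```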