This feature adds a parameter to udica that generates an Ansible playbook for deploying SELinux policies and loading them on the system.
To also generate the Ansible playbook, the '--ansible' or '-d' parameter can
be used. An inventory file listing the Ansible-managed nodes then needs to be
provided to the Ansible play.
Example:
# podman inspect -l | udica mycon --ansible
...
...
...
# ls
mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml
# cat deploy-module.yml
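---
# Deploys the SELinux policy archive generated by udica to every managed
# node and loads the contained modules.  The variables it reads (archive,
# policy, final_policy) come from the generated variables-deploy-module.yml.
- hosts: all
  tasks:
    - name: Include variables from generated file
      include_vars:
        file: variables-deploy-module.yml

    - name: Ensure that all SELinux packages are installed
      package:
        name: "{{ item }}"
        state: present
      with_items:
        - container-selinux
        - policycoreutils
        - libselinux-utils

    - name: Copy SELinux policy generated by the udica
      copy:
        src: "{{ archive }}"
        dest: /var/lib/udica/policy/

    - name: Extract SELinux policy templates on nodes
      unarchive:
        src: "{{ archive }}"
        dest: /var/lib/udica/policy/

    # Only meaningful when SELinux is enabled on the node.  semodule is run
    # from the extraction directory so the .cil file names in `policy`
    # resolve.  `command` is used instead of `shell` because no shell
    # features are needed here; `policy` is split on whitespace as before.
    - name: Load SELinux policy templates
      when: ansible_selinux['status'] == "enabled"
      command: semodule -i {{ policy }}
      args:
        chdir: /var/lib/udica/policy/

    # grep exits 1 when nothing matches, so a non-zero rc means the policy
    # is not listed.  rc is an integer: the previous `diff_cmd.rc == "1"`
    # compared it against a string and therefore could never fail.
    # NOTE(review): confirm that `semodule -lfull` prints `final_policy`
    # exactly as written in the variables file on the target hosts.
    - name: Verify that SELinux policy generated by the udica is loaded
      when: ansible_selinux['status'] == "enabled"
      shell: semodule -lfull | grep "{{ final_policy }}"
      register: diff_cmd
      failed_when: diff_cmd.rc != 0
      changed_when: false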
# cat variables-deploy-module.yml
# Variables consumed by deploy-module.yml; written by udica next to the
# policy archive.
archive: 'mycon-policy.tar.gz'
# Whitespace-separated .cil files handed to `semodule -i` on the node
policy: 'mycon.cil base_container.cil net_container.cil home_container.cil'
# String searched for in `semodule -lfull` output to confirm the load
final_policy: 'mycon.cil'