Lukas Vrabec 2f82dcd3f3 Deploy udica policies, using ansible
This feature adds a parameter to udica which generates an ansible playbook for deploying SELinux policies and loading them on the system.

To generate also ansble playbook, '--ansible' or '-d' paramaters could
be used. Then, inventory file with ansible managed nodes needs to be
provided to ansible play.

Example:
 # podman inspect -l | udica mycon --ansible
 ...
 ...
 ...

 # ls
 mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml

 # cat deploy-module.yml
 ---
 - hosts: all
   tasks:
   - name: Include variables from generated file
     include_vars:
       file: variables-deploy-module.yml

   - name: Ensure that all SELinux packages are installed
     package:
       name: "{{ item }}"
       state: present
     with_items:
     - container-selinux
     - policycoreutils
     - libselinux-utils

   - name: Copy SELinux policy generated by the udica
     copy:
       src: "{{ archive }}"
       dest: /var/lib/udica/policy/

   - name: Extract SELinux policy templates on nodes
     unarchive:
       src: "{{ archive }}"
       dest: /var/lib/udica/policy/

   - name: Load SELinux policy templates
     when: ansible_selinux['status'] == "enabled"
     shell: semodule -i  {{ policy }}
     args:
       chdir: /var/lib/udica/policy/

   - name: Verify that SELinux policy generated by the udica is loaded
     when: ansible_selinux['status'] == "enabled"
     shell: semodule -lfull | grep "{{ final_policy }}"
     register: diff_cmd
     failed_when: diff_cmd.rc == "1"
     changed_when: false

 # cat variables-deploy-module.yml
 archive: mycon-policy.tar.gz
 policy: mycon.cil base_container.cil net_container.cil home_container.cil
 final_policy: mycon.cil
2019-06-12 13:25:37 +02:00