2f82dcd3f3
This feature adds a parameter to udica which generates an Ansible playbook for deploying SELinux policies and loading them on the target system. To also generate the Ansible playbook, the '--ansible' or '-d' parameter can be used. Then an inventory file listing the Ansible-managed nodes needs to be provided to the Ansible play. Example: # podman inspect -l | udica mycon --ansible ... ... ... # ls mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml # cat deploy-module.yml --- - hosts: all tasks: - name: Include variables from generated file include_vars: file: variables-deploy-module.yml - name: Ensure that all SELinux packages are installed package: name: "{{ item }}" state: present with_items: - container-selinux - policycoreutils - libselinux-utils - name: Copy SELinux policy generated by the udica copy: src: "{{ archive }}" dest: /var/lib/udica/policy/ - name: Extract SELinux policy templates on nodes unarchive: src: "{{ archive }}" dest: /var/lib/udica/policy/ - name: Load SELinux policy templates when: ansible_selinux['status'] == "enabled" shell: semodule -i {{ policy }} args: chdir: /var/lib/udica/policy/ - name: Verify that SELinux policy generated by the udica is loaded when: ansible_selinux['status'] == "enabled" shell: semodule -lfull | grep "{{ final_policy }}" register: diff_cmd failed_when: diff_cmd.rc == "1" changed_when: false # cat variables-deploy-module.yml archive: mycon-policy.tar.gz policy: mycon.cil base_container.cil net_container.cil home_container.cil final_policy: mycon.cil |