containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

Deploy udica policies, using ansible #23

Closed wrabcak closed 5 years ago

wrabcak commented 5 years ago

Deploy udica policies, using ansible

This feature adds a parameter to udica, which generates an ansible playbook for deploying SELinux policies and loading them on the system.

To also generate an ansible playbook, the '--ansible' or '-d' parameter can be used. Then, an inventory file with ansible managed nodes needs to be provided to the ansible play.

Example:

# podman inspect -l | udica mycon --ansible
...
...
...

# ls
mycon-policy.tar.gz deploy-module.yml variables-deploy-module.yml

# cat deploy-module.yml
---
- hosts: all
  tasks:
   - name: Include variables from generated file
     include_vars:
        file: variables-deploy-module.yml

   - name: Ensure that all SELinux packages are installed
     package:
       name: "{{ item }}"
       state: present
     with_items:
     - container-selinux
     - policycoreutils
     - libselinux-utils

   - name: Copy SELinux policy generated by the udica
     copy:
       src: "{{ archive }}"
       dest: /var/lib/udica/policy/

   - name: Extract SELinux policy templates on nodes
     unarchive:
       src: "{{ archive }}"
       dest: /var/lib/udica/policy/

   - name: Load SELinux policy templates
     when: ansible_selinux['status'] == "enabled"
     shell: semodule -i {{ policy }}
     args:
       chdir: /var/lib/udica/policy/

   - name: Verify that SELinux policy generated by the udica is loaded
     when: ansible_selinux['status'] == "enabled"
     shell: semodule -lfull | grep "{{ final_policy }}"
     register: diff_cmd
     # rc is an integer; comparing it to the string "1" never matched, so a
     # missing module was silently reported as success
     failed_when: diff_cmd.rc != 0
     changed_when: false

# cat variables-deploy-module.yml
archive: mycon-policy.tar.gz
policy: mycon.cil base_container.cil net_container.cil home_container.cil
final_policy: mycon.cil
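The last playbook task verifies the deployment by grepping `semodule -lfull`. As an added example (not udica's own code, and not part of this pull request), the script below does that verification step in Python: it reads the flat `variables-deploy-module.yml` file udica writes, derives the module names from the `policy` list, and checks them against a `semodule -lfull` listing. It assumes the listing's three-column layout (priority, module name, language) and the variables file shown above; the sample listing is constructed, with `home_container` deliberately left out so the check has something to report. Note that `semodule` lists modules by name without the `.cil` extension, which is the detail a naive grep for the file name can trip over.

```python
"""Check that the SELinux modules named in a udica-generated variables file
are actually loaded, by parsing `semodule -lfull` output.

Added example, not udica's own code. Column layout assumed:
    <priority> <module name> <language>
Verify against your own system's `semodule -lfull` output.
"""
import subprocess

# Constructed: the variables file udica wrote for the 'mycon' container.
VARIABLES_YML = """\
archive: mycon-policy.tar.gz
policy: mycon.cil base_container.cil net_container.cil home_container.cil
final_policy: mycon.cil
"""

# Constructed sample of `semodule -lfull`; 'home_container' is deliberately missing.
SAMPLE_LISTING = """\
100 abrt                 pp
100 container            pp
400 base_container       cil
400 mycon                cil
400 net_container        cil
"""


def parse_variables(text):
    """Parse the flat 'key: value' file udica generates (no YAML library needed)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip()
    return out


def module_names(policy_value):
    """'mycon.cil base_container.cil' -> ['mycon', 'base_container'].

    semodule lists modules by name, without the .cil/.pp file extension,
    so the names must be stripped before they are looked up in the listing.
    """
    names = []
    for token in policy_value.split():
        if token.endswith((".cil", ".pp")):
            token = token.rsplit(".", 1)[0]
        names.append(token)
    return names


def parse_semodule_listing(text):
    """Return {module_name: (priority, language)} from `semodule -lfull` output."""
    loaded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # ignore anything that is not a priority/name/language row
        prio, name, lang = int(parts[0]), parts[1], parts[2]
        # a module can exist at several priorities; keep the highest one
        if name not in loaded or prio > loaded[name][0]:
            loaded[name] = (prio, lang)
    return loaded


def missing_modules(variables_text, listing_text):
    """Module names from the variables file that are absent from the listing."""
    wanted = module_names(parse_variables(variables_text)["policy"])
    loaded = parse_semodule_listing(listing_text)
    return [name for name in wanted if name not in loaded]


def check_live_system(variables_text):
    """Run the real `semodule -lfull` (requires root on an SELinux-enabled host)."""
    result = subprocess.run(["semodule", "-lfull"], capture_output=True,
                            text=True, check=True)
    return missing_modules(variables_text, result.stdout)


if __name__ == "__main__":
    print("missing modules:", missing_modules(VARIABLES_YML, SAMPLE_LISTING))
```

Run as-is, it reports `['home_container']` from the constructed listing; `check_live_system(open("variables-deploy-module.yml").read())` does the same against a real host, returning an empty list when every module from the archive is loaded.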