ome / ansible-role-omero-web

Installs and configures OMERO.web and Nginx
BSD 2-Clause "Simplified" License

Selinux playbook #19

Closed sbesson closed 5 years ago

sbesson commented 6 years ago

Fixes #15

Rather than forcing the command discussed in the issue into the consumer playbook, this PR adds a new playbook to be executed in the case of SELinux-hardened systems.

The logic for detecting SELinux enforcement was copied from openmicroscopy.selinux_utils and might be dropped with the same caveats.

Proposing this as a bugfix i.e. 2.0.2 although could equally be treated as 2.1.0. Arguably could be tested as part of the upgrade of Dundee production systems where SELinux is enabled.

kennethgillen commented 6 years ago

Is the aim here to run this after a broken production playbook/upgrade?

Does it also need an audit2allow as I normally run to fix this, e.g. in the description of https://github.com/openmicroscopy/ansible-role-omero-web/issues/15

The full production playbook may need re-run if the playbook fails on a "start OMERO.web" step due to this issue, e.g. to configure custom redirects (pub-omero) or deploy the SSL directives.

manics commented 6 years ago

You don't need to copy the selinux role, it sets a variable you can test later: https://github.com/openmicroscopy/ansible-role-omero-web/blob/2.0.1/tasks/web-dependencies.yml#L24

Can you also check it doesn't break the CentOS7 vagrant molecule test, since last time I tried it this fix wasn't necessary?

sbesson commented 6 years ago

Re https://github.com/openmicroscopy/ansible-role-omero-web/pull/19#issuecomment-428168858, my expectation is to get this role to work under all circumstances, i.e. preventing the situation of broken upgrades. Re audit2allow, I thought this was only used for generating an audit of the issue but the restorecon was sufficient.

I had not realized this role already depended on selinux-utils, I can certainly try and consume the variable and do some minimal testing on Vagrant.

kennethgillen commented 6 years ago

I was under the impression audit2allow created a set of rules that allowed the blocked access, but I'm no expert by any means. cf https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

manics commented 6 years ago

https://github.com/openmicroscopy/ansible-role-omero-web/issues/15#issue-310505864 has the commands for displaying the rules with audit2allow but not the commands for enabling those rules, is it just missing from the description?

kennethgillen commented 6 years ago

@manics - no, all I run is what's in that comment:

```shell
# report why each logged access was denied
audit2why < /var/log/audit/audit.log
# print the allow rules that would cover the denied accesses
audit2allow < /var/log/audit/audit.log
# reapply the SELinux file contexts under the OMERO.web tree
restorecon -R -v /opt/omero/web/OMERO.web
```

Is audit2allow doing nothing, and restorecon is all that's necessary?

snoopycrimecop commented 6 years ago

Conflicting PR. Removed from build ANSIBLE-merge#466. See the console output for more details. Possible conflicts:

--conflicts

kennethgillen commented 6 years ago

@manics - are you sure audit2allow is not doing anything?

https://github.com/openmicroscopy/ansible-role-omero-web/pull/19#issuecomment-428226678 are the three commands I run each time to fix this.

manics commented 6 years ago

audit2allow generates a policy but doesn't apply it https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow
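To make the audit2allow-versus-restorecon distinction in this thread concrete, here is an added Python example (not code from this role, the thread or the SELinux tools) that parses AVC denial records of the kind `audit2why` and `audit2allow` read from `/var/log/audit/audit.log`, merges them into the `allow` rules `audit2allow` would print, and flags the ones whose target carries a generic file label, which `restorecon` fixes by relabelling with no new policy at all. The audit records are constructed for the example, and the generic-label heuristic is an assumption of the example, not behaviour of `audit2allow`.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the project or the thread). The first
# two are a mislabelled-file denial (nginx under httpd_t hitting usr_t beneath /opt),
# the third is a network denial that no relabelling can fix, the last is a SYSCALL
# record that the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1538729600.123:4321): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1538729600.124:4322): avc:  denied  { open } for  pid=1234 comm="nginx" path="/opt/omero/web/OMERO.web/static/index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1538729601.000:4323): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=4080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1538729601.000:4323): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """user:role:type[:range] -> type (the MLS range, e.g. s0-s0:c0.c1023, is ignored)."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """One dict per AVC denial record; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source_type": selinux_type(m.group("scontext")),
            "target_type": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def merge_denials(denials):
    """Union the denied permissions per (source type, target type, object class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return dict(sorted(merged.items()))


def format_rule(src, tgt, cls, perms):
    """Render a rule in the form audit2allow prints to stdout (it does not load it)."""
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))


def allow_rules(denials):
    return [format_rule(src, tgt, cls, perms)
            for (src, tgt, cls), perms in merge_denials(denials).items()]


# Heuristic assumed by this example: a confined daemon denied access to a file with a
# generic label is almost always a labelling problem, so `restorecon -R` (which reapplies
# the labels from the file_contexts database) is the first thing to try; an allow rule
# would only widen httpd_t's policy to cover the wrong label.
GENERIC_FILE_TYPES = {"usr_t", "default_t", "var_t", "unlabeled_t",
                      "admin_home_t", "user_home_t", "tmp_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}


def triage(denials):
    """Pair each merged rule with the action to try first: 'restorecon' or 'policy'."""
    out = []
    for (src, tgt, cls), perms in merge_denials(denials).items():
        action = "restorecon" if cls in FILE_CLASSES and tgt in GENERIC_FILE_TYPES else "policy"
        out.append((format_rule(src, tgt, cls, perms), action))
    return out


if __name__ == "__main__":
    for rule, action in triage(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
        if action == "restorecon":
            print("#  -> target looks mislabelled: restorecon -R -v <path> before adding policy")
        else:
            print("#  -> real policy gap: audit2allow -M omeroweb < audit.log; semodule -i omeroweb.pp")
```

Run against the sample, the file denials collapse into `allow httpd_t usr_t:file { open read };` and are triaged to `restorecon`, while the `name_connect` denial stays a policy question. The rules are what `audit2allow` writes to stdout; to actually load them one would run `audit2allow -M <module>` and `semodule -i <module>.pp`, which is the step missing from the three-command routine above and, for a mislabelled tree, the wrong step anyway.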

snoopycrimecop commented 6 years ago

Conflicting PR. Removed from build ANSIBLE-merge#498. See the console output for more details. Possible conflicts:

--conflicts

sbesson commented 5 years ago

Now superseded by #21