From 2d79485c93b3e74c0f2f0f4b3ec72233a41e7aba Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 14 Nov 2023 20:22:28 +0100 Subject: [PATCH] Merge tasks/enable.yml into main.yml Signed-off-by: Radovan Sroka --- tasks/enable.yml | 110 ------------------------------------------- tasks/main.yml | 120 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 117 insertions(+), 113 deletions(-) delete mode 100644 tasks/enable.yml diff --git a/tasks/enable.yml b/tasks/enable.yml deleted file mode 100644 index 01dd9bc..0000000 --- a/tasks/enable.yml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -- name: Check trust compatibility - fail: - msg: >- - Fapolicyd does not support trust setting fapolicyd_setup_trust - on EL version < 8.3 - ignore_errors: true - when: - - fapolicyd_setup_trust | length > 0 - - ansible_facts.distribution_version is version("8.2", "<=") - register: __failed_check_trust - -- name: Check integrity compatibility - fail: - msg: >- - Fapolicyd does not support integrity setting fapolicyd_setup_integrity - on EL version < 8.4 - ignore_errors: true - when: - - fapolicyd_setup_integrity | length > 0 - - ansible_facts.distribution_version is version("8.3", "<=") - register: __failed_check_integrity - -- name: Check trust files compatibility - fail: - msg: >- - Fapolicyd does not support trust files setting fapolicyd_add_trusted_file - on EL version < 8.4 - ignore_errors: true - when: - - fapolicyd_add_trusted_file | length > 0 - - ansible_facts.distribution_version is version("8.3", "<=") - register: __failed_check_trusted_file - -- name: Check failed conditions - fail: - msg: Multiple failed conditions - when: __failed_check_trust is failed or __failed_check_integrity is failed or - __failed_check_trusted_file is failed - -- name: Install fapolicyd packages - package: - name: - - "{{ __fapolicyd_packages }}" - state: present - -- name: Install fapolicyd-selinux packages - package: - name: - - "{{ __fapolicyd_selinux_packages }}" - state: present - when: ansible_facts.distribution_version is version("8.3", ">=") - -- name: Copy fapolicyd configuration file - template: - src: "{{ __fapolicyd_conf }}.j2" - dest: "{{ __fapolicyd_dir }}/{{ __fapolicyd_conf }}" - owner: root - group: fapolicyd - mode: '0644' - -- name: Run fapolicyd configuration check - command: fapolicyd-cli --check-config - check_mode: false - changed_when: false - when: ansible_facts.distribution_version is version("8.6", ">=") - -- name: Trustdb cleanup - command: fapolicyd-cli --file delete / - when: ansible_facts.distribution_version is 
version("8.3", ">=") - changed_when: true - failed_when: false - -- name: Add file to trustdb - command: fapolicyd-cli --file add {{ item | quote }} - loop: "{{ (fapolicyd_add_trusted_file is string) | - ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}" - when: - - fapolicyd_add_trusted_file | length > 0 - - ansible_facts.distribution_version is version("8.3", ">=") - changed_when: true - -- name: Start fapolicyd service - service: - name: "{{ __fapolicyd_services }}" - state: restarted - enabled: true - ignore_errors: true - register: __fapolicyd_restart - -- name: Check fapolicyd logs - command: journalctl -n5 -u "{{ __fapolicyd_services }}" - register: __fapolicyd_results - changed_when: false - when: __fapolicyd_restart is failed - -- name: Making sure fapolicyd does not run if it was set so - service: - name: "{{ __fapolicyd_services }}" - state: stopped - enabled: false - when: not fapolicyd_setup_enable_service - -- name: Print fapolicyd logs - debug: - msg: "{{ __fapolicyd_results.stdout_lines }}" - failed_when: true - when: - - __fapolicyd_restart is failed - - __fapolicyd_results.stdout_lines is defined diff --git a/tasks/main.yml b/tasks/main.yml index 65f6034..9b1779d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -7,7 +7,121 @@ - distribution_major_version when: ansible_facts.distribution_major_version is not defined -- name: Enable fapolicyd - include_tasks: enable.yml +- name: System check + fail: + msg: >- + Only Red Hat Enterprise Linux >= 8.1 is supported; + System: {{ ansible_facts.os_family }} + Version: {{ ansible_facts.distribution_version }} + when: (ansible_facts.os_family != "RedHat") or + (ansible_facts.distribution_version is version("8.1", "<")) + +- name: Check trust compatibility + fail: + msg: >- + Fapolicyd does not support trust setting fapolicyd_setup_trust + on EL version < 8.3 + ignore_errors: true + when: + - fapolicyd_setup_trust | length > 0 + - ansible_facts.distribution_version is version("8.2", "<=") + register: __failed_check_trust + +- name: Check integrity compatibility + fail: + msg: >- + Fapolicyd does not support integrity setting fapolicyd_setup_integrity + on EL version < 8.4 + ignore_errors: true + when: + - fapolicyd_setup_integrity | length > 0 + - ansible_facts.distribution_version is version("8.3", "<=") + register: __failed_check_integrity + +- name: Check trust files compatibility + fail: + msg: >- + Fapolicyd does not support trust files setting fapolicyd_add_trusted_file + on EL version < 8.4 + ignore_errors: true + when: + - fapolicyd_add_trusted_file | length > 0 + - ansible_facts.distribution_version is version("8.3", "<=") + register: __failed_check_trusted_file + +- name: Check failed conditions + fail: + msg: Multiple failed conditions + when: __failed_check_trust is failed or __failed_check_integrity is failed or + __failed_check_trusted_file is failed + +- name: Install fapolicyd packages + package: + name: + - "{{ __fapolicyd_packages }}" + state: present + +- name: Install fapolicyd-selinux packages + package: + name: + - "{{ __fapolicyd_selinux_packages }}" + state: present + when: ansible_facts.distribution_version is version("8.3", ">=") + +- name: Copy fapolicyd configuration file + template: + src: "{{ 
__fapolicyd_conf }}.j2" + dest: "{{ __fapolicyd_dir }}/{{ __fapolicyd_conf }}" + owner: root + group: fapolicyd + mode: '0644' + +- name: Run fapolicyd configuration check + command: fapolicyd-cli --check-config + check_mode: false + changed_when: false + when: ansible_facts.distribution_version is version("8.6", ">=") + +- name: Trustdb cleanup + command: fapolicyd-cli --file delete / + when: ansible_facts.distribution_version is version("8.3", ">=") + changed_when: true + failed_when: false + +- name: Add file to trustdb + command: fapolicyd-cli --file add {{ item | quote }} + loop: "{{ (fapolicyd_add_trusted_file is string) | + ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}" + when: + - fapolicyd_add_trusted_file | length > 0 + - ansible_facts.distribution_version is version("8.3", ">=") + changed_when: true + +- name: Start fapolicyd service + service: + name: "{{ __fapolicyd_services }}" + state: restarted + enabled: true + ignore_errors: true + register: __fapolicyd_restart + +- name: Check fapolicyd logs + command: journalctl -n5 -u "{{ __fapolicyd_services }}" + register: __fapolicyd_results + changed_when: false + when: __fapolicyd_restart is failed + +- name: Making sure fapolicyd does not run if it was set so + service: + name: "{{ __fapolicyd_services }}" + state: stopped + enabled: false + when: not fapolicyd_setup_enable_service + +- name: Print fapolicyd logs + debug: + msg: "{{ __fapolicyd_results.stdout_lines }}" + failed_when: true when: - - ansible_facts.distribution_version is version("8.1", ">=") + - __fapolicyd_restart is failed + - __fapolicyd_results.stdout_lines is defined
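Review bot: The "Start fapolicyd service" task restarts and enables the daemon unconditionally, and only two tasks later, when `fapolicyd_setup_enable_service` is false, "Making sure fapolicyd does not run if it was set so" stops and disables it again, so a run that asked for the service to stay off still brings fapolicyd up with the freshly written config and trust database for a moment and reports the enable/disable pair as changes on every run. Folding the flag into the one task avoids that: `state: "{{ fapolicyd_setup_enable_service | ternary('restarted', 'stopped') }}"` and `enabled: "{{ fapolicyd_setup_enable_service }}"`, leaving the journalctl tasks as they are. Separately, `state: restarted` fires even when the template and trustdb tasks changed nothing, which presumably interrupts fapolicyd's enforcement for the length of the restart on every run; registering those tasks and restarting only when one of them is `changed` (or notifying a handler) would keep the daemon in place otherwise. The `failed_when: false` on "Trustdb cleanup" also hides a failing `fapolicyd-cli --file delete /`, after which the trust database may still hold entries the play then assumes are gone.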