diff --git a/README.md b/README.md index 014e761..00ef27e 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Default `[]` - it can take list of files that will be marked as trusted. ``` --- -- name: Example template role invocation +- name: Example fapolicyd role invocation hosts: all vars: fapolicyd_setup_enable_service: true diff --git a/contributing.md b/contributing.md index bff4b01..2b61630 100644 --- a/contributing.md +++ b/contributing.md @@ -1,4 +1,4 @@ -Contributing to the template Linux System Role +Contributing to the fapolicyd Linux System Role ============================================== Where to start @@ -14,11 +14,11 @@ This has all of the common information that all role developers need: * How to create git commits and submit pull requests **Bugs and needed implementations** are listed on -[Github Issues](https://github.com/linux-system-roles/template/issues). +[Github Issues](https://github.com/linux-system-roles/fapolicyd/issues). Issues labeled with -[**help wanted**](https://github.com/linux-system-roles/template/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) +[**help wanted**](https://github.com/linux-system-roles/fapolicyd/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) are likely to be suitable for new contributors! -**Code** is managed on [Github](https://github.com/linux-system-roles/template), using +**Code** is managed on [Github](https://github.com/linux-system-roles/fapolicyd), using [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests). diff --git a/defaults/main.yml b/defaults/main.yml index 1c911bd..b6813a9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,15 +7,17 @@ fapolicyd_setup_enable_service: false # trust list for fapolicyd configuration file -fapolicyd_setup_trust: "" +# default "rpmdb,file" +fapolicyd_setup_trust: null # set integrity -# can be none, size, sha256, ima +# default "none" +# can be "none", "size", "sha256", "ima" # in case of ima, kernel's IMA has to be setup correctly -fapolicyd_setup_integrity: "" +fapolicyd_setup_integrity: null # set permissive mode fapolicyd_setup_permissive: false # fapolicyd trust file managament -fapolicyd_add_trusted_file: "" +fapolicyd_add_trusted_file: null diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..ebcb0d1 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: MIT +--- +galaxy_info: + author: Radovan Sroka + description: Fapolicyd system role + company: Red Hat Inc. + license: MIT + + min_ansible_version: "2.9" + platforms: + - name: Fedora + versions: + - all + - name: EL + versions: + - "8" + - "9" + + galaxy_tags: [] + +dependencies: [] diff --git a/tasks/enable.yml b/tasks/enable.yml index 80cb191..eaaf2fc 100644 --- a/tasks/enable.yml +++ b/tasks/enable.yml @@ -1,19 +1,23 @@ --- - name: Check trust compatibility fail: - msg: Fapolicyd does not support trust setting fapolicyd_setup_trust + msg: >- + Fapolicyd does not support trust setting fapolicyd_setup_trust + on EL version < 8.3 ignore_errors: true when: - - fapolicyd_setup_trust | length > 0 + - fapolicyd_setup_trust is not none - ansible_facts.distribution_version is version("8.2", "<=") register: __failed_check_trust - name: Check integrity compatibility fail: - msg: Fapolicyd does not support integrity setting fapolicyd_setup_integrity + msg: >- + Fapolicyd does not support integrity setting fapolicyd_setup_integrity + on EL version < 8.4 ignore_errors: true when: - - fapolicyd_setup_integrity | length > 0 + - fapolicyd_setup_integrity is not none - ansible_facts.distribution_version is version("8.3", "<=") register: __failed_check_integrity @@ -21,29 +25,29 @@ fail: msg: >- Fapolicyd does not support trust files setting fapolicyd_add_trusted_file + on EL version < 8.4 ignore_errors: true when: - - fapolicyd_add_trusted_file | length > 0 + - fapolicyd_add_trusted_file is not none - ansible_facts.distribution_version is version("8.3", "<=") register: __failed_check_trusted_file - name: Check failed conditions fail: msg: Multiple failed conditions - # failed_when: true when: __failed_check_trust is failed or __failed_check_integrity is failed or __failed_check_trusted_file is failed - name: Install fapolicyd packages package: name: - - fapolicyd + - "{{ __fapolicyd_packages }}" state: present - name: Install fapolicyd-selinux packages package: name: - - fapolicyd-selinux + - "{{ __fapolicyd_selinux_packages }}" state: present when: ansible_facts.distribution_version is version("8.3", ">=") @@ -63,7 +67,7 @@ - name: Trustdb cleanup command: fapolicyd-cli --file delete / - when: fapolicyd_add_trusted_file | length > 0 + when: fapolicyd_add_trusted_file is not none changed_when: true failed_when: false @@ -71,12 +75,12 @@ command: fapolicyd-cli --file add {{ item | quote }} loop: "{{ (fapolicyd_add_trusted_file is string) | ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}" - when: fapolicyd_add_trusted_file | length > 0 + when: fapolicyd_add_trusted_file is not none changed_when: true - name: Start fapolicyd service service: - name: fapolicyd + name: "{{ __fapolicyd_services }}" state: restarted enabled: true ignore_errors: true @@ -84,21 +88,21 @@ - name: Check fapolicyd logs command: journalctl -n5 -u {{ __fapolicyd_services }} - register: __results + register: __fapolicyd_results changed_when: false when: __fapolicyd_restart is failed - name: Making sure fapolicyd does not run if it was set so service: - name: fapolicyd + name: "{{ __fapolicyd_services }}" state: stopped enabled: false when: not fapolicyd_setup_enable_service - name: Print fapolicyd logs debug: - msg: "{{ __results.stdout_lines }}" + msg: "{{ __fapolicyd_results.stdout_lines }}" failed_when: true when: - __fapolicyd_restart is failed - - __results.stdout_lines + - __fapolicyd_results.stdout_lines diff --git a/templates/fapolicyd.conf.j2 b/templates/fapolicyd.conf.j2 index a63b7d8..368ac85 100644 --- a/templates/fapolicyd.conf.j2 +++ b/templates/fapolicyd.conf.j2 @@ -1,4 +1,4 @@ -{ ansible_managed | comment }} +{{ ansible_managed | comment }} {{ "system_role:fapolicyd" | comment(prefix="", postfix="") }} # # This file controls the configuration of the file access policy daemon. @@ -19,18 +19,18 @@ obj_cache_size = 8191 watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs {% endif %} -{% if fapolicyd_setup_trust | length > 0 +{% if fapolicyd_setup_trust is not none or ansible_facts.distribution_version is version("8.3", ">=") %} -trust = {{ (fapolicyd_setup_trust | length > 0) | ternary(fapolicyd_setup_trust, "rpmdb,file") }} +trust = {{ (fapolicyd_setup_trust is not none) | ternary(fapolicyd_setup_trust, "rpmdb,file") }} {% endif %} {% if ansible_facts.distribution_version is version("8.3", ">=") %} syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust {% endif %} -{% if fapolicyd_setup_integrity | length > 0 +{% if fapolicyd_setup_integrity is not none or ansible_facts.distribution_version is version("8.4", ">=") %} -integrity = {{ (fapolicyd_setup_integrity | length > 0) | ternary(fapolicyd_setup_integrity, "none") }} +integrity = {{ (fapolicyd_setup_integrity is not none) | ternary(fapolicyd_setup_integrity, "none") }} {% endif %} #rpm_sha256_only = 0 diff --git a/vars/main.yml b/vars/main.yml index 3b45d4d..16bf6b6 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -10,8 +10,8 @@ __fapolicyd_services: fapolicyd.service __fapolicyd_dir: /etc/fapolicyd __fapolicyd_conf: fapolicyd.conf -__fapolicyd_packages: [fapolicyd] -__fapolicyd_selinux_packages: [fapolicyd-selinux] +__fapolicyd_packages: fapolicyd +__fapolicyd_selinux_packages: fapolicyd-selinux # ansible_facts required by the role __template_required_facts: