Other enhancements
Signed-off-by: Radovan Sroka <[email protected]>
radosroka committed Nov 8, 2023
1 parent b1e2b9c commit dedf57d
Showing 6 changed files with 56 additions and 29 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -39,7 +39,7 @@ Default `[]` - it can take list of files that will be marked as trusted.

```
---
- name: Example template role invocation
- name: Example fapolicyd role invocation
hosts: all
vars:
fapolicyd_setup_enable_service: true
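Review bot: the rename to "Example fapolicyd role invocation" is the right fix for the leftover template text; one nit while here: the fenced block holding this example opens with a bare ``` fence, and tagging it ```yaml gives readers syntax highlighting and tells markdown linters what the block contains.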
8 changes: 4 additions & 4 deletions contributing.md
@@ -1,4 +1,4 @@
Contributing to the template Linux System Role
Contributing to the fapolicyd Linux System Role
==============================================

Where to start
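Review bot: the new title "Contributing to the fapolicyd Linux System Role" appears to be one character longer than the `====` underline kept from the old title; setext headings render fine regardless, but extend the underline by one `=` if the repository's markdownlint configuration enforces matching lengths.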
@@ -14,11 +14,11 @@ This has all of the common information that all role developers need:
* How to create git commits and submit pull requests

**Bugs and needed implementations** are listed on
[Github Issues](https://github.com/linux-system-roles/template/issues).
[Github Issues](https://github.com/linux-system-roles/fapolicyd/issues).
Issues labeled with
[**help wanted**](https://github.com/linux-system-roles/template/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
[**help wanted**](https://github.com/linux-system-roles/fapolicyd/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
are likely to be suitable for new contributors!

**Code** is managed on [Github](https://github.com/linux-system-roles/template), using
**Code** is managed on [Github](https://github.com/linux-system-roles/fapolicyd), using
[Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).

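Review bot: all three URLs are switched from the template repository to linux-system-roles/fapolicyd consistently; since these lines are being touched anyway, "Github" could be corrected to "GitHub" in the issue and code links to match the product name.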
10 changes: 6 additions & 4 deletions defaults/main.yml
@@ -7,15 +7,17 @@
fapolicyd_setup_enable_service: false

# trust list for fapolicyd configuration file
fapolicyd_setup_trust: ""
# default "rpmdb,file"
fapolicyd_setup_trust: null

# set integrity
# can be none, size, sha256, ima
# default "none"
# can be "none", "size", "sha256", "ima"
# in case of ima, kernel's IMA has to be setup correctly
fapolicyd_setup_integrity: ""
fapolicyd_setup_integrity: null

# set permissive mode
fapolicyd_setup_permissive: false

# fapolicyd trust file managament
fapolicyd_add_trusted_file: ""
fapolicyd_add_trusted_file: null
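Review bot: changing the defaults from `""` to `null` redefines what "unset" means for every consumer of these variables, and the matching `is not none` guards elsewhere in this commit no longer reject an explicit empty string: a user who sets `fapolicyd_setup_trust: ""` or `fapolicyd_add_trusted_file: ""` now passes the checks, which would render an empty `trust =` line and run `fapolicyd-cli --file add ''`. Either state in these comments that `null` (not an empty string) means "use the daemon default", or make the guards tolerate both forms, e.g. `when: fapolicyd_add_trusted_file | default(none, true) is not none`. The comment `# default "rpmdb,file"` also only holds on EL >= 8.3 (the template guards on that version), which is worth saying here.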
21 changes: 21 additions & 0 deletions meta/main.yml
@@ -0,0 +1,21 @@
# SPDX-License-Identifier: MIT

ansible_lint annotation (meta/main.yml, line 1): schema[meta]: {'name': 'EL', 'versions': [8, 9]} is not valid under any of the given schemas
---
galaxy_info:
author: Radovan Sroka <[email protected]>
description: Fapolicyd system role
company: Red Hat Inc.
license: MIT

min_ansible_version: "2.9"
platforms:
- name: Fedora
versions:
- all
- name: EL
versions:
- 8
- 9

galaxy_tags: []

dependencies: []
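Review bot: the schema[meta] lint failure quoted above is about the EL platform entry, most likely because the galaxy meta schema expects platform versions as strings rather than the bare integers `8` and `9`; quoting them (`- "8"`, `- "9"`), as other linux-system-roles repositories do and as `min_ansible_version: "2.9"` already does in this file, should clear it. Re-run ansible-lint before merging so the new file lands green.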
34 changes: 19 additions & 15 deletions tasks/enable.yml
@@ -1,49 +1,53 @@
---
- name: Check trust compatibility
fail:
msg: Fapolicyd does not support trust setting fapolicyd_setup_trust
msg: >-
Fapolicyd does not support trust setting fapolicyd_setup_trust on EL
version < 8.3
ignore_errors: true
when:
- fapolicyd_setup_trust | length > 0
- fapolicyd_setup_trust is not none
- ansible_facts.distribution_version is version("8.2", "<=")
register: __failed_check_trust

- name: Check integrity compatibility
fail:
msg: Fapolicyd does not support integrity setting fapolicyd_setup_integrity
msg: >-
Fapolicyd does not support integrity setting fapolicyd_setup_integrity on EL

ansible_lint annotation (tasks/enable.yml, line 16): yaml[line-length]: Line too long (82 > 80 characters)
version < 8.4
ignore_errors: true
when:
- fapolicyd_setup_integrity | length > 0
- fapolicyd_setup_integrity is not none
- ansible_facts.distribution_version is version("8.3", "<=")
register: __failed_check_integrity

- name: Check trust files compatibility
fail:
msg: >-
Fapolicyd does not support trust files setting fapolicyd_add_trusted_file
Fapolicyd does not support trust files setting fapolicyd_add_trusted_file on EL

ansible_lint annotation (tasks/enable.yml, line 27): yaml[line-length]: Line too long (85 > 80 characters)
version < 8.4
ignore_errors: true
when:
- fapolicyd_add_trusted_file | length > 0
- fapolicyd_add_trusted_file is not none
- ansible_facts.distribution_version is version("8.3", "<=")
register: __failed_check_trusted_file

- name: Check failed conditions
fail:
msg: Multiple failed conditions
# failed_when: true
when: __failed_check_trust is failed or __failed_check_integrity is failed or
__failed_check_trusted_file is failed

- name: Install fapolicyd packages
package:
name:
- fapolicyd
- "{{ __fapolicyd_packages }}"
state: present

- name: Install fapolicyd-selinux packages
package:
name:
- fapolicyd-selinux
- "{{ __fapolicyd_selinux_packages }}"
state: present
when: ansible_facts.distribution_version is version("8.3", ">=")

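Review bot: the two `msg: >-` continuation lines for the integrity and trust-file checks are still 82 and 85 characters long (the yaml[line-length] failures quoted above); because `>-` folds the lines anyway, break them after `setting`, e.g. `Fapolicyd does not support integrity setting` followed by `fapolicyd_setup_integrity on EL version < 8.4`. Separately, the `name:` list in both package tasks embeds `"{{ __fapolicyd_packages }}"` (and `"{{ __fapolicyd_selinux_packages }}"`) as a single list element; if those variables are themselves lists, the package module receives a nested list, so prefer `name: "{{ ['fapolicyd'] + __fapolicyd_packages }}"` or move `fapolicyd` into the variable itself.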
@@ -63,34 +67,34 @@

- name: Trustdb cleanup
command: fapolicyd-cli --file delete /
when: fapolicyd_add_trusted_file | length > 0
when: fapolicyd_add_trusted_file is not none
changed_when: true
failed_when: false

- name: Add file to trustdb
command: fapolicyd-cli --file add {{ item | quote }}
loop: "{{ (fapolicyd_add_trusted_file is string) |
ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}"
when: fapolicyd_add_trusted_file | length > 0
when: fapolicyd_add_trusted_file is not none
changed_when: true

- name: Start fapolicyd service
service:
name: fapolicyd
name: "{{ __fapolicyd_services }}"
state: restarted
enabled: true
ignore_errors: true
register: __fapolicyd_restart

- name: Check fapolicyd logs
command: journalctl -n5 -u {{ __fapolicyd_services }}
register: __results
register: __fapolicyd_results
changed_when: false
when: __fapolicyd_restart is failed

- name: Making sure fapolicyd does not run if it was set so
service:
name: fapolicyd
name: "{{ __fapolicyd_services }}"
state: stopped
enabled: false
when: not fapolicyd_setup_enable_service
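Review bot: `journalctl -n5 -u {{ __fapolicyd_services }}` assumes a single unit name, but the two `service:` tasks now template `name:` from the same variable, which in these roles is normally a list; a list renders as `['fapolicyd']` on the command line and journalctl fails. Use `{{ __fapolicyd_services | first }}` or emit one `-u` per entry. Also worth stating in the README: "Trustdb cleanup" runs `fapolicyd-cli --file delete /` whenever `fapolicyd_add_trusted_file is not none`, i.e. the whole file trust database is cleared before the listed files are re-added; the behaviour predates this commit, but the new `is not none` guard changes when it triggers (see the defaults note).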
@@ -101,4 +105,4 @@
failed_when: true
when:
- __fapolicyd_restart is failed
- __results.stdout_lines
- __fapolicyd_results.stdout_lines
10 changes: 5 additions & 5 deletions templates/fapolicyd.conf.j2
@@ -1,4 +1,4 @@
{ ansible_managed | comment }}
{{ ansible_managed | comment }}
{{ "system_role:fapolicyd" | comment(prefix="", postfix="") }}
#
# This file controls the configuration of the file access policy daemon.
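Review bot: the first line change fixes a real bug rather than an enhancement: with the opening brace missing, `{ ansible_managed | comment }}` is plain text to Jinja and would have appeared verbatim at the top of the rendered fapolicyd.conf instead of the managed-file banner. That deserves an explicit sentence in the commit message, which currently only says "Other enhancements", so anyone who rendered the template from the earlier revision knows to regenerate it.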
@@ -19,18 +19,18 @@ obj_cache_size = 8191
watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs
{% endif %}

{% if fapolicyd_setup_trust | length > 0
{% if fapolicyd_setup_trust is not none
or ansible_facts.distribution_version is version("8.3", ">=") %}
trust = {{ (fapolicyd_setup_trust | length > 0) | ternary(fapolicyd_setup_trust, "rpmdb,file") }}
trust = {{ (fapolicyd_setup_trust is not none) | ternary(fapolicyd_setup_trust, "rpmdb,file") }}
{% endif %}

{% if ansible_facts.distribution_version is version("8.3", ">=") %}
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
{% endif %}

{% if fapolicyd_setup_integrity | length > 0
{% if fapolicyd_setup_integrity is not none
or ansible_facts.distribution_version is version("8.4", ">=") %}
integrity = {{ (fapolicyd_setup_integrity | length > 0) | ternary(fapolicyd_setup_integrity, "none") }}
integrity = {{ (fapolicyd_setup_integrity is not none) | ternary(fapolicyd_setup_integrity, "none") }}
{% endif %}

#rpm_sha256_only = 0
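Review bot: `(fapolicyd_setup_trust is not none) | ternary(fapolicyd_setup_trust, "rpmdb,file")` still emits `trust = ` with no value when the variable is an empty string, a case the old `| length > 0` test excluded; `trust = {{ fapolicyd_setup_trust | default("rpmdb,file", true) }}` covers both `null` and `""` in one expression, and the same applies to `integrity = {{ fapolicyd_setup_integrity | default("none", true) }}`. The surrounding `{% if ... is not none or ... %}` guards have the same gap and could use the same `| default(none, true)` treatment.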