Streamline configuring SELinux (#504)

nginxinc · Apr 4, 2022 · 2b1aeba · 2b1aeba
1 parent e0efc7a
commit 2b1aeba
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 33 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,8 @@ FEATURES:
 
 ENHANCEMENTS:
 
-Bump the Ansible `community.general` collection to `4.6.1` and `community.docker` collection to `2.2.1`.
+* Bump the Ansible `community.general` collection to `4.6.1` and `community.docker` collection to `2.2.1`.
+* Streamline configuring SELinux.
 
 BUG FIXES:
 

diff --git a/defaults/main/selinux.yml b/defaults/main/selinux.yml
@@ -3,8 +3,8 @@
 nginx_selinux: false
 
 # Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
-
 nginx_selinux_enforcing: true
+
 # List of TCP ports to add to http_port_t type (80 and 443 have this type already)
 # nginx_selinux_tcp_ports:
 #   - 80
@@ -14,5 +14,6 @@ nginx_selinux_enforcing: true
 # nginx_selinux_udp_ports:
 #   - 80
 #   - 443
+
 # Temporary directory to hold selinux modules
 nginx_selinux_tempdir: /tmp
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -22,10 +22,6 @@
         nginx_version: "{{ version }}"
         nginx_service_modify: true
         nginx_service_timeout: 95
-        nginx_selinux: true
-        nginx_selinux_tcp_ports:
-          - 80
-          - 443
         nginx_logrotate_conf_enable: true
         nginx_logrotate_conf:
           paths:

diff --git a/tasks/prerequisites/setup-selinux.yml b/tasks/prerequisites/setup-selinux.yml
@@ -1,38 +1,25 @@
 ---
 - name: (CentOS/RHEL) Install dependencies
-  block:
-    - name: (CentOS/RHEL 7) Install dependencies
-      ansible.builtin.yum:
-        name:
-          - policycoreutils-python
-          - setools
-      when: ansible_facts['distribution_major_version'] is version('8', '!=')
-
-    - name: (RHEL 8) Install dependencies
-      ansible.builtin.yum:
-        name:
-          - libselinux-utils
-          - policycoreutils
-          - selinux-policy-targeted
-      when: ansible_facts['distribution_major_version'] is version('8', '==')
+  ansible.builtin.yum:
+    name:
+      - libselinux-utils
+      - policycoreutils
+      - selinux-policy-targeted
   when: ansible_facts['os_family'] == "RedHat"
 
 - name: Set SELinux mode to permissive
-  ansible.builtin.selinux:
+  ansible.posix.selinux:
     state: permissive
     policy: targeted
 
 - name: Allow SELinux HTTP network connections
-  ansible.builtin.seboolean:
-    name: httpd_can_network_connect
-    state: true
-    persistent: true
-
-- name: Allow SELinux HTTP network connections
-  ansible.builtin.seboolean:
-    name: httpd_can_network_relay
+  ansible.posix.seboolean:
+    name: "{{ item }}"
     state: true
     persistent: true
+  loop:
+    - httpd_can_network_connect
+    - httpd_can_network_relay
 
 - name: Allow SELinux TCP connections on specific ports
   community.general.seport:
@@ -75,7 +62,7 @@
   when: nginx_selinux_module.changed | bool
 
 - name: Set SELinux mode to enforcing
-  ansible.builtin.selinux:
+  ansible.posix.selinux:
     state: enforcing
     policy: targeted
   when: nginx_selinux_enforcing | bool
diff --git a/templates/selinux/nginx-plus-module.te.j2 b/templates/selinux/nginx-plus-module.te.j2
@@ -13,8 +13,6 @@ require {
 
 #============= httpd_t ==============
 allow httpd_t http_cache_port_t:tcp_socket name_connect;
-
 allow httpd_t initrc_t:unix_stream_socket connectto;
-
 allow httpd_t usr_t:file { create write };
 allow httpd_t usr_t:sock_file write;