
Selinux playbook #19

Closed
wants to merge 2 commits into from

Conversation

sbesson
Member

@sbesson sbesson commented Oct 9, 2018

Fixes #15

Rather than forcing the command discussed in the issue in consumer playbook, this PR adds a new playbook to be executed in the case of SELinux-hardened systems.

The logic for detecting SELinux enforcement was copied from openmicroscopy.selinux_utils and might be dropped with the same caveats.

Proposing this as a bugfix i.e. 2.0.2 although could equally be treated as 2.1.0. Arguably could be tested as part of the upgrade of Dundee production systems where SELinux is enabled.

@sbesson sbesson mentioned this pull request Oct 9, 2018
@kennethgillen
Member

Is the aim here to run this after a broken production playbook/upgrade?

Does it also need an audit2allow as I normally run to fix this, e.g. in the description of #15?

The full production playbook may need re-run if the playbook fails on a "start OMERO.web" step due to this issue, e.g. to configure custom redirects (pub-omero) or deploy the SSL directives.

@manics
Member

manics commented Oct 9, 2018

You don't need to copy the selinux role, it sets a variable you can test later: https://github.com/openmicroscopy/ansible-role-omero-web/blob/2.0.1/tasks/web-dependencies.yml#L24

Can you also check it doesn't break the CentOS7 vagrant molecule test, since last time I tried it this fix wasn't necessary?

@sbesson
Member Author

sbesson commented Oct 9, 2018

Re #19 (comment), my expectation is to get this role to work under all circumstances i.e. preventing the situation of broken upgrades.
Re audit2allow, I thought this was only used for generating an audit of the issue but the restorecon was sufficient.

I had not realized this role already depended on selinux-utils, I can certainly try and consume the variable and do some minimal testing on Vagrant.

@kennethgillen
Member

I was under the impression audit2allow created a set of rules that allowed the blocked access, but I'm no expert by any means. cf https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow

@manics
Member

manics commented Oct 9, 2018

#15 (comment)
has the commands for displaying the rules with audit2allow but not the commands for enabling those rules, is it just missing from the description?

@kennethgillen
Member

kennethgillen commented Oct 9, 2018

@manics - no, all I run is what's in that comment:

audit2why < /var/log/audit/audit.log
audit2allow < /var/log/audit/audit.log
restorecon -R -v /opt/omero/web/OMERO.web

Is audit2allow doing nothing, and restorecon is all that's necessary?
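For readers following the thread: the playbook approach sbesson and manics discuss (only relabel when SELinux is active) and the restorecon command kennethgillen runs can be combined into one conditional play. This is an added illustration, not the PR's own playbook; it assumes a host group named omero-web and uses the standard ansible_selinux fact rather than the variable from openmicroscopy.selinux_utils, whose name is not given on this page.

```yaml
# Added example (not the PR's code): relabel OMERO.web only on hosts where
# SELinux is enabled, and only if a dry run shows labels actually differ.
- hosts: omero-web          # assumed group name
  become: true
  vars:
    omero_web_dir: /opt/omero/web/OMERO.web   # path quoted in the thread
  tasks:
    - name: Report SELinux state from gathered facts
      debug:
        msg: >-
          SELinux status={{ ansible_selinux.status }}
          mode={{ ansible_selinux.mode | default('n/a') }}

    # restorecon -n changes nothing; with -v it prints each file whose
    # label would be reset, so empty output means nothing is mislabelled.
    - name: Dry-run restorecon to find mislabelled files
      command: restorecon -R -n -v {{ omero_web_dir }}
      register: restorecon_check
      changed_when: false
      when: ansible_selinux.status == 'enabled'

    # Only this task modifies the system; it runs solely when the dry run
    # reported something, so the play is idempotent on a correct host.
    - name: Relabel OMERO.web to match the file-context policy
      command: restorecon -R -v {{ omero_web_dir }}
      when:
        - ansible_selinux.status == 'enabled'
        - restorecon_check.stdout | length > 0
```

The dry-run output is worth keeping in the play log: it shows exactly which files the upgrade left with the wrong context, which is the evidence audit2why/audit2allow summarise from the AVC denials.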

@snoopycrimecop
Member

Conflicting PR. Removed from build ANSIBLE-merge#466. See the console output for more details.
Possible conflicts:

--conflicts

@kennethgillen
Member

@manics - are you sure audit2allow is not doing anything?

#19 (comment) are the three commands I run each time to fix this.

@snoopycrimecop
Member

Conflicting PR. Removed from build ANSIBLE-merge#498. See the console output for more details.
Possible conflicts:

--conflicts

@sbesson
Member Author

sbesson commented Jul 19, 2019

Now superseded by #21

@sbesson sbesson closed this Jul 19, 2019
@sbesson sbesson deleted the selinux branch February 7, 2021 07:34
Successfully merging this pull request may close these issues.

SELINUX, labels