J. Alexander Jacocks
2020-03-13 5b66061e9224fef019f472ad1846068a25f2f146
Add SELinux policy writing workshop (#1329)

This adds Ansible playbooks that provide the files needed to run the
SELinux policy writing workshop.

Co-authored-by: Lukas Vrabec <lvrabec@redhat.com>
16 files added
1013 ■■■■■ changed files
ansible/configs/selinux-policy/README.md 42 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/destroy_env.yml 39 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/env_vars.yml 153 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2 428 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/files/hosts_template.j2 15 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/files/repos_template.j2 32 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/post_infra.yml 8 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/post_software.yml 19 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/pre_infra.yml 8 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/pre_software.yml 51 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/sample_vars.yml 39 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/software.yml 123 ●●●●● patch | view | raw | blame | history
ansible/roles/selinux-policy/README.adoc 2 ●●●●● patch | view | raw | blame | history
ansible/roles/selinux-policy/defaults/main.yml 1 ●●●● patch | view | raw | blame | history
ansible/roles/selinux-policy/handlers/main.yml 1 ●●●● patch | view | raw | blame | history
ansible/roles/selinux-policy/tasks/main.yml 52 ●●●●● patch | view | raw | blame | history
ansible/configs/selinux-policy/README.md
New file
@@ -0,0 +1,42 @@
# Simple example
A simple deplyoment creating a bastion host and two worker nodes. It can't get simpler ...
### Environment variables
Deployment is controlled by two configuration files:
* env_vars.yml
* sample_vars.yml
`env_vars.yml` defines all configuration parameters that COULD be modified, whereas `sample_vars.yml` is a *template* for all environment specific values that HAVE to be changed.
Start by creating a copy of `sample_vars.yml` and rename it (e.g. `my_sample_vars.yml`). Then modifiy all parameters to match your environment.
#### Secrets
Some deployments need **secrets** e.g. your AWS credentials or API tokens.
DO NOT add these to git !
Instead create a file called e.g. `./ansible/my_secret_vars.yml` and store all secrets etc. there. This file can also be reused for other deplyoments.
NOTE:
Both `my_sample_vars.yml` `my_secret.vars.yml` are in the `.gitignore` configuration which SHOULD protect you from adding them to git!
### Run the Ansible playbooks
Run follwoing commands from the `./ansible` folder:
#### Install
```shell
ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
```
#### Uninstall
```shell
ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
```
ansible/configs/selinux-policy/destroy_env.yml
New file
@@ -0,0 +1,39 @@
---
- name: Build inventory
  hosts: localhost
  connection: local
  gather_facts: False
  become: no
  tasks:
    - when: cloud_provider == 'ec2'
      block:
      - name: Run infra-ec2-create-inventory Role
        include_role:
          name: infra-ec2-create-inventory
      - name: Run Common SSH Config Generator Role
        include_role:
          name: infra-common-ssh-config-generate
        when: "'bastions' in groups"
- name: Set ssh config
  hosts: all
  gather_facts: false
  become: no
  tasks:
    - name: Set facts for remote access
      set_fact:
        ansible_ssh_extra_args: >-
          {{ ansible_ssh_extra_args|d() }}
          -F {{hostvars.localhost.output_dir}}/{{ env_type }}_{{ guid }}_ssh_conf
- name: Unsubscribe systems
  hosts: all
  become: true
  gather_facts: false
  ignore_errors: true
  tasks:
    - shell: "subscription-manager unsubscribe --all"
- name: Import default destroy playbook
  import_playbook: ../../cloud_providers/{{cloud_provider}}_destroy_env.yml
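Review bot: The unsubscribe task `- shell: "subscription-manager unsubscribe --all"` runs a fixed command with no shell features, so `command:` is the safer module (no shell interpretation), and `unsubscribe` is the deprecated spelling; `- name: Remove all subscriptions` / `command: subscription-manager remove --all` is what I would write, if the RHEL 7 image in use accepts `remove`. Since the hosts are about to be destroyed, `subscription-manager unregister` would additionally drop the consumer record from the account instead of only detaching entitlements, which is usually what a teardown wants. The play-level `ignore_errors: true` hides a failed detach entirely; scoping it to the task with a `failed_when` that still surfaces the message would at least report the leaked entitlement before the stack is torn down.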
ansible/configs/selinux-policy/env_vars.yml
New file
@@ -0,0 +1,153 @@
bastion_instance_type:
  ec2: "t2.medium"
  azure: Standard_A2_V2
bastion_instance_image: RHEL75
node_instance_type:
  ec2: "t2.medium"
  azure: Standard_A2_V2
node_instance_image: RHEL75
# How many do you want for each instance type
node_instance_count: 0
# Environment Instances
instances:
  - name: "bastion"
    count: 1
    unique: true
    public_dns: true
    dns_loadbalancer: false
    image: "{{ bastion_instance_image }}"
    flavor:
      ec2: "t2.medium"
      azure: Standard_A2_V2
    tags:
      - key: "AnsibleGroup"
        value: "bastions"
      - key: "ostype"
        value: "linux"
      - key: "instance_filter"
        value: "{{ env_type }}-{{ email }}"
    volumes:
      - name: '/dev/sda1'
        size: 20
    security_groups:
      - "BastionSG"
  - name: "node"
    count: "{{node_instance_count}}"
    public_dns: true
    dns_loadbalancer: false
    image: "{{ node_instance_image }}"
    flavor:
      ec2: "t2.medium"
      azure: Standard_A2_V2
    tags:
      - key: "AnsibleGroup"
        value: "nodes"
      - key: "ostype"
        value: "linux"
      - key: "instance_filter"
        value: "{{ env_type }}-{{ email }}"
# DNS settings for environmnet
subdomain_base_short: "{{ guid }}"
subdomain_base_suffix: ".example.opentlc.com"
subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"
zone_internal_dns: "{{guid}}.internal."
chomped_zone_internal_dns: "{{guid}}.internal"
# Stuff that only GPTE cares about:
install_ipa_client: false
repo_method: file
repo_version: "3.10"
# Do you want to run a full yum update
update_packages: false
common_packages:
  - python
  - unzip
  - bash-completion
  - tmux
  - wget
  - git
  - vim-enhanced
  - at
rhel_repos:
  - rhel-7-server-rpms
  - rhel-7-server-extras-rpms
  - epel-release-latest-7
###V2WORK, these should just be set as default listed in the documentation
install_bastion: true
install_common: true
## SB Don't set software_to_deploy from here, always use extra vars (-e) or "none" will be used
#software_to_deploy: none
## guid is the deployment unique identifier, it will be appended to all tags,
## files and anything that identifies this environment from another.
# Using GUID is required, if it is not passed in the command line or uncommented
# here the deployment will fail
#guid: defaultguid
###V2WORK, these should just be set as default listed in the documentation
# This is where the ssh_config file will be created, this file is used to
# define the communication method to all the hosts in the deployment
deploy_local_ssh_config_location: "{{output_dir}}/"
### If you want a Key Pair name created and injected into the hosts,
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
# you can use the key used to create the environment or use your own self generated key
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
###V2WORK, these should just be set as default listed in the documentation
use_own_key: true
env_authorized_key: "{{guid}}key"
set_env_authorized_key: true
################################################################################
################################################################################
### AWS EC2 Specific Variables
################################################################################
################################################################################
### Route 53 Zone ID (AWS)
# This is the Route53 HostedZoneId where you will create your Public DNS entries
# This only needs to be defined if your CF template uses route53
HostedZoneId: Z3IHLWJZOU9SRT
# The region to be used, if not specified by -e in the command line
aws_region: ap-southeast-2
# The key that is used to connect to the AWS instance initially, it should
# exist in your aws account and the private key should exist on the local machine
# you are provisioning from.
#key_name: "default_key_name"
###V2WORK THIS SHOULD MOVE INTO THE ROLE
# This var is used to identify stack (cloudformation, azure resourcegroup, ...)
project_tag: "{{ env_type }}-{{ guid }}"
################################################################################
################################################################################
### Azure Specific Variables
################################################################################
################################################################################
# Create a dedicated resourceGroup for this deployment
az_destroy_method: resource_group
az_resource_group: "{{ project_tag }}"
# you can operate differently: if you share on resourceGroup for all you deployments,
# you can specify a different resourceGroup and method:
#az_destroy_method: deployment
#az_resource_group: my-shared-resource-group
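Review bot: `bastion_instance_type` and `node_instance_type` are declared at the top of the file but never used: both entries in `instances` hard-code `flavor:` with `ec2: "t2.medium"` / `azure: Standard_A2_V2`, so overriding the `*_instance_type` variables with `-e` has no effect. Either reference them, e.g. `flavor: "{{ bastion_instance_type }}"` and `flavor: "{{ node_instance_type }}"` (the Azure template indexes `instance['flavor'][cloud_provider]`, so the dict works as-is), or drop the dead variables. `HostedZoneId: Z3IHLWJZOU9SRT` and `aws_region: ap-southeast-2` are concrete account-specific defaults in the shared env file; if that zone id belongs to a real account, a copied config will create public DNS records in it silently, so it belongs in the per-user vars with a placeholder here. The `node` instance also has no `security_groups` entry while `bastion` gets `BastionSG`; confirm what the ec2 provider applies by default, since nodes are `public_dns: true`.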
ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2
New file
@@ -0,0 +1,428 @@
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters" : {
        "guid": {
            "type" : "string",
            "minLength" : 3,
            "metadata" : {
                "description" : "GUID of the environment"
            }
        },
        "DNSZone": {
            "type" : "string",
            "minLength" : 3,
            "metadata" : {
                "description" : "dns zone of the environment, to update or create"
            }
        },
        "adminUsername" : {
            "type" : "string",
            "minLength" : 1,
            "defaultValue" : "azure",
            "metadata" : {
                "description" : "User name for the Virtual Machine."
            }
        },
        "sshKeyData" : {
            "type" : "securestring",
            "metadata" : {
                "description" : "SSH RSA public key file as a string."
            }
        },
        "vmSize" : {
            "type" : "string",
            "defaultValue" : "Basic_A2",
            "allowedValues" : [
                "Basic_A2",
                "Standard_A2",
                "Standard_A3",
                "Standard_A4",
                "Standard_A5",
                "Standard_A6",
                "Standard_A7",
                "Standard_A8",
                "Standard_A9",
                "Standard_A10",
                "Standard_A11",
                "Standard_D2",
                "Standard_D3",
                "Standard_D4",
                "Standard_D11",
                "Standard_D12",
                "Standard_D13",
                "Standard_D14",
                "Standard_D2_v2",
                "Standard_D3_v2",
                "Standard_D4_v2",
                "Standard_D5_v2",
                "Standard_D11_v2",
                "Standard_D12_v2",
                "Standard_D13_v2",
                "Standard_D14_v2",
                "Standard_G1",
                "Standard_G2",
                "Standard_G3",
                "Standard_G4",
                "Standard_G5",
                "Standard_DS2",
                "Standard_DS3",
                "Standard_DS4",
                "Standard_DS11",
                "Standard_DS12",
                "Standard_DS13",
                "Standard_DS14",
                "Standard_DS2_v2",
                "Standard_DS3_v2",
                "Standard_DS4_v2",
                "Standard_DS5_v2",
                "Standard_DS11_v2",
                "Standard_DS12_v2",
                "Standard_DS13_v2",
                "Standard_DS14_v2",
                "Standard_GS1",
                "Standard_GS2",
                "Standard_GS3",
                "Standard_GS4",
                "Standard_GS5"
            ],
            "metadata" : {
                "description" : "The size of the each Node Virtual Machine."
            }
        }
    },
    "variables" : {
        "subzone": "[concat('{{guid}}.',parameters('DNSZone'))]",
        "location" : "[resourceGroup().location]",
        "virtualNetworkName" : "[concat('VNet', parameters('guid'))]",
        "addressPrefix" : "10.0.0.0/16",
        "vnetId" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
        "rhel" : {
            "publisher" : "Redhat",
            "offer" : "RHEL",
            "sku" : "7-RAW",
            "version" : "latest"
        },
        "tenantId" : "[subscription().tenantId]",
        "apiVersion" : "2015-06-15",
        "apiVersionCompute" : "2015-06-15",
        "apiVersionNetwork" : "2016-03-30",
        "tmApiVersion" : "2015-11-01",
        "apiVersionStorage" : "2015-06-15",
        "apiVersionLinkTemplate" : "2015-01-01",
        "nicName" : "OneVmNic",
        "publicIPAddressType" : "Dynamic",
        "subnetRef" : "[concat(variables('vnetID'),'/subnets/',variables('virtualNetworkName'))]",
        "sshKeyPath" : "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]",
        "sQuote" : "\"",
        "vmStorageAccountContainerName": "vhds",
        "storageAccountType": "Standard_LRS",
        "vhdStorageType" : "Premium_LRS",
        "storageAccountName": "[concat('vsts8',uniquestring(parameters('guid')))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[variables('StorageAccountName')]",
            "apiVersion": "2016-01-01",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "[variables('storageAccountType')]"
            },
            "kind": "Storage",
            "properties": {
            }
        },
{% for instance in instances %}
{% if instance['dns_loadbalancer']|d(false)|bool and not instance['unique']|d(false)|bool %}
        {
            "type": "Microsoft.Network/dnszones/a",
            "name": "[concat(variables('subzone'), '/', '{{instance['name']}}')]",
            "apiVersion": "2016-04-01",
            "dependsOn": [
{% for c in range(1,(instance['count'] |int)+1) %}
  {% if instance['unique']|d(false)|bool %}
    {% set instancename = instance['name'] %}
    {% else %}
    {% set instancename = instance['name'] + (loop.index|string) %}
  {% endif %}
                "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]",
{% endfor %}
                "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]",
            ],
            "properties": {
                "TTL": 3600,
                "ARecords": [
                    {
{% for c in range(1,(instance['count'] |int)+1) %}
  {% if instance['unique']|d(false)|bool %}
    {% set instancename = instance['name'] %}
    {% else %}
    {% set instancename = instance['name'] + (loop.index|string) %}
  {% endif %}
                        "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]"
{% endfor %}
                    }
                ]
            }
        },
{% endif %}
{% for c in range(1,(instance['count'] |int)+1) %}
  {% if instance['unique']|d(false)|bool %}
    {% set instancename = instance['name'] %}
    {% else %}
    {% set instancename = instance['name'] + (loop.index|string) %}
  {% endif %}
{% if instance['public_dns']|d(false)|bool %}
        {
            "type": "Microsoft.Network/dnszones/a",
            "name": "[concat(variables('subzone'), '/', '{{instancename}}')]",
            "apiVersion": "2016-04-01",
            "dependsOn": [
                "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]",
                "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]",
            ],
            "properties": {
                "TTL": 3600,
                "ARecords": [
                    {
                        "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]"
                    }
                ]
            }
        },
        {
            "apiVersion" : "2017-04-01",
            "type" : "Microsoft.Network/publicIPAddresses",
            "name" : "{{instancename}}-PublicIP",
            "location" : "[resourceGroup().location]",
            "properties" : {
                "publicIPAllocationMethod" : "Static",
                "dnsSettings" : {
                    "domainNameLabel" : "{{instancename}}-{{guid}}"
                }
            }
        },
        {
            "apiVersion" : "2017-04-01",
            "type" : "Microsoft.Network/networkInterfaces",
            "name" : "{{instancename}}-Interface",
            "location" : "[resourceGroup().location]",
            "dependsOn" : [
                "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]",
                "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
            ],
            "properties" : {
                "ipConfigurations" : [
                    {
                        "name" : "ipconfig1",
                        "properties" : {
                            "privateIPAllocationMethod" : "Dynamic",
                            "publicIPAddress" : {
                                "id" : "[resourceId('Microsoft.Network/publicIPAddresses','{{instancename}}-PublicIP')]"
                            },
                            "subnet" : {
                                "id" : "[variables('subnetRef')]"
                            }
                        }
                    }
                ]
            }
        },
{% endif %}
        {
            "apiVersion" : "2017-03-30",
            "type" : "Microsoft.Compute/virtualMachines",
            "name" : "{{instancename}}",
            "location" : "[resourceGroup().location]",
            "dependsOn" : [
                "[resourceId('Microsoft.Network/networkInterfaces/', '{{instancename}}-Interface')]"
            ],
            "tags": {
                "Name": "{{instancename}}",
                "internaldns": "{{instancename}}.{{chomped_zone_internal_dns}}",
                "owner": "{{ email | default('unknownuser') }}",
                "Project": "{{project_tag}}",
{% for tag in instance['tags'] %}
                "{{tag['key']}}": "{{tag['value']}}",
{% endfor %}
                "{{project_tag}}": "{{ instance['name'] }}"
            },
            "properties" : {
                "hardwareProfile" : {
                    "vmSize" : "{{instance['flavor'][cloud_provider]}}"
                },
                "osProfile" : {
                    "computerName" : "{{instancename}}",
                    "adminUsername" : "[parameters('adminUsername')]",
                    "linuxConfiguration" : {
                        "disablePasswordAuthentication" : "true",
                        "ssh" : {
                            "publicKeys" : [
                                {
                                    "path" : "[variables('sshKeyPath')]",
                                    "keyData" : "[parameters('sshKeyData')]"
                                }
                            ]
                        }
                    }
                },
                "storageProfile" : {
                    "imageReference" : "[variables('rhel')]",
                    "osDisk" : {
                        "caching" : "ReadWrite",
                        "name" : "{{instancename}}-osdisk",
                        "createOption" : "FromImage",
                        "diskSizeGB" : "{{instance['rootfs_size']|d('50')}}"
                    },
                    "dataDisks" : [
{% for vol in instance['volumes']|default([]) %}
                        {
                            "caching" : "None",
                            "createOption" : "Empty",
                            "lun" : "{{loop.index}}",
                            "name": "{{instancename}}-{{vol['device_name']}}",
                            "diskSizeGB" : "{{vol['volume_size']}}"
                        },
{% endfor %}
                    ]
                },
                "networkProfile" : {
                    "networkInterfaces" : [
                        {
                            "id" : "[resourceId('Microsoft.Network/networkInterfaces','{{instancename}}-Interface')]"
                        }
                    ]
                },
                "diagnosticsProfile" : {
                    "bootDiagnostics" : {
                        "enabled" : "false",
                        "storageUri" : "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
                    }
                }
            }
        },
{% endfor %}
{% endfor %}
        {
            "name": "[variables('subzone')]",
            "type": "Microsoft.Network/dnsZones",
            "apiVersion": "2017-09-01",
            "location" : "global",
        },
        {
            "apiVersion": "2017-05-10",
            "name": "nestedTemplate",
            "type": "Microsoft.Resources/deployments",
            "resourceGroup": "dns",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {},
                    "resources": [
                    ]
                },
                "parameters": {}
            }
        },
        {
            "apiVersion" : "[variables('apiVersion')]",
            "type" : "Microsoft.Network/virtualNetworks",
            "name" : "[variables('virtualNetworkName')]",
            "location" : "[variables('location')]",
            "tags" : {
                "displayName" : "VirtualNetwork"
            },
            "properties" : {
                "addressSpace" : {
                    "addressPrefixes" : [
                        "[variables('addressPrefix')]"
                    ]
                },
                "subnets" : [
                    {
                        "name" : "[variables('virtualNetworkName')]",
                        "properties" : {
                            "addressPrefix" : "[variables('addressPrefix')]"
                        }
                    }
                ]
            }
        },
        {
            "type" : "Microsoft.Network/networkSecurityGroups",
            "name" : "[concat(resourceGroup().name, 'nsg')]",
            "tags" : {
                "displayName" : "NetworkSecurityGroup"
            },
            "apiVersion" : "[variables('apiVersion')]",
            "location" : "[resourceGroup().location]",
            "properties" : {
                "securityRules" : [
                    {
                        "name" : "default-allow-openshift-router-https",
                        "properties" : {
                            "protocol" : "Tcp",
                            "sourcePortRange" : "*",
                            "destinationPortRange" : "443",
                            "sourceAddressPrefix" : "*",
                            "destinationAddressPrefix" : "*",
                            "access" : "Allow",
                            "priority" : 2000,
                            "direction" : "Inbound"
                        }
                    },
                    {
                        "name" : "default-allow-openshift-router-http\n",
                        "properties" : {
                            "protocol" : "Tcp",
                            "sourcePortRange" : "*",
                            "destinationPortRange" : "80",
                            "sourceAddressPrefix" : "*",
                            "destinationAddressPrefix" : "*",
                            "access" : "Allow",
                            "priority" : 2001,
                            "direction" : "Inbound"
                        }
                    },
                    {
                        "name" : "default-allow-openshift-master",
                        "properties" : {
                            "protocol" : "Tcp",
                            "sourcePortRange" : "*",
                            "destinationPortRange" : "8443",
                            "sourceAddressPrefix" : "*",
                            "destinationAddressPrefix" : "*",
                            "access" : "Allow",
                            "priority" : 2002,
                            "direction" : "Inbound"
                        }
                    },
                    {
                        "name" : "default-allow-ssh",
                        "properties" : {
                            "protocol" : "Tcp",
                            "sourcePortRange" : "*",
                            "destinationPortRange" : "22",
                            "sourceAddressPrefix" : "*",
                            "destinationAddressPrefix" : "*",
                            "access" : "Allow",
                            "priority" : 2003,
                            "direction" : "Inbound"
                        }
                    }
                ]
            }
        }
    ],
    "outputs" : {
    }
}
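Review bot: The network security group defined at the end of the template (`[concat(resourceGroup().name, 'nsg')]`) is never attached: neither the NIC `ipConfigurations` nor the VNet subnet carries a `networkSecurityGroup` reference, so as far as this template shows the VMs get static public IPs that are in effect unfiltered and the rules below never apply. Add `"networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat(resourceGroup().name, 'nsg'))]" }` to the subnet `properties` (plus a `dependsOn` on the NSG from the VNet) so the intended filtering is actually in force. The rules themselves are copied from an OpenShift config: 80, 443 and 8443 are opened from `*` for a workshop that deploys no OpenShift and `default-allow-ssh` is world-open, so trim the set to 22 (and cockpit's default 9090 if it is meant to be reachable) and narrow `sourceAddressPrefix` where the workshop network allows; the rule name `default-allow-openshift-router-http\n` also carries a literal newline escape. Separately, the `dataDisks` loop reads `vol['device_name']` and `vol['volume_size']`, but `env_vars.yml` defines the bastion volume with `name`/`size`, so rendering this template on Azure fails on an undefined key.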
ansible/configs/selinux-policy/files/hosts_template.j2
New file
@@ -0,0 +1,15 @@
[all:vars]
###########################################################################
### Ansible Vars
###########################################################################
timeout=60
ansible_become=yes
ansible_user={{remote_user}}
ansible_ssh_private_key_file="~/.ssh/{{guid}}key.pem"
ansible_ssh_common_args="-o StrictHostKeyChecking=no"
[nodes]
## These are the frontends
{% for host in groups['nodes']|d([]) %}
node{{loop.index}}.{{chomped_zone_internal_dns}} ansible_ssh_host=frontend{{loop.index}}.{{subdomain_base}}
{% endfor %}
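Review bot: `ansible_ssh_common_args="-o StrictHostKeyChecking=no"` disables host-key verification for every host in the inventory, which leaves the provisioning channel (and the credential it authenticates with, `~/.ssh/{{guid}}key.pem`) open to an in-path attacker on the first connection. Since `destroy_env.yml` already points Ansible at a generated ssh config (`-F .../{{ env_type }}_{{ guid }}_ssh_conf`), prefer recording the freshly created hosts' keys there via `UserKnownHostsFile` (or `StrictHostKeyChecking=accept-new` where the control node's OpenSSH is 7.6 or newer) over a blanket `no`. The `[nodes]` group also looks copied from another config: instances are named `node` in `env_vars.yml`, yet each entry sets `ansible_ssh_host=frontend{{loop.index}}.{{subdomain_base}}`, a DNS name nothing in this config creates; `node{{loop.index}}.{{subdomain_base}}` is presumably what was intended, and the `## These are the frontends` comment should go with it.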
ansible/configs/selinux-policy/files/repos_template.j2
New file
@@ -0,0 +1,32 @@
[rhel-7-server-rpms]
name=Red Hat Enterprise Linux 7
baseurl={{own_repo_path}}/rhel-7-server-rpms
enabled=1
gpgcheck=0
[rhel-7-server-rh-common-rpms]
name=Red Hat Enterprise Linux 7 Common
baseurl={{own_repo_path}}/rhel-7-server-rh-common-rpms
enabled=1
gpgcheck=0
[rhel-7-server-extras-rpms]
name=Red Hat Enterprise Linux 7 Extras
baseurl={{own_repo_path}}/rhel-7-server-extras-rpms
enabled=1
gpgcheck=0
[rhel-7-server-optional-rpms]
name=Red Hat Enterprise Linux 7 Optional
baseurl={{own_repo_path}}/rhel-7-server-optional-rpms
enabled=1
gpgcheck=0
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=0
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
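Review bot: Every repository in this template sets `gpgcheck=0`, and `[epel]` is fetched over plain `http://` with its `gpgkey=` line commented out, so packages for a security-focused workshop are installed with no signature verification and, for EPEL, no transport integrity either. Set `gpgcheck=1` on all five stanzas, point the Red Hat repos at the release key that ships on the RHEL images, uncomment the EPEL key (installed by `epel-release`), and switch the EPEL `baseurl`/`mirrorlist` to `https://`. If the mirrored `{{own_repo_path}}` content is unsigned or re-signed, say so in a comment next to the stanza rather than disabling checks silently.
```ini
[rhel-7-server-rpms]
name=Red Hat Enterprise Linux 7
baseurl={{own_repo_path}}/rhel-7-server-rpms
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# … unchanged apart from the same gpgcheck/gpgkey change: rh-common, extras, optional …
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=https://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
```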
ansible/configs/selinux-policy/post_infra.yml
New file
@@ -0,0 +1,8 @@
- name: Step 002 Post Infrastructure
  hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - debug:
        msg: "Step 002 Post Infrastructure"
ansible/configs/selinux-policy/post_software.yml
New file
@@ -0,0 +1,19 @@
- name: Step 005 Post Software
  hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - debug:
        msg: "Step 005 Post Software"
- name: PostSoftware flight-check
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  tags:
    - post_flight_check
  tasks:
    - debug:
        msg: "Post-Software checks completed successfully"
ansible/configs/selinux-policy/pre_infra.yml
New file
@@ -0,0 +1,8 @@
- name: Step 000 Pre Infrastructure
  hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - debug:
        msg: "Step 000 Pre Infrastructure"
ansible/configs/selinux-policy/pre_software.yml
New file
@@ -0,0 +1,51 @@
- name: Step 003 Pre Software
  hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - debug:
        msg: "Step 003 Pre Software"
    - import_role:
        name: infra-local-create-ssh_key
      when: set_env_authorized_key | bool
- name: Configure all hosts with Repositories, Common Files and Set environment key
  hosts:
    - all:!windows
  become: true
  gather_facts: False
  tags:
    - common_tasks
  roles:
    - role: set-repositories
      when: repo_method is defined
    - role: common
      when: install_common | bool
    - role: set_env_authorized_key
      when: set_env_authorized_key | bool
- name: Configuring Bastion Hosts
  hosts: bastions
  become: true
  gather_facts: False
  roles:
    -  role: bastion
       when: install_bastion | bool
  tags:
    - bastion_tasks
- name: PreSoftware flight-check
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  tags:
    - presoftware_flight_check
  tasks:
    - debug:
        msg: "Pre-Software checks completed successfully"
ansible/configs/selinux-policy/sample_vars.yml
New file
@@ -0,0 +1,39 @@
---
# Sample configuration file.
# Make a copy (e.g. my_sample_vars.yml) and change the settings to match your environment.
#
# Usage:
#
#   ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
#
# To destroy your deployment:
#
#   ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
#
env_type: simple-example      # Name of config to deploy
output_dir: /tmp/workdir      # Writable working scratch directory
node_instance_count: 2        # Number of nodes to deploy
email: name@example.com       # User info for notifications
guid: guid02                  # Unique string used in FQDN
subdomain_base_suffix: .example.opentlc.com      # Your domain used in FQDN
# Path to yum repos
own_repo_path: http://admin.example.com/repos/version
# Cloud specfic settings - example given here for AWS
cloud_provider: ec2                     # Which AgnosticD Cloud Provider to use
aws_region: us-east-1                   # AWS Region to deploy in
HostedZoneId: Z3IHLWJZOU9SRT            # You will need to change this
key_name: ocpkey                        # Keyname must exist in AWS
# DANGER ZONE
#
# AWS Credentials. These are required (don't sync them to your fork!!)
# aws_access_key_id:
# aws_secret_access_key:
# Create a file e.g. agnosticd/ansible/my_secret_vars.yml and put all your keys etc into it.
#
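Review bot: `env_type: simple-example` and the usage lines `-e @configs/simple-example/my_sample_vars.yml` still point at the config this file was copied from rather than `configs/selinux-policy/`; because `env_type` selects the config directory ("Name of config to deploy"), running the documented command deploys a different environment than this one. Change it to `env_type: selinux-policy` and both usage paths to `configs/selinux-policy/my_sample_vars.yml`. `HostedZoneId: Z3IHLWJZOU9SRT` is the same concrete id as in `env_vars.yml` despite the "You will need to change this" comment; a placeholder such as `HostedZoneId: CHANGEME` fails loudly instead of creating records in whatever zone that id resolves to. The `own_repo_path` default is plain `http://`, which matters here because the repo template disables gpgcheck on everything it serves.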
ansible/configs/selinux-policy/software.yml
New file
@@ -0,0 +1,123 @@
---
- name: Step 004 Environment specific Software
  hosts: localhost
  gather_facts: False
  become: false
  tasks:
    - debug:
        msg: "Software tasks Started"
- name: Deploy Roles if infra_workloads defined
  hosts:
    - nodes
  gather_facts: false
  run_once: false
  become: yes
  tags:
    - infra_workloads
  tasks:
  - name: apply infra workloads roles on nodes
    when:
    - infra_workloads|d("")|length > 0
    block:
      - name: Apply role "{{ workload_loop_var }}" on nodes
        include_role:
          name: "{{ workload_loop_var }}"
        vars:
          ACTION: "provision"
        loop: "{{ infra_workloads.split(',')|list }}"
        loop_control:
          loop_var: workload_loop_var
- name: Configure bastion for SELinux workshop
  hosts: all
  gather_facts: false
  become: true
  vars:
    avc: |
      '----
      time->Mon Nov 17 01:45:36 2008
      type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
      type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'
  tasks:
  - name: Install all needed packages
    package:
      state: present
      name:
        - selinux-policy-devel
        - ansible
        - policycoreutils
        - policycoreutils-python-utils
        - audit
        - git
        - setools-console
        - selinux-policy-doc
        - policycoreutils-newrole
        - setroubleshoot-server
        - make
        - gcc-c++
        - rpm-build
        - libcurl-devel
        - cockpit
        - cockpit-dashboard
        - cockpit-shell
        - cockpit-system
        - cockpit-ws
        - subscription-manager-cockpit
        - cockpit-composer
        - cockpit-session-recording
        - cockpit-machines
        - cockpit-packagekit
        - cockpit-podman
        - cockpit-storaged
  - name: Ensure cockpit is started
    systemd:
      name: "cockpit.socket"
      state: "started"
      enabled: true
      daemon_reload: true
  - name: Enable SELinux
    selinux:
      policy: targeted
      state: enforcing
  - name: Create testaudit file
    copy:
      mode: '0644'
      owner: root
      dest: /root/testaudit
      content: "{{ avc  }}"
  - name: Copy testaudit also to user dir
    copy:
      src: /root/testaudit
      dest: /home/ec2-user
      owner: ec2-user
      group: ec2-user
      mode: '0644'
      force: true
      remote_src: yes
  - name: Create .vimrc in user home dir
    copy:
      content: ""
      dest: /home/ec2-user/.vimrc
      owner: ec2-user
      group: ec2-user
      mode: '0644'
      force: no
- name: Software flight-check
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  tags:
    - post_flight_check
  tasks:
    - debug:
        msg: "Software checks completed successfully"
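Review bot: The `avc` variable is a `|` literal block, so the leading `'----` and the trailing `'` after `key=(null)` are written verbatim into `/root/testaudit`; drop both quote characters (a block scalar needs no quoting) so the file holds clean `type=AVC`/`type=SYSCALL` lines for the workshop's `audit2allow` exercise. The "Configure bastion" play targets `hosts: all` yet hard-codes `/home/ec2-user` and `owner: ec2-user`, which fails on the Azure path where the template's `adminUsername` defaults to `azure`; use `{{ remote_user }}` (as `hosts_template.j2` does) and restrict the play to `bastions` if that is what its name means. The package list names `policycoreutils-python-utils`, which looks like the RHEL 8/Fedora name — on the `RHEL75` image selected in `env_vars.yml` the equivalent is `policycoreutils-python`, so confirm each package (several `cockpit-*` ones too) exists in the RHEL 7 repos being mirrored, otherwise `package` fails the whole play. Finally, this play duplicates the package/cockpit/SELinux tasks that the new `ansible/roles/selinux-policy` role also defines, yet nothing in this config includes that role; keep one copy, noting that the role's `block:` as shown holds a mapping rather than a task list and would not load if it were included.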
ansible/roles/selinux-policy/README.adoc
New file
@@ -0,0 +1,2 @@
= selinux-policy role
ansible/roles/selinux-policy/defaults/main.yml
New file
@@ -0,0 +1 @@
---
ansible/roles/selinux-policy/handlers/main.yml
New file
@@ -0,0 +1 @@
---
ansible/roles/selinux-policy/tasks/main.yml
New file
@@ -0,0 +1,52 @@
---
- name: Install all needed packages
  block:
    package:
      state: present
      name:
        - selinux-policy-devel
        - ansible
        - policycoreutils
        - policycoreutils-python-utils
        - audit
        - git
        - setools-console
        - selinux-policy-doc
        - policycoreutils-newrole
        - setroubleshoot-server
        - make
        - gcc-c++
        - rpm-build
        - libcurl-devel
        - cockpit
        - cockpit-dashboard
        - cockpit-shell
        - cockpit-system
        - cockpit-ws
        - subscription-manager-cockpit
        - cockpit-composer
        - cockpit-session-recording
        - cockpit-machines
        - cockpit-packagekit
        - cockpit-podman
        - cockpit-storaged
    check_mode: yes
- name: Ensure cockpit is started
  systemd:
    name: "cockpit.socket"
    state: "started"
    enabled: true
    daemon_reload: true
  check_mode: yes
- name: Check if SELinux is in Enforcing state
  selinux:
    policy: targeted
    state: enforcing
  check_mode: yes
- name: Check if testaudit file exists
  stat:
      path: /root/testaudit