From 5b66061e9224fef019f472ad1846068a25f2f146 Mon Sep 17 00:00:00 2001
From: J. Alexander Jacocks <alexander@redhat.com>
Date: Fri, 13 Mar 2020 19:53:49 +0100
Subject: [PATCH] Add SELinux policy writing workshop (#1329)

---
 ansible/roles/selinux-policy/README.adoc                                     |    2 
 ansible/configs/selinux-policy/env_vars.yml                                  |  153 +++++++++
 ansible/configs/selinux-policy/files/repos_template.j2                       |   32 +
 ansible/configs/selinux-policy/post_infra.yml                                |    8 
 ansible/configs/selinux-policy/sample_vars.yml                               |   39 ++
 ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2 |  428 +++++++++++++++++++++++++
 ansible/configs/selinux-policy/pre_infra.yml                                 |    8 
 ansible/roles/selinux-policy/defaults/main.yml                               |    1 
 ansible/configs/selinux-policy/software.yml                                  |  123 +++++++
 ansible/configs/selinux-policy/pre_software.yml                              |   51 +++
 ansible/configs/selinux-policy/README.md                                     |   42 ++
 ansible/configs/selinux-policy/files/hosts_template.j2                       |   15 
 ansible/roles/selinux-policy/handlers/main.yml                               |    1 
 ansible/configs/selinux-policy/destroy_env.yml                               |   39 ++
 ansible/configs/selinux-policy/post_software.yml                             |   19 +
 ansible/roles/selinux-policy/tasks/main.yml                                  |   52 +++
 16 files changed, 1,013 insertions(+), 0 deletions(-)

diff --git a/ansible/configs/selinux-policy/README.md b/ansible/configs/selinux-policy/README.md
new file mode 100644
index 0000000..801da75
--- /dev/null
+++ b/ansible/configs/selinux-policy/README.md
@@ -0,0 +1,42 @@
+# Simple example
+
+A simple deplyoment creating a bastion host and two worker nodes. It can't get simpler ...
+
+### Environment variables
+
+Deployment is controlled by two configuration files: 
+
+* env_vars.yml
+* sample_vars.yml
+
+`env_vars.yml` defines all configuration parameters that COULD be modified, whereas `sample_vars.yml` is a *template* for all environment specific values that HAVE to be changed.
+
+Start by creating a copy of `sample_vars.yml` and rename it (e.g. `my_sample_vars.yml`). Then modifiy all parameters to match your environment.
+
+#### Secrets
+
+Some deployments need **secrets** e.g. your AWS credentials or API tokens. 
+
+DO NOT add these to git !
+
+Instead create a file called e.g. `./ansible/my_secret_vars.yml` and store all secrets etc. there. This file can also be reused for other deplyoments.
+
+NOTE:  
+
+Both `my_sample_vars.yml` `my_secret.vars.yml` are in the `.gitignore` configuration which SHOULD protect you from adding them to git!
+
+### Run the Ansible playbooks
+
+Run follwoing commands from the `./ansible` folder:
+
+#### Install
+
+```shell
+ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+```
+
+#### Uninstall
+
+```shell
+ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+```
diff --git a/ansible/configs/selinux-policy/destroy_env.yml b/ansible/configs/selinux-policy/destroy_env.yml
new file mode 100644
index 0000000..3f5c9d2
--- /dev/null
+++ b/ansible/configs/selinux-policy/destroy_env.yml
@@ -0,0 +1,39 @@
+---
+- name: Build inventory
+  hosts: localhost
+  connection: local
+  gather_facts: False
+  become: no
+  tasks:
+    - when: cloud_provider == 'ec2'
+      block:
+      - name: Run infra-ec2-create-inventory Role
+        include_role:
+          name: infra-ec2-create-inventory
+
+      - name: Run Common SSH Config Generator Role
+        include_role:
+          name: infra-common-ssh-config-generate
+        when: "'bastions' in groups"
+
+- name: Set ssh config
+  hosts: all
+  gather_facts: false
+  become: no
+  tasks:
+    - name: Set facts for remote access
+      set_fact:
+        ansible_ssh_extra_args: >-
+          {{ ansible_ssh_extra_args|d() }}
+          -F {{hostvars.localhost.output_dir}}/{{ env_type }}_{{ guid }}_ssh_conf
+
+- name: Unsubscribe systems
+  hosts: all
+  become: true
+  gather_facts: false
+  ignore_errors: true
+  tasks:
+    - shell: "subscription-manager unsubscribe --all"
+
+- name: Import default destroy playbook
+  import_playbook: ../../cloud_providers/{{cloud_provider}}_destroy_env.yml
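Review bot: The unsubscribe task in the "Unsubscribe systems" play uses `shell:` for a fixed argument list that needs no shell features and has no `name`, so a failure (already masked by the play-level `ignore_errors: true`) is hard to attribute in the run log. Prefer `- name: Unsubscribe system from RHSM` with `command: subscription-manager unsubscribe --all`, which also drops the unnecessary shell layer. Booleans are mixed across the plays (`gather_facts: False`, `become: no` in the first play, lowercase `false`/`true` afterwards); `true`/`false` throughout avoids the YAML 1.1/1.2 truthy ambiguity and satisfies yamllint's truthy rule.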
diff --git a/ansible/configs/selinux-policy/env_vars.yml b/ansible/configs/selinux-policy/env_vars.yml
new file mode 100644
index 0000000..585bd33
--- /dev/null
+++ b/ansible/configs/selinux-policy/env_vars.yml
@@ -0,0 +1,153 @@
+
+bastion_instance_type:
+  ec2: "t2.medium"
+  azure: Standard_A2_V2
+
+bastion_instance_image: RHEL75
+
+node_instance_type:
+  ec2: "t2.medium"
+  azure: Standard_A2_V2
+
+node_instance_image: RHEL75
+
+# How many do you want for each instance type
+node_instance_count: 0
+
+# Environment Instances
+instances:
+  - name: "bastion"
+    count: 1
+    unique: true
+    public_dns: true
+    dns_loadbalancer: false
+    image: "{{ bastion_instance_image }}"
+    flavor:
+      ec2: "t2.medium"
+      azure: Standard_A2_V2
+    tags:
+      - key: "AnsibleGroup"
+        value: "bastions"
+      - key: "ostype"
+        value: "linux"
+      - key: "instance_filter"
+        value: "{{ env_type }}-{{ email }}"
+    volumes:
+      - name: '/dev/sda1'
+        size: 20
+    security_groups:
+      - "BastionSG"
+
+  - name: "node"
+    count: "{{node_instance_count}}"
+    public_dns: true
+    dns_loadbalancer: false
+    image: "{{ node_instance_image }}"
+    flavor:
+      ec2: "t2.medium"
+      azure: Standard_A2_V2
+    tags:
+      - key: "AnsibleGroup"
+        value: "nodes"
+      - key: "ostype"
+        value: "linux"
+      - key: "instance_filter"
+        value: "{{ env_type }}-{{ email }}"
+
+
+# DNS settings for environmnet
+subdomain_base_short: "{{ guid }}"
+subdomain_base_suffix: ".example.opentlc.com"
+subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"
+
+zone_internal_dns: "{{guid}}.internal."
+chomped_zone_internal_dns: "{{guid}}.internal"
+
+# Stuff that only GPTE cares about:
+install_ipa_client: false
+
+
+repo_method: file
+repo_version: "3.10"
+# Do you want to run a full yum update
+update_packages: false
+common_packages:
+  - python
+  - unzip
+  - bash-completion
+  - tmux
+  - wget
+  - git
+  - vim-enhanced
+  - at
+
+rhel_repos:
+  - rhel-7-server-rpms
+  - rhel-7-server-extras-rpms
+  - epel-release-latest-7
+
+###V2WORK, these should just be set as default listed in the documentation
+install_bastion: true
+install_common: true
+## SB Don't set software_to_deploy from here, always use extra vars (-e) or "none" will be used
+#software_to_deploy: none
+
+
+## guid is the deployment unique identifier, it will be appended to all tags,
+## files and anything that identifies this environment from another.
+# Using GUID is required, if it is not passed in the command line or uncommented
+# here the deployment will fail
+#guid: defaultguid
+
+
+
+###V2WORK, these should just be set as default listed in the documentation
+# This is where the ssh_config file will be created, this file is used to
+# define the communication method to all the hosts in the deployment
+deploy_local_ssh_config_location: "{{output_dir}}/"
+
+
+### If you want a Key Pair name created and injected into the hosts,
+# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
+# you can use the key used to create the environment or use your own self generated key
+# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
+
+###V2WORK, these should just be set as default listed in the documentation
+use_own_key: true
+env_authorized_key: "{{guid}}key"
+set_env_authorized_key: true
+
+################################################################################
+################################################################################
+### AWS EC2 Specific Variables
+################################################################################
+################################################################################
+
+### Route 53 Zone ID (AWS)
+# This is the Route53 HostedZoneId where you will create your Public DNS entries
+# This only needs to be defined if your CF template uses route53
+HostedZoneId: Z3IHLWJZOU9SRT
+# The region to be used, if not specified by -e in the command line
+aws_region: ap-southeast-2
+# The key that is used to connect to the AWS instance initially, it should
+# exist in your aws account and the private key should exist on the local machine
+# you are provisioning from.
+#key_name: "default_key_name"
+
+###V2WORK THIS SHOULD MOVE INTO THE ROLE
+# This var is used to identify stack (cloudformation, azure resourcegroup, ...)
+project_tag: "{{ env_type }}-{{ guid }}"
+
+################################################################################
+################################################################################
+### Azure Specific Variables
+################################################################################
+################################################################################
+# Create a dedicated resourceGroup for this deployment
+az_destroy_method: resource_group
+az_resource_group: "{{ project_tag }}"
+
+# you can operate differently: if you share on resourceGroup for all you deployments,
+# you can specify a different resourceGroup and method:
+#az_destroy_method: deployment
+#az_resource_group: my-shared-resource-group
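Review bot: `bastion_instance_type` and `node_instance_type` at the top of the hunk are never referenced; each instance's `flavor:` repeats the same literals, so overriding the top-level variables with `-e` silently has no effect. Pointing the instances at them — `flavor: "{{ bastion_instance_type }}"` and `flavor: "{{ node_instance_type }}"` — keeps a single source of truth (a whole-string Jinja expression preserves the mapping type in Ansible, as `count: "{{node_instance_count}}"` already relies on). `HostedZoneId: Z3IHLWJZOU9SRT` and `aws_region: ap-southeast-2` are site-specific values baked into the shared defaults; sample_vars.yml overrides both, so leaving them commented out here (as `key_name` is) would make a missing override fail loudly instead of deploying DNS records into someone else's zone. The `node` instance also carries no `security_groups` entry while `bastion` gets `BastionSG`; whether that leaves the nodes on a provider default group depends on the cloud template, which this hunk does not show — worth confirming before the workshop is exposed publicly.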
diff --git a/ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2 b/ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2
new file mode 100644
index 0000000..7f92c64
--- /dev/null
+++ b/ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2
@@ -0,0 +1,428 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters" : {
+        "guid": {
+            "type" : "string",
+            "minLength" : 3,
+            "metadata" : {
+                "description" : "GUID of the environment"
+            }
+        },
+        "DNSZone": {
+            "type" : "string",
+            "minLength" : 3,
+            "metadata" : {
+                "description" : "dns zone of the environment, to update or create"
+            }
+        },
+        "adminUsername" : {
+            "type" : "string",
+            "minLength" : 1,
+            "defaultValue" : "azure",
+            "metadata" : {
+                "description" : "User name for the Virtual Machine."
+            }
+        },
+        "sshKeyData" : {
+            "type" : "securestring",
+            "metadata" : {
+                "description" : "SSH RSA public key file as a string."
+            }
+        },
+        "vmSize" : {
+            "type" : "string",
+            "defaultValue" : "Basic_A2",
+            "allowedValues" : [
+                "Basic_A2",
+                "Standard_A2",
+                "Standard_A3",
+                "Standard_A4",
+                "Standard_A5",
+                "Standard_A6",
+                "Standard_A7",
+                "Standard_A8",
+                "Standard_A9",
+                "Standard_A10",
+                "Standard_A11",
+                "Standard_D2",
+                "Standard_D3",
+                "Standard_D4",
+                "Standard_D11",
+                "Standard_D12",
+                "Standard_D13",
+                "Standard_D14",
+                "Standard_D2_v2",
+                "Standard_D3_v2",
+                "Standard_D4_v2",
+                "Standard_D5_v2",
+                "Standard_D11_v2",
+                "Standard_D12_v2",
+                "Standard_D13_v2",
+                "Standard_D14_v2",
+                "Standard_G1",
+                "Standard_G2",
+                "Standard_G3",
+                "Standard_G4",
+                "Standard_G5",
+                "Standard_DS2",
+                "Standard_DS3",
+                "Standard_DS4",
+                "Standard_DS11",
+                "Standard_DS12",
+                "Standard_DS13",
+                "Standard_DS14",
+                "Standard_DS2_v2",
+                "Standard_DS3_v2",
+                "Standard_DS4_v2",
+                "Standard_DS5_v2",
+                "Standard_DS11_v2",
+                "Standard_DS12_v2",
+                "Standard_DS13_v2",
+                "Standard_DS14_v2",
+                "Standard_GS1",
+                "Standard_GS2",
+                "Standard_GS3",
+                "Standard_GS4",
+                "Standard_GS5"
+            ],
+            "metadata" : {
+                "description" : "The size of the each Node Virtual Machine."
+            }
+        }
+    },
+    "variables" : {
+        "subzone": "[concat('{{guid}}.',parameters('DNSZone'))]",
+        "location" : "[resourceGroup().location]",
+        "virtualNetworkName" : "[concat('VNet', parameters('guid'))]",
+        "addressPrefix" : "10.0.0.0/16",
+        "vnetId" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
+        "rhel" : {
+            "publisher" : "Redhat",
+            "offer" : "RHEL",
+            "sku" : "7-RAW",
+            "version" : "latest"
+        },
+        "tenantId" : "[subscription().tenantId]",
+        "apiVersion" : "2015-06-15",
+        "apiVersionCompute" : "2015-06-15",
+        "apiVersionNetwork" : "2016-03-30",
+        "tmApiVersion" : "2015-11-01",
+        "apiVersionStorage" : "2015-06-15",
+        "apiVersionLinkTemplate" : "2015-01-01",
+        "nicName" : "OneVmNic",
+        "publicIPAddressType" : "Dynamic",
+        "subnetRef" : "[concat(variables('vnetID'),'/subnets/',variables('virtualNetworkName'))]",
+        "sshKeyPath" : "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]",
+        "sQuote" : "\"",
+        "vmStorageAccountContainerName": "vhds",
+        "storageAccountType": "Standard_LRS",
+        "vhdStorageType" : "Premium_LRS",
+        "storageAccountName": "[concat('vsts8',uniquestring(parameters('guid')))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Storage/storageAccounts",
+            "name": "[variables('StorageAccountName')]",
+            "apiVersion": "2016-01-01",
+            "location": "[resourceGroup().location]",
+            "sku": {
+                "name": "[variables('storageAccountType')]"
+            },
+            "kind": "Storage",
+            "properties": {
+            }
+        },
+{% for instance in instances %}
+
+{% if instance['dns_loadbalancer']|d(false)|bool and not instance['unique']|d(false)|bool %}
+        {
+            "type": "Microsoft.Network/dnszones/a",
+            "name": "[concat(variables('subzone'), '/', '{{instance['name']}}')]",
+            "apiVersion": "2016-04-01",
+            "dependsOn": [
+{% for c in range(1,(instance['count'] |int)+1) %}
+  {% if instance['unique']|d(false)|bool %}
+    {% set instancename = instance['name'] %}
+    {% else %}
+    {% set instancename = instance['name'] + (loop.index|string) %}
+  {% endif %}
+                "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]",
+{% endfor %}
+                "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]",
+            ],
+            "properties": {
+                "TTL": 3600,
+                "ARecords": [
+                    {
+{% for c in range(1,(instance['count'] |int)+1) %}
+  {% if instance['unique']|d(false)|bool %}
+    {% set instancename = instance['name'] %}
+    {% else %}
+    {% set instancename = instance['name'] + (loop.index|string) %}
+  {% endif %}
+                        "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]"
+{% endfor %}
+                    }
+                ]
+            }
+        },
+{% endif %}
+
+
+{% for c in range(1,(instance['count'] |int)+1) %}
+
+  {% if instance['unique']|d(false)|bool %}
+    {% set instancename = instance['name'] %}
+    {% else %}
+    {% set instancename = instance['name'] + (loop.index|string) %}
+  {% endif %}
+
+{% if instance['public_dns']|d(false)|bool %}
+        {
+            "type": "Microsoft.Network/dnszones/a",
+            "name": "[concat(variables('subzone'), '/', '{{instancename}}')]",
+            "apiVersion": "2016-04-01",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]",
+                "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]",
+            ],
+            "properties": {
+                "TTL": 3600,
+                "ARecords": [
+                    {
+                        "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]"
+                    }
+                ]
+            }
+        },
+        {
+            "apiVersion" : "2017-04-01",
+            "type" : "Microsoft.Network/publicIPAddresses",
+            "name" : "{{instancename}}-PublicIP",
+            "location" : "[resourceGroup().location]",
+            "properties" : {
+                "publicIPAllocationMethod" : "Static",
+                "dnsSettings" : {
+                    "domainNameLabel" : "{{instancename}}-{{guid}}"
+                }
+            }
+        },
+        {
+            "apiVersion" : "2017-04-01",
+            "type" : "Microsoft.Network/networkInterfaces",
+            "name" : "{{instancename}}-Interface",
+            "location" : "[resourceGroup().location]",
+            "dependsOn" : [
+                "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]",
+                "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
+            ],
+            "properties" : {
+                "ipConfigurations" : [
+                    {
+                        "name" : "ipconfig1",
+                        "properties" : {
+                            "privateIPAllocationMethod" : "Dynamic",
+                            "publicIPAddress" : {
+                                "id" : "[resourceId('Microsoft.Network/publicIPAddresses','{{instancename}}-PublicIP')]"
+                            },
+                            "subnet" : {
+                                "id" : "[variables('subnetRef')]"
+                            }
+                        }
+                    }
+                ]
+            }
+        },
+{% endif %}
+        {
+            "apiVersion" : "2017-03-30",
+            "type" : "Microsoft.Compute/virtualMachines",
+            "name" : "{{instancename}}",
+            "location" : "[resourceGroup().location]",
+            "dependsOn" : [
+                "[resourceId('Microsoft.Network/networkInterfaces/', '{{instancename}}-Interface')]"
+            ],
+            "tags": {
+                "Name": "{{instancename}}",
+                "internaldns": "{{instancename}}.{{chomped_zone_internal_dns}}",
+                "owner": "{{ email | default('unknownuser') }}",
+                "Project": "{{project_tag}}",
+{% for tag in instance['tags'] %}
+                "{{tag['key']}}": "{{tag['value']}}",
+{% endfor %}
+                "{{project_tag}}": "{{ instance['name'] }}"
+            },
+            "properties" : {
+                "hardwareProfile" : {
+                    "vmSize" : "{{instance['flavor'][cloud_provider]}}"
+                },
+                "osProfile" : {
+                    "computerName" : "{{instancename}}",
+                    "adminUsername" : "[parameters('adminUsername')]",
+                    "linuxConfiguration" : {
+                        "disablePasswordAuthentication" : "true",
+                        "ssh" : {
+                            "publicKeys" : [
+                                {
+                                    "path" : "[variables('sshKeyPath')]",
+                                    "keyData" : "[parameters('sshKeyData')]"
+                                }
+                            ]
+                        }
+                    }
+                },
+                "storageProfile" : {
+                    "imageReference" : "[variables('rhel')]",
+                    "osDisk" : {
+                        "caching" : "ReadWrite",
+                        "name" : "{{instancename}}-osdisk",
+                        "createOption" : "FromImage",
+                        "diskSizeGB" : "{{instance['rootfs_size']|d('50')}}"
+                    },
+                    "dataDisks" : [
+{% for vol in instance['volumes']|default([]) %}
+                        {
+                            "caching" : "None",
+                            "createOption" : "Empty",
+                            "lun" : "{{loop.index}}",
+                            "name": "{{instancename}}-{{vol['device_name']}}",
+                            "diskSizeGB" : "{{vol['volume_size']}}"
+                        },
+{% endfor %}
+                    ]
+                },
+                "networkProfile" : {
+                    "networkInterfaces" : [
+                        {
+                            "id" : "[resourceId('Microsoft.Network/networkInterfaces','{{instancename}}-Interface')]"
+                        }
+                    ]
+                },
+                "diagnosticsProfile" : {
+                    "bootDiagnostics" : {
+                        "enabled" : "false",
+                        "storageUri" : "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
+                    }
+                }
+            }
+        },
+{% endfor %}
+{% endfor %}
+        {
+            "name": "[variables('subzone')]",
+            "type": "Microsoft.Network/dnsZones",
+            "apiVersion": "2017-09-01",
+            "location" : "global",
+        },
+        {
+            "apiVersion": "2017-05-10",
+            "name": "nestedTemplate",
+            "type": "Microsoft.Resources/deployments",
+            "resourceGroup": "dns",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                    ]
+                },
+                "parameters": {}
+            }
+        },
+        {
+            "apiVersion" : "[variables('apiVersion')]",
+            "type" : "Microsoft.Network/virtualNetworks",
+            "name" : "[variables('virtualNetworkName')]",
+            "location" : "[variables('location')]",
+            "tags" : {
+                "displayName" : "VirtualNetwork"
+            },
+            "properties" : {
+                "addressSpace" : {
+                    "addressPrefixes" : [
+                        "[variables('addressPrefix')]"
+                    ]
+                },
+                "subnets" : [
+                    {
+                        "name" : "[variables('virtualNetworkName')]",
+                        "properties" : {
+                            "addressPrefix" : "[variables('addressPrefix')]"
+                        }
+                    }
+                ]
+            }
+        },
+        {
+            "type" : "Microsoft.Network/networkSecurityGroups",
+            "name" : "[concat(resourceGroup().name, 'nsg')]",
+            "tags" : {
+                "displayName" : "NetworkSecurityGroup"
+            },
+            "apiVersion" : "[variables('apiVersion')]",
+            "location" : "[resourceGroup().location]",
+            "properties" : {
+                "securityRules" : [
+                    {
+                        "name" : "default-allow-openshift-router-https",
+                        "properties" : {
+                            "protocol" : "Tcp",
+                            "sourcePortRange" : "*",
+                            "destinationPortRange" : "443",
+                            "sourceAddressPrefix" : "*",
+                            "destinationAddressPrefix" : "*",
+                            "access" : "Allow",
+                            "priority" : 2000,
+                            "direction" : "Inbound"
+                        }
+                    },
+                    {
+                        "name" : "default-allow-openshift-router-http\n",
+                        "properties" : {
+                            "protocol" : "Tcp",
+                            "sourcePortRange" : "*",
+                            "destinationPortRange" : "80",
+                            "sourceAddressPrefix" : "*",
+                            "destinationAddressPrefix" : "*",
+                            "access" : "Allow",
+                            "priority" : 2001,
+                            "direction" : "Inbound"
+                        }
+                    },
+                    {
+                        "name" : "default-allow-openshift-master",
+                        "properties" : {
+                            "protocol" : "Tcp",
+                            "sourcePortRange" : "*",
+                            "destinationPortRange" : "8443",
+                            "sourceAddressPrefix" : "*",
+                            "destinationAddressPrefix" : "*",
+                            "access" : "Allow",
+                            "priority" : 2002,
+                            "direction" : "Inbound"
+                        }
+                    },
+                    {
+                        "name" : "default-allow-ssh",
+                        "properties" : {
+                            "protocol" : "Tcp",
+                            "sourcePortRange" : "*",
+                            "destinationPortRange" : "22",
+                            "sourceAddressPrefix" : "*",
+                            "destinationAddressPrefix" : "*",
+                            "access" : "Allow",
+                            "priority" : 2003,
+                            "direction" : "Inbound"
+                        }
+                    }
+                ]
+            }
+        }
+    ],
+    "outputs" : {
+    }
+}
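Review bot: The network security group defined at the end of the resources array is never associated with anything — neither the subnet properties (`addressPrefix` only) nor the NIC ipConfiguration carries a `networkSecurityGroup` reference — so on Azure none of its rules take effect, and once it is wired in, the `default-allow-openshift-*` rules opening 80, 443 and 8443 from `*` have no consumer in an SELinux workshop and should be dropped so only SSH is reachable. The dataDisks loop reads `vol['device_name']` and `vol['volume_size']`, but the bastion volume in env_vars.yml is declared with `name` and `size`, so rendering this template against that config fails on the undefined key under Ansible's default undefined-variable handling; if the Azure path is meant to consume the same instance definitions, `"name": "{{instancename}}-{{vol['name']|basename}}"` and `"diskSizeGB" : "{{vol['size']}}"` would match. The second rule's name `"default-allow-openshift-router-http\n"` contains a literal newline escape that reaches Azure as part of the resource name. The trailing commas after the last `dependsOn` entries and after `"location" : "global",` are not valid JSON and rely on lenient parsing; removing them costs nothing.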
diff --git a/ansible/configs/selinux-policy/files/hosts_template.j2 b/ansible/configs/selinux-policy/files/hosts_template.j2
new file mode 100644
index 0000000..f4bfdf1
--- /dev/null
+++ b/ansible/configs/selinux-policy/files/hosts_template.j2
@@ -0,0 +1,15 @@
+[all:vars]
+###########################################################################
+### Ansible Vars
+###########################################################################
+timeout=60
+ansible_become=yes
+ansible_user={{remote_user}}
+ansible_ssh_private_key_file="~/.ssh/{{guid}}key.pem"
+ansible_ssh_common_args="-o StrictHostKeyChecking=no"
+
+[nodes]
+## These are the frontends
+{% for host in groups['nodes']|d([]) %}
+node{{loop.index}}.{{chomped_zone_internal_dns}} ansible_ssh_host=frontend{{loop.index}}.{{subdomain_base}}
+{% endfor %}
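Review bot: The `[nodes]` entries point `ansible_ssh_host` at `frontend{{loop.index}}.{{subdomain_base}}`, but the instance in env_vars.yml is named `node`, so the generated addresses only resolve if the cloud side also creates `frontendN` DNS records, which this patch does not show; `node{{loop.index}}.{{subdomain_base}}` matches the left-hand inventory name, and the `## These are the frontends` comment looks carried over from another config. `ansible_ssh_common_args="-o StrictHostKeyChecking=no"` disables host-key verification for every connection in this inventory, so a host answering on a hijacked or reused address is accepted silently; `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6 and later on the control node) keeps trust-on-first-use while still detecting later key changes, and `UserKnownHostsFile` can be pointed at a per-deployment file under the output directory. `ansible_ssh_host` and `ansible_become=yes` are the older spellings; `ansible_host` and `ansible_become=true` are the current ones.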
diff --git a/ansible/configs/selinux-policy/files/repos_template.j2 b/ansible/configs/selinux-policy/files/repos_template.j2
new file mode 100644
index 0000000..ca88e64
--- /dev/null
+++ b/ansible/configs/selinux-policy/files/repos_template.j2
@@ -0,0 +1,32 @@
+[rhel-7-server-rpms]
+name=Red Hat Enterprise Linux 7
+baseurl={{own_repo_path}}/rhel-7-server-rpms
+enabled=1
+gpgcheck=0
+
+[rhel-7-server-rh-common-rpms]
+name=Red Hat Enterprise Linux 7 Common
+baseurl={{own_repo_path}}/rhel-7-server-rh-common-rpms
+enabled=1
+gpgcheck=0
+
+[rhel-7-server-extras-rpms]
+name=Red Hat Enterprise Linux 7 Extras
+baseurl={{own_repo_path}}/rhel-7-server-extras-rpms
+enabled=1
+gpgcheck=0
+
+[rhel-7-server-optional-rpms]
+name=Red Hat Enterprise Linux 7 Optional
+baseurl={{own_repo_path}}/rhel-7-server-optional-rpms
+enabled=1
+gpgcheck=0
+
+[epel]
+name=Extra Packages for Enterprise Linux 7 - $basearch
+baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
+mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
+failovermethod=priority
+enabled=1
+gpgcheck=0
+#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
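Review bot: Every stanza sets `gpgcheck=0`, and the EPEL entries fetch over plain `http://`, so packages installed from these repositories are accepted without signature verification and can be replaced by anyone able to tamper with the mirror or the path to it. Set `gpgcheck=1` in each stanza and supply the key: for the EPEL stanza uncomment the existing `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7`, and for the four RHEL stanzas add `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, which ships with the OS. Switching the EPEL `baseurl` and `mirrorlist` to `https://` removes the cleartext hop as well; if `own_repo_path` can only serve unsigned rebuilt content, say so in a comment rather than leaving verification off silently.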
diff --git a/ansible/configs/selinux-policy/post_infra.yml b/ansible/configs/selinux-policy/post_infra.yml
new file mode 100644
index 0000000..e25481b
--- /dev/null
+++ b/ansible/configs/selinux-policy/post_infra.yml
@@ -0,0 +1,8 @@
+
+- name: Step 002 Post Infrastructure
+  hosts: localhost
+  gather_facts: false
+  become: false
+  tasks:
+    - debug:
+        msg: "Step 002 Post Infrastructure"
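Review bot: The file opens with a blank line and no `---` document marker, while destroy_env.yml, sample_vars.yml and software.yml in this same patch start with `---`; pre_infra.yml, pre_software.yml and post_software.yml have the same leading blank line. Starting each playbook with `---` on its first line (yamllint `document-start`) keeps the config uniform and makes multi-document handling unambiguous. The lowercase `gather_facts: false` / `become: false` used here is the form the other playbooks in this patch should match.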
diff --git a/ansible/configs/selinux-policy/post_software.yml b/ansible/configs/selinux-policy/post_software.yml
new file mode 100644
index 0000000..d637f70
--- /dev/null
+++ b/ansible/configs/selinux-policy/post_software.yml
@@ -0,0 +1,19 @@
+
+- name: Step 005 Post Software
+  hosts: localhost
+  gather_facts: false
+  become: false
+  tasks:
+    - debug:
+        msg: "Step 005 Post Software"
+
+- name: PostSoftware flight-check
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  tags:
+    - post_flight_check
+  tasks:
+    - debug:
+        msg: "Post-Software checks completed successfully"
diff --git a/ansible/configs/selinux-policy/pre_infra.yml b/ansible/configs/selinux-policy/pre_infra.yml
new file mode 100644
index 0000000..88897e5
--- /dev/null
+++ b/ansible/configs/selinux-policy/pre_infra.yml
@@ -0,0 +1,8 @@
+
+- name: Step 000 Pre Infrastructure
+  hosts: localhost
+  gather_facts: false
+  become: false
+  tasks:
+    - debug:
+        msg: "Step 000 Pre Infrastructure"
diff --git a/ansible/configs/selinux-policy/pre_software.yml b/ansible/configs/selinux-policy/pre_software.yml
new file mode 100644
index 0000000..418e8cb
--- /dev/null
+++ b/ansible/configs/selinux-policy/pre_software.yml
@@ -0,0 +1,51 @@
+
+- name: Step 003 Pre Software
+  hosts: localhost
+  gather_facts: false
+  become: false
+  tasks:
+    - debug:
+        msg: "Step 003 Pre Software"
+
+    - import_role:
+        name: infra-local-create-ssh_key
+      when: set_env_authorized_key | bool
+
+
+- name: Configure all hosts with Repositories, Common Files and Set environment key
+  hosts:
+    - all:!windows
+  become: true
+  gather_facts: False
+  tags:
+    - common_tasks
+  roles:
+    - role: set-repositories
+      when: repo_method is defined
+
+    - role: common
+      when: install_common | bool
+
+    - role: set_env_authorized_key
+      when: set_env_authorized_key | bool
+
+- name: Configuring Bastion Hosts
+  hosts: bastions
+  become: true
+  gather_facts: False
+  roles:
+    -  role: bastion
+       when: install_bastion | bool
+  tags:
+    - bastion_tasks
+
+- name: PreSoftware flight-check
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  tags:
+    - presoftware_flight_check
+  tasks:
+    - debug:
+        msg: "Pre-Software checks completed successfully"
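Review bot: The bastion play's role entry is written with two spaces after the dash (`-  role: bastion` followed by `   when: install_bastion | bool`), unlike the `- role:` entries in the preceding play; yamllint's `hyphens` rule flags the extra space, and `- role: bastion` with `when:` aligned under `role` reads the same as the siblings. `gather_facts: False` appears in two plays here against lowercase `false` in the others; `false` throughout avoids the 1.1/1.2 truthy ambiguity. The `hosts:` list `- all:!windows` is valid pattern syntax but reads as a typo at a glance; a short comment such as `# every host except the windows group` would help the next reader.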
diff --git a/ansible/configs/selinux-policy/sample_vars.yml b/ansible/configs/selinux-policy/sample_vars.yml
new file mode 100644
index 0000000..2ce5757
--- /dev/null
+++ b/ansible/configs/selinux-policy/sample_vars.yml
@@ -0,0 +1,39 @@
+---
+# Sample configuration file. 
+# Make a copy (e.g. my_sample_vars.yml) and change the settings to match your environment.
+#
+# Usage: 
+# 
+#   ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+#
+# To destroy your deployment:
+#
+#   ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+#
+
+env_type: simple-example      # Name of config to deploy
+output_dir: /tmp/workdir      # Writable working scratch directory
+node_instance_count: 2        # Number of nodes to deploy
+email: name@example.com       # User info for notifications
+
+guid: guid02                  # Unique string used in FQDN
+subdomain_base_suffix: .example.opentlc.com      # Your domain used in FQDN
+
+# Path to yum repos
+own_repo_path: http://admin.example.com/repos/version
+
+# Cloud specfic settings - example given here for AWS
+
+cloud_provider: ec2                     # Which AgnosticD Cloud Provider to use 
+aws_region: us-east-1                   # AWS Region to deploy in
+HostedZoneId: Z3IHLWJZOU9SRT            # You will need to change this
+
+key_name: ocpkey                        # Keyname must exist in AWS
+
+# DANGER ZONE
+#
+# AWS Credentials. These are required (don't sync them to your fork!!)
+# aws_access_key_id: 
+# aws_secret_access_key:
+# Create a file e.g. agnosticd/ansible/my_secret_vars.yml and put all your keys etc into it.
+#
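Review bot: The sample still points at the `simple-example` config although the file is added under `configs/selinux-policy/`: `env_type: simple-example` and both usage lines reference `configs/simple-example/my_sample_vars.yml`. If `env_type` is what selects the config to deploy (as its inline comment "Name of config to deploy" suggests), a user who copies this file as instructed deploys the wrong config; change to `env_type: selinux-policy` and `-e @configs/simple-example/my_sample_vars.yml` → `-e @configs/selinux-policy/my_sample_vars.yml` in both commands. Several comment lines ("Sample configuration file.", "Usage:", the blank `#` under it, and the cloud_provider comment) also carry trailing whitespace, which yamllint reports. Keeping the AWS credentials commented out and pointing to a separate vars file, as the DANGER ZONE section does, is the right approach.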
diff --git a/ansible/configs/selinux-policy/software.yml b/ansible/configs/selinux-policy/software.yml
new file mode 100644
index 0000000..523d97f
--- /dev/null
+++ b/ansible/configs/selinux-policy/software.yml
@@ -0,0 +1,123 @@
+---
+- name: Step 004 Environment specific Software
+  hosts: localhost
+  gather_facts: False
+  become: false
+  tasks:
+    - debug:
+        msg: "Software tasks Started"
+
+
+- name: Deploy Roles if infra_workloads defined
+  hosts:
+    - nodes
+  gather_facts: false
+  run_once: false
+  become: yes
+  tags:
+    - infra_workloads
+  tasks:
+  - name: apply infra workloads roles on nodes
+    when:
+    - infra_workloads|d("")|length > 0
+    block:
+      - name: Apply role "{{ workload_loop_var }}" on nodes
+        include_role:
+          name: "{{ workload_loop_var }}"
+        vars:
+          ACTION: "provision"
+        loop: "{{ infra_workloads.split(',')|list }}"
+        loop_control:
+          loop_var: workload_loop_var
+
+- name: Configure bastion for SELinux workshop
+  hosts: all
+  gather_facts: false
+  become: true
+  vars:
+    avc: |
+      '----
+      time->Mon Nov 17 01:45:36 2008
+      type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+      type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'
+
+  tasks:
+  - name: Install all needed packages
+    package:
+      state: present
+      name:
+        - selinux-policy-devel
+        - ansible
+        - policycoreutils
+        - policycoreutils-python-utils
+        - audit
+        - git
+        - setools-console
+        - selinux-policy-doc
+        - policycoreutils-newrole
+        - setroubleshoot-server
+        - make
+        - gcc-c++
+        - rpm-build
+        - libcurl-devel
+        - cockpit
+        - cockpit-dashboard
+        - cockpit-shell
+        - cockpit-system
+        - cockpit-ws
+        - subscription-manager-cockpit
+        - cockpit-composer
+        - cockpit-session-recording
+        - cockpit-machines
+        - cockpit-packagekit
+        - cockpit-podman
+        - cockpit-storaged
+
+  - name: Ensure cockpit is started
+    systemd:
+      name: "cockpit.socket"
+      state: "started"
+      enabled: true
+      daemon_reload: true
+
+  - name: Enable SELinux
+    selinux:
+      policy: targeted
+      state: enforcing
+
+  - name: Create testaudit file
+    copy:
+      mode: '0644'
+      owner: root
+      dest: /root/testaudit
+      content: "{{ avc  }}"
+
+  - name: Copy testaudit also to user dir
+    copy:
+      src: /root/testaudit
+      dest: /home/ec2-user
+      owner: ec2-user
+      group: ec2-user
+      mode: '0644'
+      force: true
+      remote_src: yes
+
+  - name: Create .vimrc in user home dir
+    copy:
+      content: ""
+      dest: /home/ec2-user/.vimrc
+      owner: ec2-user
+      group: ec2-user
+      mode: '0644'
+      force: no
+
+- name: Software flight-check
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  tags:
+    - post_flight_check
+  tasks:
+    - debug:
+        msg: "Software checks completed successfully"
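Review bot: The `avc` literal block scalar carries two stray quote characters into /root/testaudit: the leading `'` on the `'----` line and the trailing `'` after `key=(null)` are content inside a `|` block, so the file handed to students is not a clean audit excerpt; drop both, since a block scalar needs no quoting. The play named "Configure bastion for SELinux workshop" runs with `hosts: all`, so the package install, cockpit enablement and the test files land on every inventory host rather than the bastion only; `hosts: bastions` matches the play name and the pattern used for the bastion play in pre_software.yml. The same play hard-codes `ec2-user` and `/home/ec2-user` even though sample_vars.yml treats `cloud_provider` as a choice, so a variable for the workshop user would avoid a provider-specific assumption. Boolean spelling also mixes `become: yes`, `remote_src: yes` and `force: no` with `true`/`false` in the same file; yamllint's truthy rule flags the first form.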
diff --git a/ansible/roles/selinux-policy/README.adoc b/ansible/roles/selinux-policy/README.adoc
new file mode 100644
index 0000000..0fc2238
--- /dev/null
+++ b/ansible/roles/selinux-policy/README.adoc
@@ -0,0 +1,2 @@
+= selinux-policy role
+
diff --git a/ansible/roles/selinux-policy/defaults/main.yml b/ansible/roles/selinux-policy/defaults/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/ansible/roles/selinux-policy/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/selinux-policy/handlers/main.yml b/ansible/roles/selinux-policy/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/ansible/roles/selinux-policy/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/selinux-policy/tasks/main.yml b/ansible/roles/selinux-policy/tasks/main.yml
new file mode 100644
index 0000000..b702a94
--- /dev/null
+++ b/ansible/roles/selinux-policy/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Install all needed packages
+  block:
+    package:
+      state: present
+      name:
+        - selinux-policy-devel
+        - ansible
+        - policycoreutils
+        - policycoreutils-python-utils
+        - audit
+        - git
+        - setools-console
+        - selinux-policy-doc
+        - policycoreutils-newrole
+        - setroubleshoot-server
+        - make
+        - gcc-c++
+        - rpm-build
+        - libcurl-devel
+        - cockpit
+        - cockpit-dashboard
+        - cockpit-shell
+        - cockpit-system
+        - cockpit-ws
+        - subscription-manager-cockpit
+        - cockpit-composer
+        - cockpit-session-recording
+        - cockpit-machines
+        - cockpit-packagekit
+        - cockpit-podman
+        - cockpit-storaged
+    check_mode: yes
+
+- name: Ensure cockpit is started
+  systemd:
+    name: "cockpit.socket"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  check_mode: yes
+
+- name: Check if SELinux is in Enforcing state
+  selinux:
+    policy: targeted
+    state: enforcing
+  check_mode: yes
+
+- name: Check if testaudit file exists
+  stat:
+      path: /root/testaudit
+

--
Gitblit v1.9.3