--- # Copyright 2017, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Ensure SELinux packages are installed package: name: "{{ item }}" state: present with_items: - libselinux - libselinux-devel - checkpolicy - policycoreutils-python - name: Create directory for compiling SELinux role file: path: "/tmp/osa-neutron-selinux" state: directory mode: '0755' - name: Deploy SELinux policy source file copy: src: "osa-neutron.te" dest: "/tmp/osa-neutron-selinux/" owner: root group: root mode: "0755" # NOTE(mhayden): Linting checks are skipped here because there isn't a # reliable way to determine if this SELinux module is newer than the one that # is currently in use on the system. The linter expects there to be a # "creates" argument below. - name: Compile and load SELinux module command: "{{ item }}" args: chdir: "/tmp/osa-neutron-selinux/" with_items: - checkmodule -M -m -o osa-neutron.mod osa-neutron.te - semodule_package -o osa-neutron.pp -m osa-neutron.mod - semodule -i osa-neutron.pp tags: - skip_ansible_lint - name: Remove temporary directory file: path: "/tmp/osa-neutron-selinux/" state: absent - name: Stat neutron's log directory stat: path: "{{ neutron_log_dir }}" register: neutron_log_dir_check - name: Set SELinux file contexts for neutron's log directory sefcontext: target: "{{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir_check.stat.lnk_target, neutron_log_dir) }}(/.*)?" setype: neutron_log_t state: present register: selinux_file_context_log_files - name: Apply updated SELinux contexts on neutron log directory command: "restorecon -Rv {{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir_check.stat.lnk_target, neutron_log_dir) }}" when: - selinux_file_context_log_files | changed