
Thursday, 19 December 2019

EX294: modules - Security

0. Intro

There are no details right now [2019.12] about which modules count as "security" modules in EX294. Based on EX300, SELinux is a must.

  • The managed nodes need the SELinux Python bindings to run these modules: libselinux-python (python3-libselinux on RHEL 8); sefcontext and seport additionally need the policycoreutils bindings (policycoreutils-python, python3-policycoreutils on RHEL 8). The fastest way to meet this is to install the "setroubleshoot-server" package, which pulls them in.
  • All of these modules change system-wide policy, so they need "root" on the managed node: run them with become: yes.

1. selinux

'selinux' is a module maintained by the Ansible Core Team. It sets the SELinux mode both for the running system (temporarily) and in the config file (permanently). Basically, it does two things:
  • switch the running mode, the same as running 'setenforce 1' (enforcing) or 'setenforce 0' (permissive) by hand
  • modify /etc/selinux/config so the "SELINUX=xxx" line (and "SELINUXTYPE=", from 'policy') matches the requested state
Two caveats: 'policy' is required unless state is 'disabled', and a change to or from 'disabled' only takes effect after a reboot. The module does not reboot for you; it returns reboot_required: true so a later task can do it.
e.g.
- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing
More examples can be found by "ansible-doc selinux".

2. seboolean

Basically, the 'seboolean' module does what 'setsebool' does, and with persistent: yes what 'setsebool -P' (or 'semanage boolean') does. The default is persistent: no, so without that option the boolean is reset at the next reboot.
e.g.
- name: Set httpd_can_network_connect flag on and keep it persistent across reboots
  seboolean:
    name: httpd_can_network_connect
    state: yes
    persistent: yes
More examples can be found by "ansible-doc seboolean".

3. sefcontext

Basically, the 'sefcontext' module functions as the command tool "semanage fcontext" (state: present is 'semanage fcontext -a', state: absent is 'semanage fcontext -d').
  • 'sefcontext' is currently maintained by the Ansible community
  • 'sefcontext' is not guaranteed to be backward compatible.
  • this module does NOT run "restorecon" for you: it only adds the rule to the policy database, so files already on disk keep their old label until you run restorecon yourself (see the second task below).
e.g.
- name: Allow apache to modify files in /srv/git_repos
  sefcontext:
    target: '/srv/git_repos(/.*)?'
    setype: httpd_git_rw_content_t
    state: present

- name: Apply new SELinux file context to filesystem
  command: restorecon -irv /srv/git_repos
More examples can be found by "ansible-doc sefcontext".

4. seport

Basically, the 'seport' module functions as the command tool "semanage port" ('semanage port -a -t http_port_t -p tcp 8888' for the example below). 'ports' also accepts a comma-separated list or a range such as 8888-8890.
  • currently maintained by the Ansible community
  • not guaranteed to be backward compatible.
e.g.
- name: Allow Apache to listen on tcp port 8888
  seport:
    ports: 8888
    proto: tcp
    setype: http_port_t
    state: present
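The snippets above show each module on its own. Below is an added example (not from the original post) that wires all four of them, plus the prerequisite package, into one playbook for a realistic case: httpd serving a custom document root on a non-standard port. The host group "webservers", the paths /srv/www and the port 8080 are assumptions; the verification task at the end reads the effective settings back from the managed node so you can see what each module actually changed.

```yaml
---
# Added example: SELinux setup for a custom httpd deployment.
# Assumptions: hosts group "webservers", document root /srv/www, port 8080.
- name: SELinux configuration for a custom httpd deployment
  hosts: webservers
  become: true            # every SELinux module below needs root

  vars:
    web_root: /srv/www
    web_port: 8080

  tasks:
    - name: Install the Python bindings the SELinux modules depend on
      package:
        name:
          - python3-libselinux        # libselinux-python on RHEL 7
          - python3-policycoreutils   # policycoreutils-python on RHEL 7
        state: present

    - name: Make sure SELinux is enforcing with the targeted policy
      selinux:
        policy: targeted
        state: enforcing
      register: selinux_result

    # Going from disabled to enforcing only takes effect after a reboot
    # (the filesystem has to be relabelled); the module tells us so.
    - name: Reboot if the SELinux mode change needs it
      reboot:
      when: selinux_result.reboot_required

    - name: Let httpd open outbound network connections (survives reboot)
      seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true

    - name: Create the custom document root
      file:
        path: "{{ web_root }}"
        state: directory
        mode: "0755"

    - name: Register the document root as httpd content in the policy database
      sefcontext:
        target: "{{ web_root }}(/.*)?"
        setype: httpd_sys_content_t
        state: present
      register: fcontext_result

    # sefcontext only changes the policy database; files on disk keep
    # their old label until restorecon is run.
    - name: Relabel the document root
      command: restorecon -Rv {{ web_root }}
      register: restorecon_result
      changed_when: restorecon_result.stdout != ""

    - name: Allow httpd to bind the custom port
      seport:
        ports: "{{ web_port }}"
        proto: tcp
        setype: http_port_t
        state: present

    # Verification: read back what the managed node actually has now.
    - name: Collect the effective SELinux settings
      shell: |
        getenforce
        getsebool httpd_can_network_connect
        semanage port -l | grep '^http_port_t'
        matchpathcon {{ web_root }}
      register: selinux_state
      changed_when: false

    - name: Show the verification output
      debug:
        var: selinux_state.stdout_lines
```

Run it with "ansible-playbook selinux-httpd.yml". The 'changed_when' on the restorecon task keeps the play idempotent: restorecon -v prints a line only for files it actually relabels, so a second run reports no change. The verification task is deliberately a read-only shell task ('changed_when: false') so it never shows up as a change in the play recap; the expected output is "Enforcing", "httpd_can_network_connect --> on", a http_port_t line that includes 8080, and "/srv/www ... httpd_sys_content_t".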
