From 312b327ccde3fc37b4cbf6fe6bc28d7e38cc959e Mon Sep 17 00:00:00 2001 From: Sergei Petrosian <30409084+spetrosi@users.noreply.github.com> Date: Fri, 8 Sep 2023 15:13:03 +0200 Subject: [PATCH] docs(changelog): version 1.6.2 [citest skip] (#187) Update changelog and .README.html for version 1.6.2 Signed-off-by: Sergei Petrosian --- .README.html | 377 +++++++++++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.md | 38 ++++++ 2 files changed, 415 insertions(+) create mode 100644 .README.html diff --git a/.README.html b/.README.html new file mode 100644 index 0000000..ef4426d --- /dev/null +++ b/.README.html @@ -0,0 +1,377 @@ + + + + + + + + SELinux + + + + + + +
+
+

SELinux

+
+
+ +
+

Expected functionality

+

Essentially provide mechanisms to manage local customizations:

+ +

Requirements

+

Collection requirements

+

The role requires some SELinux modules. If you are using +ansible-core, you must get these from the +ansible.posix and community.general +collections. Use the file meta/collection-requirements.yml +to install these:

+
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
+

If you are using Ansible Engine 2.9, or are using an Ansible bundle +which includes these collections/modules, you should have to do +nothing.

+

Modules provided by this +repository

+

selinux_modules_facts

+

Gather state of SELinux modules

+

Role Variables

+

purge local modifications

+

By default, the modifications specified in +selinux_booleans, selinux_fcontexts, +selinux_ports and selinux_logins are applied +on top of pre-existing modifications. To purge local modifications prior +to setting new ones, set following variables to true:

+ +

You can purge all modifications by using +selinux_all_purge: true:

+
selinux_all_purge: true
+

selinux_policy, selinux_state

+

Manage the SELinux policy type and mode.

+
selinux_policy: targeted
+selinux_state: enforcing
+

Allowed values for selinux_state are +disabled, enforcing and +permissive.

+

If selinux_state is not set, the SELinux state is not +changed. If selinux_policy is not set and SELinux is to be +enabled, it defaults to targeted. If SELinux is already +enabled, the policy is not changed.

+

This uses the selinux +module to manage the SELinux mode and policy.

+

selinux_booleans

+

Manage the state of SELinux booleans. This is a list of +dict, where each dict is in the same format as +used by the seboolean +module.

+
selinux_booleans:
+  - {name: 'samba_enable_home_dirs', state: true}
+  - {name: 'ssh_sysadm_login', state: true, persistent: true}
+

selinux_fcontexts

+

Manage the state of SELinux file context mapping definitions. This is +a list of dict, where each dict +is in the same format as used by the sefcontext +module.

+
selinux_fcontexts:
+  - {target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present'}
+

Users may also pass the following optional parameters:

+ +

Individual modifications can be dropped by setting state +to absent.

+

selinux_ports

+

Manage the state of SELinux port policy. This is a list +of dict, where each dict is in the same format +as used by the seport +module.

+
selinux_ports:
+  - {ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present', local: true}
+

selinux_restore_dirs

+

This is a list of strings, where each string is a +filesystem tree where you want to run restorecon:

+
selinux_restore_dirs:
+  - /tmp/test_dir
+

selinux_logins

+

Manage the linux user to SELinux user mapping. This is a +list of dict, where each dict is +in the same format as used by the selogin +module.

+
selinux_logins:
+  - {login: 'plautrba', seuser: 'staff_u', state: 'absent'}
+  - {login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present'}
+

selinux_modules

+

It is possible to manage SELinux modules using +selinux_modules variable which would contain a +list of dict, e.g.:

+
selinux_modules:
+  - {path: 'localmodule.pp', state: 'enabled'}
+  - {path: 'localmodule.cil', priority: '350', state: 'enabled'}
+  - {name: 'unconfineduser', state: 'disabled'}
+  - {name: 'localmodule', priority: '350', state: 'absent'}
+ +

Note: Building modules from source on nodes is not +supported. However, in many cases a binary pp or cil +module could be used on different systems if all systems support types, +classes and permissions used in the module. In case of pp +module it also needs to be built with the lowest supported policydb +module version on target systems, i.e. on the oldest system.

+

Note: Module priorities are ignored in Red Hat +Enterprise Linux 6

+

Note: Managing modules is idempotent only on Fedora, +and EL 8.6 and later. You can manage modules on older releases, but it +will not be idempotent.

+

Ansible Facts

+

selinux_reboot_required

+

This custom fact is set to true if system reboot is +necessary when SELinux is set from disabled to +enabled or vice versa. Otherwise the fact is set to +false. In the case that system reboot is needed, it will be +indicated by returning failure from the role which needs to be handled +using a block:...rescue: construct. The reboot +needs to be performed in the playbook, the role itself never reboots the +managed host. After the reboot the role needs to be reapplied to finish +the changes.

+

selinux_installed_modules

+

This custom fact represents SELinux module store structure

+
"selinux_installed_modules": {
+  <module name>: {
+    <module priority>: ("enabled"|"disabled"),
+    ...
+  },
+  ...
+}
+

e.g.

+
"ansible_facts": {
+  "selinux_installed_modules": {
+    "abrt": {
+      "100": "enabled",
+      "400": "disabled"
+    },
+    "accountsd": {
+      "100": "enabled"
+    },
+    "acct": {
+      "100": "enabled"
+    }
+  }
+}
+

NOTE: Module priority is set to "0" when priorities +are not supported, e.g. on Red Hat Enterprise Linux 6

+

Examples

+

The general usage is demonstrated in selinux-playbook.yml +playbook.

+
+ + diff --git a/CHANGELOG.md b/CHANGELOG.md index f735d2c..6988271 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,44 @@ Changelog ========= +[1.6.2] - 2023-09-07 +-------------------- + +### Other Changes + +- ci: Add markdownlint, test_converting_readme, and build_docs workflows (#182) + + - markdownlint runs against README.md to avoid any issues with + converting it to HTML + - test_converting_readme converts README.md > HTML and uploads this test + artifact to ensure that conversion works fine + - build_docs converts README.md > HTML and pushes the result to the + docs branch to publish dosc to GitHub pages site. + - Fix markdown issues in README.md + + Signed-off-by: Sergei Petrosian + +- docs: Fix highlighting for code blocks to look nice (#183) + + For given code blocks yaml looks nicer, json marks some parts as errors. + +- docs: Make badges consistent, run markdownlint on all .md files (#185) + + - Consistently generate badges for GH workflows in README RHELPLAN-146921 + - Run markdownlint on all .md files + - Add custom-woke-action if not used already + - Rename woke action to Woke for a pretty badge + + Signed-off-by: Sergei Petrosian + +- ci: Remove badges from README.md prior to converting to HTML (#186) + + - Remove thematic break after badges + - Remove badges from README.md prior to converting to HTML + + Signed-off-by: Sergei Petrosian + + [1.6.1] - 2023-07-19 --------------------
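Review bot: the wording defects visible in the rendered .README.html should be fixed in README.md rather than in this generated file, otherwise the next build_docs run will reintroduce them: "you should have to do nothing" (under Collection requirements) should read "you should not have to do anything", and "set following variables to true:" (under purge local modifications) is not followed by any visible list items in this hunk, so confirm the converter preserved that list before publishing. Since the changelog in this same patch says build_docs already converts README.md to HTML and pushes the result to the docs branch, committing the 377-line HTML to the main tree duplicates that output and will drift from README.md; if it must be committed, the commit message should name the converter so reviewers can regenerate and diff it. Finally, the selinux_reboot_required section tells users to handle the role's deliberate failure with a block:/rescue: construct but gives no example of it; a short snippet there, or an explicit pointer to where selinux-playbook.yml does it, would keep users from treating that failure as an error.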
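Review bot: typo in the 1.6.2 entry of CHANGELOG.md: "publish dosc to GitHub pages site" should be "publish docs to the GitHub Pages site". The two "README.md > HTML" bullets would read better as "README.md to HTML", since ">" looks like a shell redirection. The "Signed-off-by: Sergei Petrosian" trailers copied into three of the bullets are commit metadata, not change description, and could be dropped from the changelog. Also, the entry is dated 2023-09-07 while the commit itself is dated 8 Sep 2023; confirm the release date is the intended one.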