selinux policy exceptions(for rpm hosts) during install

This commit is contained in:
Ibrahim Mkusa 2024-12-03 13:05:56 -05:00
parent 7a62c14784
commit 3b41466b79
3 changed files with 59 additions and 24 deletions

View File

@ -2,13 +2,13 @@
localhost
[dns]
192.168.2.236
[docker]
docker0 ansible_user=ansible
rhel0 ansible_user=ansible
rhel1 ansible_user=ansible
[aws]
[aws]
aws ansible_user=ubuntu
[helm]

View File

@ -6,7 +6,7 @@
vars:
runner_version: "2.321.0"
repository: https://github.com/iskm/maabara
labels: "test"
labels: "test,ultramarines"
user: ansible
roles:
- github_runner

View File

@ -1,6 +1,56 @@
---
# temporary set selinux to permissive
- name: put selinux in permissive mode, log avcs to create policies later
ansible.posix.selinux:
policy: targeted
state: permissive
become: true
when: ansible_os_family == "RedHat"
- name: configuring action runner
block:
- name: configure action runner on machine
ansible.builtin.shell: >
./config.sh --unattended --url {{repository}} --token {{token}} --replace
--name {{ansible_hostname}} --labels {{labels}}
args:
chdir: actions_runner
rescue:
- name: is an action runner already configured
ansible.builtin.debug:
msg: "{{ansible_failed_result}}"
- name: Skipping setup if runner already exists
when: "'already configured' in ansible_failed_result.stderr"
ansible.builtin.debug:
msg: "Action runner already running"
- name: setup and start github action runner as a service
block:
- name: Installing github action as a service
ansible.builtin.shell: >
./svc.sh install {{user}}
args:
chdir: actions_runner
become: true
rescue:
- name: Skipping setup if runner already exists
when: "'exists' in ansible_failed_result.stderr"
ansible.builtin.debug:
msg: "Action runner already running"
- name: start the service
ansible.builtin.shell: >
./svc.sh start
args:
chdir: actions_runner
become: true
- name: add a policy to allow service to run with selinux
ansible.builtin.shell: |
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
semodule -X 300 -i my-unsvcsh.pp
ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
semodule -X 300 -i my-NETDebugPipe.pp
ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
@ -10,8 +60,6 @@
ausearch -c 'node' --raw | audit2allow -M my-node
semodule -X 300 -i my-node.pp
setsebool -P domain_can_mmap_files 1
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
semodule -X 300 -i my-unsvcsh.pp
setsebool -P nis_enabled 1
ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
semodule -X 300 -i my-NETTPWorker.pp
@ -21,26 +69,13 @@
become: true
when: ansible_os_family == "RedHat"
- name: configure action runner on machine
ansible.builtin.shell: >
./config.sh --unattended --url {{repository}} --token {{token}} --replace
--name {{ansible_hostname}} --labels {{labels}}
args:
chdir: actions_runner
- name: setup and start github action runner as a service
ansible.builtin.shell: >
./svc.sh install {{user}}
args:
chdir: actions_runner
become: true
- name: start the service
ansible.builtin.shell: >
./svc.sh start
args:
chdir: actions_runner
# set selinux back to enforcing
- name: put selinux back to enforcing mode
ansible.posix.selinux:
policy: targeted
state: enforcing
become: true
when: ansible_os_family == "RedHat"
- name: display status of service
ansible.builtin.shell: >