Enforce SELinux on EL and Enable Apparmor in Ubuntu/Debian/SUSE

Ansible/roles/cloudstack-manager/tasks/centos.yml

@@ -12,12 +12,7 @@
 - name: Clear all yum cache
   command: yum clean all
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
 
 - name: Ensure CA Certs are latest
   yum: name=ca-certificates state=latest enablerepo=base

Ansible/roles/cloudstack-manager/tasks/centos8.yml

@@ -19,12 +19,7 @@
   file: path=/etc/hostname state=absent
   when: ansible_distribution_major_version == "7"
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
 
 - name: get name of eth0 connection
   shell: nmcli device show eth0 | grep 'GENERAL.CONNECTION' | awk -F ':' '{print $2}' | sed 's/^ *//'

Ansible/roles/cloudstack-manager/tasks/debian.yml

@@ -123,6 +123,8 @@
 - name: Ensure vhd-util is present
   get_url: url="{{ vhdutil_url }}" dest=/usr/share/cloudstack-common/scripts/vm/hypervisor/xenserver/vhd-util mode=0755
 
+- include: ../../../tasks/configure_apparmor.yml
+
 - include: ./setupdb.yml
 
 - name: Ensure CloudStack packages are installed (now that mgmt server "db.properties" and "key" files are present)

Ansible/roles/cloudstack-manager/tasks/el9.yml

@@ -29,12 +29,7 @@
     state: present
   tags: services
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
 
 - name: get name of eth0 connection
   shell: nmcli device show eth0 | grep 'GENERAL.CONNECTION' | awk -F ':' '{print $2}' | sed 's/^ *//'

Ansible/roles/cloudstack-manager/tasks/suse.yml

@@ -21,14 +21,7 @@
   shell: "zypper install -y python3-selinux"
   ignore_errors: yes
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-  ignore_errors: yes
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
-  ignore_errors: yes
+- include: ../../../tasks/configure_apparmor.yml
 
 - name: Allow connections on management server required ports with firewall
   shell: "firewall-cmd --zone=public --add-port={{ item }}/tcp --permanent"

Ansible/roles/cloudstack-manager/tasks/ubuntu.yml

@@ -119,6 +119,8 @@
 - name: Ensure vhd-util is present
   get_url: url="{{ vhdutil_url }}" dest=/usr/share/cloudstack-common/scripts/vm/hypervisor/xenserver/vhd-util mode=0755
 
+- include: ../../../tasks/configure_apparmor.yml
+
 - include: ./setupdb.yml
 
 - name: Ensure CloudStack packages are installed (now that mgmt server "db.properties" and "key" files are present)

Ansible/roles/kvm/tasks/centos.yml

@@ -15,14 +15,7 @@
   tags:
     - kvm
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-  tags:
-    - kvm
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
   tags:
     - kvm
 

Ansible/roles/kvm/tasks/centos8.yml

@@ -16,14 +16,7 @@
   tags:
     - kvm
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-  tags:
-    - kvm
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
   tags:
     - kvm
 

Ansible/roles/kvm/tasks/debian.yml

@@ -287,19 +287,10 @@
 - name: update /etc/libvirt/qemu.conf
   lineinfile: dest=/etc/libvirt/qemu.conf regexp='#vnc_listen = "0.0.0.0"' line='vnc_listen = "0.0.0.0"'
 
-- name: Symlink to disable
-  file: src=/etc/apparmor.d/usr.sbin.libvirtd dest=/etc/apparmor.d/disable/usr.sbin.libvirtd state=link
+- name: update security_driver to none in /etc/libvirt/qemu.conf
+  lineinfile: dest=/etc/libvirt/qemu.conf regexp='#security_driver' line='security_driver = "none"'
 
-- name: Symlink to disable
-  file: src=/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper dest=/etc/apparmor.d/disable/usr.lib.libvirt.virt-aa-helper state=link
-
-- name: Apparmor parser libvirt
-  shell: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
-  ignore_errors: yes
-
-- name: Apparmor parser libvirt helper
-  shell: apparmor_parser -R /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
-  ignore_errors: yes
+- include: ../../../tasks/configure_apparmor.yml
 
 - name: Delete DHCP leases file - bionic onwards
   file: path={{ item }} state=absent

Ansible/roles/kvm/tasks/el9.yml

@@ -30,14 +30,7 @@
   tags:
     - kvm
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-  tags:
-    - kvm
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
   tags:
     - kvm
 

Ansible/roles/kvm/tasks/suse.yml

@@ -30,18 +30,9 @@
   shell: "zypper install -y net-tools-deprecated"
   ignore_errors: yes # This package is deprecated. ignoring errors for older distros
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
+- include: ../../../tasks/configure_apparmor.yml
   tags:
     - kvm
-  ignore_errors: yes
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
-  tags:
-    - kvm
-  ignore_errors: yes
 
 - include: ./kvm_networking_bridge8.yml
   when: (not use_phys_hosts) and (kvm_network_mode == "bridge")

Ansible/roles/kvm/tasks/ubuntu.yml

@@ -361,19 +361,10 @@
 - name: update /etc/libvirt/qemu.conf
   lineinfile: dest=/etc/libvirt/qemu.conf regexp='#vnc_listen = "0.0.0.0"' line='vnc_listen = "0.0.0.0"'
 
-- name: Symlink to disable
-  file: src=/etc/apparmor.d/usr.sbin.libvirtd dest=/etc/apparmor.d/disable/usr.sbin.libvirtd state=link
+- name: update security_driver to none in /etc/libvirt/qemu.conf
+  lineinfile: dest=/etc/libvirt/qemu.conf regexp='#security_driver' line='security_driver = "none"'
 
-- name: Symlink to disable
-  file: src=/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper dest=/etc/apparmor.d/disable/usr.lib.libvirt.virt-aa-helper state=link
-
-- name: Apparmor parser libvirt
-  shell: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
-  ignore_errors: yes
-
-- name: Apparmor parser libvirt helper
-  shell: apparmor_parser -R /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
-  ignore_errors: yes
+- include: ../../../tasks/configure_apparmor.yml
 
 - name: Delete DHCP leases file - bionic onwards
   file: path={{ item }} state=absent

Ansible/roles/marvin/tasks/main.yml

@@ -28,13 +28,7 @@
 - name: Ensure sshpass is installed
   dnf: name=sshpass state=present
 
-- name: Put SELinux in permissive mode, logging actions that would be blocked.
-  selinux:
-    policy: targeted
-    state: permissive
-
-- name: set live selinux
-  command: setenforce permissive
+- include: ../../../tasks/configure_selinux.yml
 
 - name: sync time with mgmt server
   shell: date --set=`sshpass -p 'P@ssword123' ssh -o StrictHostKeyChecking=no root@{{ hostvars[groups['primary_cs_manager'][0]]['ansible_ssh_host'] }} 'date --iso-8601=seconds'`
@@ -75,6 +69,14 @@
     - marvin
     - marvin_cfg
 
+- name: Install mysql-connector-python 8.0.30 for Debian/SUSE
+  pip:
+    name: mysql-connector-python==8.0.30
+  when: mgmtsrv_template | lower is search("debian|suse")
+  tags:
+    - marvin
+    - marvin_cfg
+
 - name: retrieve environment data
   env_db_manage: DBHOST={{ env_db_ip }} DBUSER={{ env_db_user }} DBPASS={{ env_db_password }} DBNAME={{ env_db_name }} ENV_UUID={{ env_uuid }} ENV_NAME={{ env_name_clean }} ENV_ZONETYPE={{ env_zonetype }} ENV_SECGROUPS={{ env_zone_secgroups }} ENV_ACTION=retrieve
   tags:

Ansible/roles/mysql/tasks/centos.yml

@@ -30,12 +30,10 @@
   yum: name=MySQL-python state=present
   tags: services
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
+- include: ../../../tasks/configure_selinux.yml
+  tags:
+    - mysql
+    - mysqlconf
 
 - name: Ensure mysql server is installed (centos/rhel6)
   yum: name=mysql-server state=present

Ansible/roles/mysql/tasks/centos8.yml

@@ -37,17 +37,7 @@
     - mysql
     - mysqlconf
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-  tags:
-    - mysql
-    - mysqlconf
-
-- name: Ensure selinux is set permanently
-  selinux:
-    policy: targeted
-    state: permissive
+- include: ../../../tasks/configure_selinux.yml
   tags:
     - mysql
     - mysqlconf

Ansible/roles/mysql/tasks/el9.yml

@@ -37,17 +37,7 @@
     - mysql
     - mysqlconf
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
-  tags:
-    - mysql
-    - mysqlconf
-
-- name: Ensure selinux is set permanently
-  selinux:
-    policy: targeted
-    state: permissive
+- include: ../../../tasks/configure_selinux.yml
   tags:
     - mysql
     - mysqlconf

Ansible/roles/mysql/tasks/suse.yml

@@ -46,19 +46,10 @@
     - mysqlconf
   ignore_errors: yes
 
-- name: Set selinux to permissive
-  command: setenforce permissive
-  changed_when: false
+- include: ../../../tasks/configure_apparmor.yml
   tags:
     - mysql
     - mysqlconf
-  ignore_errors: yes
-
-- name: Ensure selinux is set permanently
-  selinux: policy=targeted state=permissive
-  tags:
-    - kvm
-  ignore_errors: yes
 
 - name: Check if mysql server is installed
   shell: rpm -q mysql-server

Ansible/tasks/configure_apparmor.yml

@@ -0,0 +1,21 @@
+---
+- name: Install apparmor-utils (Debian/Ubuntu)
+  apt:
+    pkg: apparmor-utils
+    state: present
+    update_cache: yes
+  when: ansible_distribution in ['Ubuntu', 'Debian']
+
+- name: Install apparmor-utils (SUSE)
+  shell: |
+     rpm -q apparmor-utils || zypper --non-interactive install apparmor-utils
+  when: ansible_distribution == 'SUSE'
+
+- name: Enable Apparmor enforce mode
+  shell: aa-enforce /etc/apparmor.d/*
+  changed_when: false
+
+- name: Check Apparmor status
+  command: aa-status
+  failed_when: false
+  changed_when: false

Ansible/tasks/configure_selinux.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Get current SELinux mode
+  command: getenforce
+  register: selinux_mode
+  failed_when: false
+  changed_when: false
+
+- name: Set SELinux to enforcing
+  command: setenforce Enforcing
+  changed_when: false
+  when:
+    - selinux_mode.rc == 0
+    - selinux_mode.stdout not in ['Enforcing', 'Disabled']
+
+- name: Ensure SELinux is set permanently
+  selinux:
+    policy: targeted
+    state: enforcing
+  when:
+    - selinux_mode.rc == 0
+    - selinux_mode.stdout != 'Disabled'
+
+- name: Check SELinux status
+  command: sestatus
+  failed_when: false
+  changed_when: false