Vathsa's DevOps - Command Line Selinux Ansible Firewall

 

SELinux RHEL 8 useful commands


# Re-apply a set of SELinux local customizations on an RHEL 8 host in one go.
# The heredoc is in the line format produced by `semanage export` (one semanage
# subcommand per line, presumably with blank lines ignored, as here), fed back
# through `semanage import`. Needs root.
#
# Read the list before running it:
#  * Each leading `<kind> -D` line deletes EVERY existing local customization
#    of that kind (booleans, login and user mappings, ports, file contexts,
#    permissive domains, ...) before the entries below are added, so anything
#    set by hand on the host and not listed here is lost.
#  * `boolean -m -1 NAME` turns NAME on. Several of these are broad:
#    domain_kernel_load_modules, domain_can_mmap_files,
#    virt_sandbox_use_all_caps, rsync_full_access and the *_dac_override /
#    *_execmem ones. The paths (/var/lib/kolla, /var/lib/tripleo-config,
#    neutron, swift) suggest an export from an OpenStack TripleO node --
#    confirm, and trim the list for any other kind of host.
#  * `fcontext -a` only records the rule; files that already exist keep their
#    current label until `restorecon -R` is run on the affected paths.
#  * `fcontext -a -e / /opt/rh/gcc-toolset-13/root` is a path equivalence:
#    files under that prefix are labelled as if they lived under /.
semanage import <<EOF

boolean -D

login -D

interface -D

user -D

port -D

node -D

fcontext -D

module -D

ibendport -D

ibpkey -D

permissive -D

boolean -m -1 collectd_tcp_network_connect

boolean -m -1 daemons_enable_cluster_mode

boolean -m -1 domain_can_mmap_files

boolean -m -1 domain_kernel_load_modules

boolean -m -1 glance_api_can_network

boolean -m -1 glance_use_execmem

boolean -m -1 glance_use_fusefs

boolean -m -1 haproxy_connect_any

boolean -m -1 httpd_can_network_connect

boolean -m -1 httpd_execmem

boolean -m -1 httpd_use_openstack

boolean -m -1 logrotate_read_inside_containers

boolean -m -1 neutron_can_network

boolean -m -1 nis_enabled

boolean -m -1 os_cinder_use_nfs

boolean -m -1 os_glance_dac_override

boolean -m -1 os_glance_use_nfs

boolean -m -1 os_glance_use_sudo

boolean -m -1 os_gnocchi_use_nfs

boolean -m -1 os_haproxy_dac_override

boolean -m -1 os_httpd_wsgi

boolean -m -1 os_keepalived_dac_override

boolean -m -1 os_keystone_use_execmem

boolean -m -1 os_neutron_use_execmem

boolean -m -1 os_nova_use_execmem

boolean -m -1 os_openvswitch_dac_override

boolean -m -1 os_swift_use_execmem

boolean -m -1 os_virtlog_dac_override

boolean -m -1 os_virtlogd_use_nfs

boolean -m -1 rsync_client

boolean -m -1 rsync_full_access

boolean -m -1 swift_can_network

boolean -m -1 virt_sandbox_use_all_caps

boolean -m -1 virt_sandbox_use_netlink

boolean -m -1 virt_use_execmem

boolean -m -1 virt_use_fusefs

boolean -m -1 virt_use_nfs

port -a -t mysqld_port_t -r 's0' -p tcp 4444

port -a -t ovsdb_port_t -r 's0' -p tcp 6639

port -a -t ovsdb_port_t -r 's0' -p tcp 6641

port -a -t ovsdb_port_t -r 's0' -p tcp 6642

port -a -t openvswitch_port_t -r 's0' -p tcp 6653

port -a -t http_port_t -r 's0' -p tcp 8000

port -a -t http_port_t -r 's0' -p tcp 8088

port -a -t http_port_t -r 's0' -p tcp 8787

port -a -t http_port_t -r 's0' -p tcp 13787

fcontext -a -f a -t httpd_sys_content_t -r 's0' '/httpboot(/.*)?'

fcontext -a -f a -t tftpdir_t -r 's0' '/tftpboot(/.*)?'

fcontext -a -f a -t neutron_exec_t -r 's0' '/usr/bin/neutron-rootwrap-daemon'

fcontext -a -f a -t neutron_exec_t -r 's0' '/usr/bin/neutron-vpn-agent'

fcontext -a -f a -t swift_exec_t -r 's0' '/usr/bin/swift-object-reconstructor'

fcontext -a -f a -t swift_exec_t -r 's0' '/usr/bin/swift-object-relinker'

fcontext -a -f a -t swift_var_cache_t -r 's0' '/var/cache/swift(/.*)?'

fcontext -a -f a -t container_file_t -r 's0' '/var/lib/config-data(/.*)?'

fcontext -a -f a -t named_zone_t -r 's0' '/var/lib/designate/bind9(/.*)?'

fcontext -a -f a -t container_file_t -r 's0' '/var/lib/kolla(/.*)?'

fcontext -a -f a -t mongod_var_lib_t -r 's0' '/var/lib/mongodb(/.*)?'

fcontext -a -f a -t ssh_home_t -r 's0' '/var/lib/nova/.ssh(/.*)?'

fcontext -a -f a -t httpd_var_lib_t -r 's0' '/var/lib/openstack-dashboard'

fcontext -a -f a -t container_file_t -r 's0' '/var/lib/tripleo-config(/.*)?'

fcontext -a -f a -t virt_cache_t -r 's0' '/var/lib/vhost_sockets(/.*)?'

fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/aodh/app.log'

fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/ceilometer/app.log'

fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/gnocchi/app.log'

fcontext -a -f a -t cluster_var_log_t -r 's0' '/var/log/pacemaker.log.*'

fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/panko/app.log'

fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/zaqar/zaqar.log'

fcontext -a -e / /opt/rh/gcc-toolset-13/root

EOF


Via Ansible

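# SELinux customizations for an RHEL 8 host, applied with semanage.
# Every task needs root: run the play with `become: true` (or set it per task).
#
# NOTE(review): the booleans and paths (/var/lib/kolla, /var/lib/tripleo-config,
# neutron, swift) look like an OpenStack TripleO node's customizations -- confirm
# before applying these elsewhere. Several booleans widen policy a lot:
# domain_kernel_load_modules, domain_can_mmap_files, virt_sandbox_use_all_caps,
# rsync_full_access and the *_dac_override / *_execmem ones.

# One looped task replaces 37 identical `command:` tasks; the command run for
# each boolean is unchanged. `semanage boolean -m --on` writes the value to the
# policy store, so `command:` reports "changed" on every run -- the seboolean
# module (persistent: yes) is the idempotent equivalent if that matters.
- name: Turn on SELinux booleans
  command: semanage boolean -m --on {{ item }}
  loop:
    - collectd_tcp_network_connect
    - daemons_enable_cluster_mode
    - domain_can_mmap_files
    - domain_kernel_load_modules
    - glance_api_can_network
    - glance_use_execmem
    - glance_use_fusefs
    - haproxy_connect_any
    - httpd_can_network_connect
    - httpd_execmem
    - httpd_use_openstack
    - logrotate_read_inside_containers
    - neutron_can_network
    - nis_enabled
    - os_cinder_use_nfs
    - os_glance_dac_override
    - os_glance_use_nfs
    - os_glance_use_sudo
    - os_gnocchi_use_nfs
    - os_haproxy_dac_override
    - os_httpd_wsgi
    - os_keepalived_dac_override
    - os_keystone_use_execmem
    - os_neutron_use_execmem
    - os_nova_use_execmem
    - os_openvswitch_dac_override
    - os_swift_use_execmem
    - os_virtlog_dac_override
    - os_virtlogd_use_nfs
    - rsync_client
    - rsync_full_access
    - swift_can_network
    - virt_sandbox_use_all_caps
    - virt_sandbox_use_netlink
    - virt_use_execmem
    - virt_use_fusefs
    - virt_use_nfs

# `semanage port -D` first deletes EVERY local port customization on the host,
# so any port added by hand and not listed here is lost on each run.
# `set -e` is needed because the shell module only reports the exit status of
# the last command: without it a failed `-D` or `-a` line is silently masked
# by the lines after it.
- name: Set up port customizations
  shell: |
    set -e
    semanage port -D
    semanage port -a -t mysqld_port_t -r 's0' -p tcp 4444
    semanage port -a -t ovsdb_port_t -r 's0' -p tcp 6639
    semanage port -a -t ovsdb_port_t -r 's0' -p tcp 6641
    semanage port -a -t ovsdb_port_t -r 's0' -p tcp 6642
    semanage port -a -t openvswitch_port_t -r 's0' -p tcp 6653
    semanage port -a -t http_port_t -r 's0' -p tcp 8000
    semanage port -a -t http_port_t -r 's0' -p tcp 8088
    semanage port -a -t http_port_t -r 's0' -p tcp 8787
    semanage port -a -t http_port_t -r 's0' -p tcp 13787

# Same pattern as the ports task: `fcontext -D` wipes all local file-context
# rules first, and `set -e` stops the block at the first failing line.
# `fcontext -a` only records a rule; files that already exist keep their current
# label until `restorecon -R` is run on the affected paths, which this task does
# not do. The last line is a path equivalence: files under
# /opt/rh/gcc-toolset-13/root are labelled as if they lived under /.
- name: Set up fcontext customizations
  shell: |
    set -e
    semanage fcontext -D
    semanage fcontext -a -f a -t httpd_sys_content_t -r 's0' '/httpboot(/.*)?'
    semanage fcontext -a -f a -t tftpdir_t -r 's0' '/tftpboot(/.*)?'
    semanage fcontext -a -f a -t neutron_exec_t -r 's0' '/usr/bin/neutron-rootwrap-daemon'
    semanage fcontext -a -f a -t neutron_exec_t -r 's0' '/usr/bin/neutron-vpn-agent'
    semanage fcontext -a -f a -t swift_exec_t -r 's0' '/usr/bin/swift-object-reconstructor'
    semanage fcontext -a -f a -t swift_exec_t -r 's0' '/usr/bin/swift-object-relinker'
    semanage fcontext -a -f a -t swift_var_cache_t -r 's0' '/var/cache/swift(/.*)?'
    semanage fcontext -a -f a -t container_file_t -r 's0' '/var/lib/config-data(/.*)?'
    semanage fcontext -a -f a -t named_zone_t -r 's0' '/var/lib/designate/bind9(/.*)?'
    semanage fcontext -a -f a -t container_file_t -r 's0' '/var/lib/kolla(/.*)?'
    semanage fcontext -a -f a -t mongod_var_lib_t -r 's0' '/var/lib/mongodb(/.*)?'
    semanage fcontext -a -f a -t ssh_home_t -r 's0' '/var/lib/nova/.ssh(/.*)?'
    semanage fcontext -a -f a -t httpd_var_lib_t -r 's0' '/var/lib/openstack-dashboard'
    semanage fcontext -a -f a -t container_file_t -r 's0' '/var/lib/tripleo-config(/.*)?'
    semanage fcontext -a -f a -t virt_cache_t -r 's0' '/var/lib/vhost_sockets(/.*)?'
    semanage fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/aodh/app.log'
    semanage fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/ceilometer/app.log'
    semanage fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/gnocchi/app.log'
    semanage fcontext -a -f a -t cluster_var_log_t -r 's0' '/var/log/pacemaker.log.*'
    semanage fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/panko/app.log'
    semanage fcontext -a -f a -t httpd_log_t -r 's0' '/var/log/zaqar/zaqar.log'
    semanage fcontext -a -e / /opt/rh/gcc-toolset-13/root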
