|
|
|
@ -25,9 +25,9 @@ description:
|
|
|
|
- Manages SELinux network port type definitions.
|
|
|
|
- Manages SELinux network port type definitions.
|
|
|
|
version_added: "1.7.1"
|
|
|
|
version_added: "1.7.1"
|
|
|
|
options:
|
|
|
|
options:
|
|
|
|
port:
|
|
|
|
ports:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Port number or port range
|
|
|
|
- Ports or port ranges, separated by a comma
|
|
|
|
required: true
|
|
|
|
required: true
|
|
|
|
default: null
|
|
|
|
default: null
|
|
|
|
proto:
|
|
|
|
proto:
|
|
|
|
@ -61,11 +61,11 @@ author: Dan Keder
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
EXAMPLES = '''
|
|
|
|
# Allow Apache to listen on tcp port 8888
|
|
|
|
# Allow Apache to listen on tcp port 8888
|
|
|
|
- seport: port=8888 proto=tcp setype=http_port_t state=present
|
|
|
|
- seport: ports=8888 proto=tcp setype=http_port_t state=present
|
|
|
|
# Allow sshd to listen on tcp port 8991
|
|
|
|
# Allow sshd to listen on tcp port 8991
|
|
|
|
- seport: port=8991 proto=tcp setype=ssh_port_t state=present
|
|
|
|
- seport: ports=8991 proto=tcp setype=ssh_port_t state=present
|
|
|
|
# Allow memcached to listen on tcp ports 10000-10100
|
|
|
|
# Allow memcached to listen on tcp ports 10000-10100 and 10112
|
|
|
|
- seport: port=10000-10100 proto=tcp setype=memcache_port_t state=present
|
|
|
|
- seport: ports=10000-10100,10112 proto=tcp setype=memcache_port_t state=present
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
try:
|
|
|
|
@ -104,14 +104,14 @@ def semanage_port_exists(seport, port, proto):
|
|
|
|
return record in seport.get_all()
|
|
|
|
return record in seport.get_all()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def semanage_port_add(module, port, proto, setype, do_reload, serange='s0', sestore=''):
|
|
|
|
def semanage_port_add(module, ports, proto, setype, do_reload, serange='s0', sestore=''):
|
|
|
|
""" Add SELinux port type definition to the policy.
|
|
|
|
""" Add SELinux port type definition to the policy.
|
|
|
|
|
|
|
|
|
|
|
|
:type module: AnsibleModule
|
|
|
|
:type module: AnsibleModule
|
|
|
|
:param module: Ansible module
|
|
|
|
:param module: Ansible module
|
|
|
|
|
|
|
|
|
|
|
|
:type port: basestring
|
|
|
|
:type ports: list
|
|
|
|
:param port: Port or port range to add (example: "8080", "8080-9090")
|
|
|
|
:param ports: List of ports and port ranges to add (e.g. ["8080", "8080-9090"])
|
|
|
|
|
|
|
|
|
|
|
|
:type proto: basestring
|
|
|
|
:type proto: basestring
|
|
|
|
:param proto: Protocol ('tcp' or 'udp')
|
|
|
|
:param proto: Protocol ('tcp' or 'udp')
|
|
|
|
@ -133,10 +133,11 @@ def semanage_port_add(module, port, proto, setype, do_reload, serange='s0', sest
|
|
|
|
"""
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
try:
|
|
|
|
seport = seobject.portRecords(sestore)
|
|
|
|
seport = seobject.portRecords(sestore)
|
|
|
|
change = not semanage_port_exists(seport, port, proto)
|
|
|
|
seport.set_reload(do_reload)
|
|
|
|
if change and not module.check_mode:
|
|
|
|
for port in ports:
|
|
|
|
seport.set_reload(do_reload)
|
|
|
|
change = not semanage_port_exists(seport, port, proto)
|
|
|
|
seport.add(port, proto, serange, setype)
|
|
|
|
if change and not module.check_mode:
|
|
|
|
|
|
|
|
seport.add(port, proto, serange, setype)
|
|
|
|
|
|
|
|
|
|
|
|
except ValueError as e:
|
|
|
|
except ValueError as e:
|
|
|
|
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
|
|
|
|
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
|
|
|
|
@ -152,14 +153,14 @@ def semanage_port_add(module, port, proto, setype, do_reload, serange='s0', sest
|
|
|
|
return change
|
|
|
|
return change
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def semanage_port_del(module, port, proto, do_reload, sestore=''):
|
|
|
|
def semanage_port_del(module, ports, proto, do_reload, sestore=''):
|
|
|
|
""" Delete SELinux port type definition from the policy.
|
|
|
|
""" Delete SELinux port type definition from the policy.
|
|
|
|
|
|
|
|
|
|
|
|
:type module: AnsibleModule
|
|
|
|
:type module: AnsibleModule
|
|
|
|
:param module: Ansible module
|
|
|
|
:param module: Ansible module
|
|
|
|
|
|
|
|
|
|
|
|
:type port: basestring
|
|
|
|
:type ports: list
|
|
|
|
:param port: Port or port range to delete (example: "8080", "8080-9090")
|
|
|
|
:param ports: List of ports and port ranges to delete (e.g. ["8080", "8080-9090"])
|
|
|
|
|
|
|
|
|
|
|
|
:type proto: basestring
|
|
|
|
:type proto: basestring
|
|
|
|
:param proto: Protocol ('tcp' or 'udp')
|
|
|
|
:param proto: Protocol ('tcp' or 'udp')
|
|
|
|
@ -175,10 +176,11 @@ def semanage_port_del(module, port, proto, do_reload, sestore=''):
|
|
|
|
"""
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
try:
|
|
|
|
seport = seobject.portRecords(sestore)
|
|
|
|
seport = seobject.portRecords(sestore)
|
|
|
|
change = not semanage_port_exists(seport, port, proto)
|
|
|
|
seport.set_reload(do_reload)
|
|
|
|
if change and not module.check_mode:
|
|
|
|
for port in ports:
|
|
|
|
seport.set_reload(do_reload)
|
|
|
|
change = not semanage_port_exists(seport, port, proto)
|
|
|
|
seport.delete(port, proto)
|
|
|
|
if change and not module.check_mode:
|
|
|
|
|
|
|
|
seport.delete(port, proto)
|
|
|
|
|
|
|
|
|
|
|
|
except ValueError as e:
|
|
|
|
except ValueError as e:
|
|
|
|
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
|
|
|
|
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
|
|
|
|
@ -197,7 +199,7 @@ def semanage_port_del(module, port, proto, do_reload, sestore=''):
|
|
|
|
def main():
|
|
|
|
def main():
|
|
|
|
module = AnsibleModule(
|
|
|
|
module = AnsibleModule(
|
|
|
|
argument_spec={
|
|
|
|
argument_spec={
|
|
|
|
'port': {
|
|
|
|
'ports': {
|
|
|
|
'required': True,
|
|
|
|
'required': True,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
'proto': {
|
|
|
|
'proto': {
|
|
|
|
@ -228,22 +230,23 @@ def main():
|
|
|
|
if not selinux.is_selinux_enabled():
|
|
|
|
if not selinux.is_selinux_enabled():
|
|
|
|
module.fail_json(msg="SELinux is disabled on this host.")
|
|
|
|
module.fail_json(msg="SELinux is disabled on this host.")
|
|
|
|
|
|
|
|
|
|
|
|
port = module.params['port']
|
|
|
|
ports = [x.strip() for x in module.params['ports'].split(',')]
|
|
|
|
proto = module.params['proto']
|
|
|
|
proto = module.params['proto']
|
|
|
|
setype = module.params['setype']
|
|
|
|
setype = module.params['setype']
|
|
|
|
state = module.params['state']
|
|
|
|
state = module.params['state']
|
|
|
|
do_reload = module.params['reload']
|
|
|
|
do_reload = module.params['reload']
|
|
|
|
|
|
|
|
|
|
|
|
result = {}
|
|
|
|
result = {
|
|
|
|
result['port'] = port
|
|
|
|
'ports': ports,
|
|
|
|
result['proto'] = proto
|
|
|
|
'proto': proto,
|
|
|
|
result['setype'] = setype
|
|
|
|
'setype': setype,
|
|
|
|
result['state'] = state
|
|
|
|
'state': state,
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if state == 'present':
|
|
|
|
if state == 'present':
|
|
|
|
result['changed'] = semanage_port_add(module, port, proto, setype, do_reload)
|
|
|
|
result['changed'] = semanage_port_add(module, ports, proto, setype, do_reload)
|
|
|
|
elif state == 'absent':
|
|
|
|
elif state == 'absent':
|
|
|
|
result['changed'] = semanage_port_del(module, port, proto, do_reload)
|
|
|
|
result['changed'] = semanage_port_del(module, ports, proto, do_reload)
|
|
|
|
else:
|
|
|
|
else:
|
|
|
|
module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))
|
|
|
|
module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))
|
|
|
|
|
|
|
|
|
|
|
|
|
Dan Keder
9 years ago
committed by