
Merge pull request #843 from Bhagyashree-shetty/devel

Issue #842: Apparmor installation on Leap and SELinux enabling on rocky
Sujit Jadhav 3 роки тому
батько
коміт
9dc03b28b3

+ 0 - 22
control_plane/roles/control_plane_common/tasks/pre_requisite.yml

@@ -80,28 +80,6 @@
   register: os_value
   tags: [ init, validate ]
 
-- block:
-    - name: Fetch SElinux mode
-      command: sestatus
-      register: sestatus_current
-      changed_when: false
-
-    - name: Disable SElinux
-      replace:
-        path: /etc/sysconfig/selinux
-        regexp: 'SELINUX=[a-z]+'
-        replace: 'SELINUX=disabled'
-      when: '"SELinux status: enabled" in sestatus_current.stdout_lines'
-
-    - name: Status of SElinux
-      fail:
-        msg: "{{ selinux_status }}"
-      when: '"SELinux status: enabled" in sestatus_current.stdout_lines'
-      register: selinux_value
-  tags: init
-  when:
-    - os_supported_leap not in mgmt_os
-
 - name: State of firewall
   service:
     name: firewalld

+ 0 - 4
control_plane/roles/control_plane_k8s/tasks/k8s_installation.yml

@@ -19,10 +19,6 @@
     fstype: swap
     state: absent
 
-- name: Disable selinux
-  selinux:
-    state: disabled
-
 - name: Copy k8s.conf file
   copy:
     src: k8s.conf

+ 27 - 0
control_plane/roles/control_plane_security/tasks/install_apparmor.yml

@@ -0,0 +1,27 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install apparmor-utils on Leap
+  zypper:
+    name: "{{ item }}"
+    state: present
+  changed_when: false
+  with_items:
+    - apparmor-utils
+    - apparmor-profiles
+  
+- name: Enable Apparmor
+  command: rcapparmor start
+  changed_when: false
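Review bot: `command: rcapparmor start` on the last task of the hunk is neither idempotent nor boot-persistent: it runs an init-script wrapper on every play, `changed_when: false` hides whether AppArmor was actually started, and nothing in the hunk enables the service at boot (unless the Leap image already does so, which the file should not assume). The same `changed_when: false` on the zypper task hides whether the packages were installed, and the blank line between the two tasks carries trailing whitespace. Replacing the command with the `service` module (`name: apparmor`, `state: started`, `enabled: true`) gives an idempotent, reboot-surviving enable, and passing the package list directly to `name:` removes the `with_items` loop. The same two tasks are duplicated in roles/login_node/tasks/install_apparmor.yml and need the same treatment.
```yaml
# … unchanged: license header and document start …
- name: Install apparmor-utils on Leap
  zypper:
    name:
      - apparmor-utils
      - apparmor-profiles
    state: present

- name: Enable Apparmor
  service:
    name: apparmor
    state: started
    enabled: true
```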

+ 4 - 1
control_plane/roles/control_plane_security/tasks/main.yml

@@ -39,6 +39,9 @@
     - block:
         - name: Install 389 directory server
           include_tasks: install_389ds.yml
+
+        - name: Install Apparmor on Leap
+          include_tasks: install_apparmor.yml
       when: os_supported_leap in mgmt_os
       
     - name: Install snoopy
@@ -53,4 +56,4 @@
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
-  when: enable_security_support
+  when: enable_security_support

+ 0 - 5
roles/common/tasks/main.yml

@@ -73,11 +73,6 @@
         fstype: swap
         state: absent
 
-    - name: Disable selinux
-      selinux:
-        state: disabled
-      tags: install
-
     - name: Install common packages
       package:
         name: "{{ common_packages }}"

+ 30 - 0
roles/login_node/tasks/install_apparmor.yml

@@ -0,0 +1,30 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install and enable Apparmor on Leap
+  block:
+    - name: Install apparmor-utils on Leap
+      zypper:
+        name: "{{ item }}"
+        state: present
+      changed_when: false
+      with_items:
+        - apparmor-utils
+        - apparmor-profiles
+
+    - name: Enable Apparmor
+      command: rcapparmor start
+      changed_when: false
+  when: os_leap in ansible_distribution | lower
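Review bot: The block guard on the last line, `when: os_leap in ansible_distribution | lower`, makes this file self-guarding, while the near-identical copy in control_plane/roles/control_plane_security/tasks/install_apparmor.yml carries no guard and relies on the including block's `when: os_supported_leap in mgmt_os`; the two copies express the same Leap check with different variables and at different levels. Consolidating into one shared task file, or at least aligning the guard style and variable, keeps a future change to the Leap detection in one place. The expression also requires `ansible_distribution` to have been gathered, which presumably holds for this role — confirm fact gathering is not disabled for login nodes.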

+ 3 - 0
roles/login_node/tasks/main.yml

@@ -23,6 +23,9 @@
     - block:
         - name: FreeIPA configuration
           include_tasks: ipa_configuration.yml
+
+        - name: Install Apparmor on Leap
+          include_tasks: install_apparmor.yml
           
         - name: Install snoopy
           include_tasks: install_snoopy.yml