add selinux tasks; restructuring

2019-02-12 23:31:40 +01:00 · 2019-02-12 23:31:40 +01:00 · a2c3af18ca
commit a2c3af18ca
parent 10a46a1d51
6 changed files with 51 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,6 +1,8 @@
 ---
 # not working currently
 cups_version: 2.2.10
+cups_admin_username: cupsadm
+cups_admin_password: secure

 cups_bind_url:
  - localhost:631
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -13,11 +13,13 @@
      yum:
        name: "{{ __cups_rpm_files }}"
        state: present
+      notify: __cupsd_restart

    - name: Install custom driver packages
      yum:
        name: "{{ cups_custom_driver_packages }}"
        state: present
+      notify: __cupsd_restart

    - name: Deploy global config files
      template:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,5 +1,8 @@
 ---
+- include_tasks: prepare.yml
 - include_tasks: install.yml
+- include_tasks: selinux.yml
+  when: ansible_selinux
 - import_tasks: nginx.yml
  when: cups_nginx_vhost_enabled
 - include_tasks: post_tasks.yml
--- a/tasks/prepare.yml
+++ b/tasks/prepare.yml
@ -0,0 +1,10 @@
+---
+- block:
+    - name: Create user '{{ cups_admin_username }}'
+      user:
+        comment: Cups Admin
+        name: "{{ cups_admin_username }}"
+        password: "{{ cups_admin_password }}"
+        groups: printadmin
+  become: True
+  become_user: root
--- a/tasks/selinux.yml
+++ b/tasks/selinux.yml
@ -0,0 +1,32 @@
+---
+- block:
+    - name: Add SELinux file context mapping definitions
+      sefcontext:
+        target: "{{ item.target }}"
+        setype: "{{ item.setype }}"
+        state: present
+      loop:
+        - { target: '/opt/brother', setype: 'bin_t' }
+        - { target: '/etc/opt/brother', setype: 'cupsd_rw_etc_t' }
+        - { target: '/opt/brother/Printers/(.*/)?inf(/.*)?', setype: 'cupsd_rw_etc_t' }
+        - { target: '/opt/brother/Printers/(.*/)?lpd(/.*)?', setype: 'bin_t' }
+        - { target: '/opt/brother/Printers/(.*/)?cupswrapper(/.*)?', setype: 'bin_t' }
+      notify: __cupsd_restart
+
+    - name: Apply new SELinux file context to filesystem
+      command: "restorecon {{ item }}"
+      loop:
+        - -R /opt/brother
+        - -R /etc/opt/brother
+        - -R /opt/brother/Printers
+        - -RFv /usr/lib/cups/filter
+      notify: __cupsd_restart
+
+    - name: Allow cups execmem/execstack
+      seboolean:
+        name: cups_execmem
+        state: yes
+        persistent: yes
+      notify: __cupsd_restart
+  become: True
+  become_user: root
--- a/templates/etc/cups/cupsd.conf.j2
+++ b/templates/etc/cups/cupsd.conf.j2
@ -36,6 +36,8 @@ WebInterface Yes

 # Restrict access to the admin pages...
 <Location /admin>
+  AuthType Default
+  Require user @SYSTEM
  Order allow,deny
 </Location>