validations-common/doc/source/roles/role-validate_selinux.rst
Gael Chamoulaud (Strider) 28c7af3ea1
[validate_selinux] Add role documentation in sphinx
This patch adds the documentation directly in the sphinx role
documentation index. All variables have been commented with a proper
description to be included automatically in the sphinx build.

This patch changes the default value for the
validate_selinux_working_dir variable to /tmp instead of
/var/log/validations to be consistent with the default used in the
playbook.

Moreover, this validation will warn the user when Untracked SELinux AVCs
are found instead of using the debug module and the strict mode
information is now displayed at the end.

NB: this patch also explicitly disables fact gathering because this
validation doesn't need it.

Change-Id: Id337cbd89ab9368ee7e02d9c710861b134929ec7
Signed-off-by: Gael Chamoulaud (Strider) <gchamoul@redhat.com>
2021-06-29 11:17:36 +02:00


validate_selinux
================

About The Role
--------------

An Ansible role to ensure we don't have any SELinux denials on the host(s).

Requirements
------------

No requirements.

Dependencies
------------

No dependencies.

Example Playbook
----------------

.. code-block:: yaml

    - hosts: localhost
      gather_facts: false
      vars:
        validate_selinux_working_dir: /tmp
        validate_selinux_audit_source: /var/log/audit/audit.log
        validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
        validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
        validate_selinux_strict: false
        validate_selinux_filter: "None"
        validate_selinux_skip_list:
          - entry: 'tcontext=system_u:system_r:init_t'
            comment: 'This one is a real-life entry'
          - entry: 'tcontext=system_u:system_r:system_dbusd_t'
            comment: 'This one is another real-life entry'
      roles:
        - validate_selinux
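The filtering that the playbook variables above configure (audit source, skip list, optional filter, strict mode), as an added Python example written for this page rather than taken from the role's own Ansible tasks. It assumes skip-list entries and the filter are matched as plain substrings of each AVC record, and the audit lines are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of audit.log lines (hypothetical, not real captures).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1624957000.123:456): avc:  denied  { read } for  pid=1234 comm="systemd" name="foo" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1624957000.123:456): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1624957001.500:457): avc:  denied  { write } for  pid=2345 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1624957002.000:458): avc:  denied  { send_msg } for  pid=3456 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=0
"""

# Same shape as validate_selinux_skip_list in the playbook above.
SKIP_LIST = [
    {"entry": "tcontext=system_u:system_r:init_t", "comment": "This one is a real-life entry"},
    {"entry": "tcontext=system_u:system_r:system_dbusd_t", "comment": "This one is another real-life entry"},
]

# Audit records separate "avc:" and "denied" with a run of spaces.
AVC_DENIED = re.compile(r"\bavc:\s+denied\b")


def extract_denials(audit_text: str) -> List[str]:
    """Keep only AVC denial records; SYSCALL and other record types are dropped."""
    return [line for line in audit_text.splitlines() if AVC_DENIED.search(line)]


def apply_skip_list(denials: List[str], skip_list: List[Dict[str, str]]) -> List[str]:
    """Drop denials containing any skip-list entry (assumed plain substring match)."""
    return [d for d in denials if not any(item["entry"] in d for item in skip_list)]


def apply_filter(denials: List[str], avc_filter: Optional[str]) -> List[str]:
    """Narrow to denials containing the filter string; "None" means no filter."""
    if avc_filter in (None, "None"):
        return denials
    return [d for d in denials if avc_filter in d]


def validate_selinux(audit_text: str, skip_list: List[Dict[str, str]],
                     avc_filter: Optional[str] = "None", strict: bool = False) -> Dict[str, object]:
    """Untracked denials fail the validation in strict mode and only warn otherwise."""
    remaining = apply_filter(apply_skip_list(extract_denials(audit_text), skip_list), avc_filter)
    return {"denials": remaining, "failed": strict and bool(remaining),
            "warning": (not strict) and bool(remaining)}


if __name__ == "__main__":
    result = validate_selinux(SAMPLE_AUDIT_LOG, SKIP_LIST)
    print("untracked denials:", len(result["denials"]), "failed:", result["failed"])
```

With the sample input only the httpd denial survives the skip list, so the non-strict run warns and the strict run fails.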

License
-------

Apache

Author Information
------------------

Red Hat TripleO DFG:DF Squad:VF

Full Description
----------------