airavata-commits mailing list archives

From machris...@apache.org
Subject [12/27] airavata git commit: changed selinux disable to permissive
Date Wed, 08 Mar 2017 15:15:24 GMT
changed selinux disable to permissive

Selinux disabling requires reboot, changing to permissive
mode does not. Permissive mode logs all potential actions, thus
allowing one to build a working selinux profile from the logs, giving
potential for a seamless move to enforcing mode (provided one doesn't
build a profile from an owned machine...). Added this task to only
run on RedHat machines, though selinux *can* and should be installed
on Debian as well, not putting time on this till it's a priority.


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/193f3b5a
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/193f3b5a
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/193f3b5a

Branch: refs/heads/develop
Commit: 193f3b5a143c069d4c9f1af655a7094d28ed7150
Parents: bb96168
Author: jecoulte <jecoulte@iu.edu>
Authored: Fri Jan 27 11:43:15 2017 -0500
Committer: jecoulte <jecoulte@iu.edu>
Committed: Fri Jan 27 11:43:15 2017 -0500

----------------------------------------------------------------------
 dev-tools/ansible/roles/pga/tasks/main.yml | 26 +++++++++----------------
 1 file changed, 9 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/193f3b5a/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml
index 974ab58..3244e43 100644
--- a/dev-tools/ansible/roles/pga/tasks/main.yml
+++ b/dev-tools/ansible/roles/pga/tasks/main.yml
@@ -21,26 +21,18 @@
   file: path="{{ user_data_dir }}" state=directory owner="{{user}}" group="{{group}}" mode=0777
recurse=yes
   become: yes
 
-  #Make sure selinux is dissabled in remote machine
+# - name: Allow selinux outbound connection from web server
+  # command: setsebool -P httpd_can_network_connect 1
+
+#SHOULD MAKE A PROFILE RATHER THAN DISABLING. SELINUX IS *GOOD*
+# going to permissive from enforcing doesn't require a reboot
+# permissive allows all, but still logs, allowing easy build
+# of a working profile.
 - name: Disable selinux
-  selinux: state=disabled
+  selinux: state=permissive policy=default
   become: yes
   register: selinux_disable
-
-# need to restart after disable selinux
-- name: restart machine
-  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-  async: 1
-  poll: 0
-  become: yes
-  ignore_errors: true
-  when: (selinux_disable|success) and (selinux_disable.changed == true)
-  register: restart
-
-- name: waiting for server to come back
-  local_action: wait_for host={{ inventory_hostname }} state=started delay=30 timeout=60
-  when: (restart|success) and (restart.changed == true)
-
+  when: ansible_os_family == "RedHat"
 
 - name: Run composer update
   composer: command=update working_dir="{{ doc_root_dir }}"
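Review bot: `policy=default` on the `selinux:` line is combined with `when: ansible_os_family == "RedHat"`, but the stock policy on RedHat-family systems is named `targeted` (`default` is the Debian policy name), so please confirm the value or switch it to `policy=targeted`. The task is also still named "Disable selinux" and still registers `selinux_disable`, although it now sets permissive mode and the restart tasks that consumed that variable are removed in this hunk. Renaming it to something like "Set selinux to permissive" and dropping the `register` would keep the play readable. The new comment covers the enforcing-to-permissive case only. A host left with SELinux disabled by the earlier version of this role still needs a reboot before permissive mode takes effect, which is worth noting in the comment now that the reboot is gone.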

