From 5a53d32ecd6c0e83610406c4eb2b920488f27bb7 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Tue, 6 Oct 2020 20:00:09 +0200
Subject: [PATCH] Update to 2020-10-06 20:00

---
 roles/postgresql_server/defaults/main.yml | 5 +++--
 .../templates/postgresql_create_dumps.sh.j2 | 2 ++
 roles/squid/files/ufdb.te | 5 +++--
 roles/squid/tasks/main.yml | 18 ++++++++----------
 roles/squid/tasks/selinux.yml | 20 ++++++++++++++++++++
 5 files changed, 36 insertions(+), 14 deletions(-)
 create mode 100644 roles/squid/tasks/selinux.yml

diff --git a/roles/postgresql_server/defaults/main.yml b/roles/postgresql_server/defaults/main.yml
index db2f2a8..e18f655 100644
--- a/roles/postgresql_server/defaults/main.yml
+++ b/roles/postgresql_server/defaults/main.yml
@@ -4,10 +4,11 @@
 # repo, specify the branch here, eg 96, 10, 11
 pg_version: default
 # Command to compress dumps. Will read from stdin and write to stdout. Set to False to disable compression
-pg_compress_cmd: zstd -T0 -c
+# pg_compress_cmd: zstd -T0 -c
+pg_compress_cmd: False
 pg_remove_dump_after_backup: True
 # can be text or custom (or a raw format name supported by pg_dump)
-pg_dump_format: text
+pg_dump_format: custom
 pg_port: 5432
 pg_src_ip: []
diff --git a/roles/postgresql_server/templates/postgresql_create_dumps.sh.j2 b/roles/postgresql_server/templates/postgresql_create_dumps.sh.j2
index 67e12e2..71ddc0a 100644
--- a/roles/postgresql_server/templates/postgresql_create_dumps.sh.j2
+++ b/roles/postgresql_server/templates/postgresql_create_dumps.sh.j2
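Review bot: `pg_compress_cmd: False` (and the existing `pg_remove_dump_after_backup: True`) use capitalised YAML 1.1 booleans where the Ansible convention is lowercase; `pg_compress_cmd: false` keeps the `{% if pg_compress_cmd %}` test in the dump template working unchanged. The hunk also does not record why compression is switched off at the same time the format moves to `custom`; presumably because pg_dump's custom format is compressed internally, in which case a comment such as `# custom-format dumps are already compressed by pg_dump; only set this (e.g. 'zstd -T0 -c') for text dumps` above the key would save the next reader a guess. Since both are role defaults, every host picks up the new format and loses external compression on its next run, which is worth a line in the commit message.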
@@ -32,8 +32,10 @@ do
 {% set comp_ext = 'z' %}
 {% endif %}
 su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.{{ dump_ext }}.{{ comp_ext }}
+ su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump --schema-only -Fp $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.schema.{{ dump_ext }}.{{ comp_ext }}
 {% else %}
 su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" > $DEST/$DB.{{ dump_ext }}
+ su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump --schema-only -Fp $DB" > $DEST/$DB.schema.sql
 {% endif %}
 done
 {% if pg_compress_cmd %}
diff --git a/roles/squid/files/ufdb.te b/roles/squid/files/ufdb.te
index 09bc185..1beef2e 100644
--- a/roles/squid/files/ufdb.te
+++ b/roles/squid/files/ufdb.te
@@ -1,9 +1,9 @@
-module ufdb 1.0;
+module ufdb 1.2;
 require {
 type initrc_tmp_t;
+ type tmp_t;
 type squid_t;
- type initrc_t;
 class sock_file write;
 class unix_stream_socket connectto;
 }
@@ -11,3 +11,4 @@ require {
 #============= squid_t ==============
 allow squid_t initrc_t:unix_stream_socket connectto;
 allow squid_t initrc_tmp_t:sock_file write;
+allow squid_t tmp_t:sock_file write;
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
index 02a9e4a..75c2909 100644
--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
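Review bot: The two new schema dumps name their output inconsistently: the compressed branch writes `$DEST/$DB.schema.{{ dump_ext }}.{{ comp_ext }}` while the uncompressed branch writes `$DEST/$DB.schema.sql`, yet both force plain format with `-Fp`, so `dump_ext` (set outside this hunk, apparently from `pg_dump_format`) is wrong for the schema file whenever the data format is not text. I would change the compressed line's redirection to `> $DEST/$DB.schema.sql.{{ comp_ext }}`. The added lines also interpolate `$DB` unquoted into the `su -c` command string, as the existing line does, so a database name containing whitespace or shell metacharacters is re-parsed by the postgres user's shell; writing `-Fp '$DB'` inside the double-quoted command contains everything except a literal single quote. The `do … done` loop and the `{% if pg_compress_cmd %}` branch whose `{% else %}` appears here both open before this hunk.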
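Review bot: `type initrc_t;` is removed from the `require` block, but the module still contains `allow squid_t initrc_t:unix_stream_socket connectto;` (visible as context in the next hunk), and a loadable module may only reference types it declares or requires, so as far as I can tell `checkmodule` will reject this file with an unknown-type error. Either keep `type initrc_t;` in the require block, or drop the `connectto` rule as well if the init-script socket is no longer used now that ufdbGuard runs as a systemd unit. Bumping the module version to 1.2 does not help here, since the installer recompiles on any content change regardless of version.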
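Review bot: `allow squid_t tmp_t:sock_file write;` lets squid write to every unix socket labelled with the generic `tmp_t` type, not only the ufdbGuard socket, which is wider than the `initrc_tmp_t` rule above it. If the socket path is fixed, a file-context entry giving it a dedicated type (and requiring that type here) would keep the grant scoped to one socket; at minimum a comment such as `# ufdbGuard's systemd unit creates its socket under /tmp, which is labelled tmp_t` above the rule would record why the broad grant exists. Whether squid also needs `connectto` on whatever domain ufdbGuard runs in under systemd is not visible from this file and is worth confirming against audit.log after the switch.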
@@ -182,16 +182,8 @@ when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed tags: proxy -- name: Copy ufdb SELinux policy - copy: src=ufdb.pp dest=/usr/share/selinux/packages/ufdb.pp +- include: selinux.yml when: ansible_selinux.status == 'enabled' - tags: proxy - -- name: Load ufdb SElinux policy - command: semodule -i /usr/share/selinux/packages/ufdb.pp - changed_when: False - when: ansible_selinux.status == 'enabled' - tags: proxy - name: Create ufdbGuard log directory file: path=/var/log/ufdbGuard state=directory owner=ufdb group=ufdb mode=750 @@ -249,8 +241,14 @@ service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }} tags: proxy + # Before 1.34.6-3 provided by EPEL, the service was handled by a init script and the service was named ufdb +- name: Check if the systemd unit is installed + stat: path=/lib/systemd/system/ufdbGuard.service + register: squid_ufdb_unit + tags: proxy + - name: Handle ufdb daemon - service: name=ufdb state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }} + service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }} tags: proxy - include: filebeat.yml diff --git a/roles/squid/tasks/selinux.yml b/roles/squid/tasks/selinux.yml new file mode 100644 index 0000000..c8deee4 --- /dev/null +++ b/roles/squid/tasks/selinux.yml 
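Review bot: The new `- include: selinux.yml` carries the `when:` condition but not the `tags: proxy` that both replaced tasks had; if this `include` is evaluated dynamically, a run limited with `--tags proxy` skips the include itself and the SELinux policy is never installed, even though the tasks inside selinux.yml are tagged. Adding `tags: proxy` under the `when:` line on the include restores the previous behaviour. The change also moves from loading a pre-built `ufdb.pp` to compiling the policy on each target, which is worth a sentence in the commit message since it pulls build tools onto every SELinux-enabled proxy host.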
@@ -0,0 +1,20 @@
+---
+
+- name: Copy SELinux policy
+ copy: src=ufdb.te dest=/etc/selinux/targeted/local/
+ register: squid_ufdb_selinux_policy
+ tags: proxy
+
+- name: Install needed packages
+ yum:
+ name: policycoreutils
+ tags: proxy
+
+- name: Compile SELinux policy
+ shell: |
+ cd /etc/selinux/targeted/local/
+ checkmodule -M -m -o ufdb.mod ufdb.te
+ semodule_package -o ufdb.pp -m ufdb.mod
+ semodule -i /etc/selinux/targeted/local/ufdb.pp
+ when: squid_ufdb_selinux_policy.changed
+ tags: proxy
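Review bot: The `Compile SELinux policy` shell step does not stop on error: without `set -e` (or `&&` between the commands) a failing `checkmodule` still lets `semodule_package` and `semodule -i` run against a stale `ufdb.mod`/`ufdb.pp` left by an earlier compile, the task reports success because only the last command's status counts, and since it is gated on `squid_ufdb_selinux_policy.changed` the broken policy is not retried on the next run. On EL systems `checkmodule` is shipped by the `checkpolicy` package rather than `policycoreutils`, so the `Install needed packages` task should list it too. I would rewrite those two tasks as below; the `Copy SELinux policy` task is unchanged.

```yaml
# … unchanged: Copy SELinux policy task …

- name: Install needed packages
  yum:
    name:
      - checkpolicy
      - policycoreutils
  tags: proxy

- name: Compile SELinux policy
  shell: |
    set -e
    cd /etc/selinux/targeted/local/
    checkmodule -M -m -o ufdb.mod ufdb.te
    semodule_package -o ufdb.pp -m ufdb.mod
    semodule -i /etc/selinux/targeted/local/ufdb.pp
  when: squid_ufdb_selinux_policy.changed
  tags: proxy
```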