Update to 2020-10-06 20:00

master
Daniel Berteaud 4 years ago
parent 74d8cbb396
commit 5a53d32ecd
  1. 5
      roles/postgresql_server/defaults/main.yml
  2. 2
      roles/postgresql_server/templates/postgresql_create_dumps.sh.j2
  3. 5
      roles/squid/files/ufdb.te
  4. 18
      roles/squid/tasks/main.yml
  5. 20
      roles/squid/tasks/selinux.yml

@ -4,10 +4,11 @@
# repo, specify the branch here, eg 96, 10, 11 # repo, specify the branch here, eg 96, 10, 11
pg_version: default pg_version: default
# Command to compress dumps. Will read from stdin and write to stdout. Set to False to disable compression # Command to compress dumps. Will read from stdin and write to stdout. Set to False to disable compression
pg_compress_cmd: zstd -T0 -c # pg_compress_cmd: zstd -T0 -c
pg_compress_cmd: False
pg_remove_dump_after_backup: True pg_remove_dump_after_backup: True
# can be text or custom (or a raw format name supported by pg_dump) # can be text or custom (or a raw format name supported by pg_dump)
pg_dump_format: text pg_dump_format: custom
pg_port: 5432 pg_port: 5432
pg_src_ip: [] pg_src_ip: []
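Review bot: The new defaults `pg_compress_cmd: False` and `pg_dump_format: custom` change the files every existing host produces (format and extension) without saying why, so a comment above them would help the next reader, e.g. `# custom format is already compressed by pg_dump, so external compression is disabled by default` — if that is indeed the reason. The capitalised `False`/`True` values rely on YAML 1.1 boolean parsing; lowercase `false`/`true` is what yamllint's truthy rule expects and is safer across parsers, and the same applies to the neighbouring `pg_remove_dump_after_backup: True`.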

@ -32,8 +32,10 @@ do
{% set comp_ext = 'z' %} {% set comp_ext = 'z' %}
{% endif %} {% endif %}
su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.{{ dump_ext }}.{{ comp_ext }} su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.{{ dump_ext }}.{{ comp_ext }}
su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump --schema-only -Fp $DB" | /bin/nice -n 10 {{ pg_compress_cmd }} > $DEST/$DB.schema.{{ dump_ext }}.{{ comp_ext }}
{% else %} {% else %}
su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" > $DEST/$DB.{{ dump_ext }} su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump {{ dump_options }} $DB" > $DEST/$DB.{{ dump_ext }}
su - postgres -c "{{ (pg_version != 'default') | ternary('/usr/pgsql-' + pg_version | string,'') }}/bin/pg_dump --schema-only -Fp $DB" > $DEST/$DB.schema.sql
{% endif %} {% endif %}
done done
{% if pg_compress_cmd %} {% if pg_compress_cmd %}
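Review bot: The schema-only dump is named inconsistently between the two branches: the compressed branch writes `$DEST/$DB.schema.{{ dump_ext }}.{{ comp_ext }}` while the uncompressed branch writes `$DEST/$DB.schema.sql`. Since `--schema-only -Fp` always emits plain SQL regardless of `pg_dump_format`, the compressed line should end with `> $DEST/$DB.schema.sql.{{ comp_ext }}` so that `dump_ext` (set outside this hunk, presumably from `pg_dump_format`) does not label a plain-text file as custom format. The enclosing `do … done` loop starts before this hunk.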

@ -1,9 +1,9 @@
module ufdb 1.0; module ufdb 1.2;
require { require {
type initrc_tmp_t; type initrc_tmp_t;
type tmp_t;
type squid_t; type squid_t;
type initrc_t;
class sock_file write; class sock_file write;
class unix_stream_socket connectto; class unix_stream_socket connectto;
} }
@ -11,3 +11,4 @@ require {
#============= squid_t ============== #============= squid_t ==============
allow squid_t initrc_t:unix_stream_socket connectto; allow squid_t initrc_t:unix_stream_socket connectto;
allow squid_t initrc_tmp_t:sock_file write; allow squid_t initrc_tmp_t:sock_file write;
allow squid_t tmp_t:sock_file write;
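Review bot: `allow squid_t tmp_t:sock_file write;` grants the squid domain write access to every socket file carrying the generic `tmp_t` label, which is considerably wider than the existing `initrc_tmp_t` rule; if the ufdbGuard socket can be given a dedicated type, or kept under `initrc_tmp_t`, that is preferable, and otherwise a comment naming the socket this rule exists for, e.g. `# socket created by ufdbGuard in a tmp_t directory`, would at least document the intended scope. The require block also appears to drop `type initrc_t;` while `allow squid_t initrc_t:unix_stream_socket connectto;` still references it; if that line is really removed rather than reordered by the rendering, checkmodule will reject the module for an undeclared type — worth confirming against the raw diff.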

@ -182,16 +182,8 @@
when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed
tags: proxy tags: proxy
- name: Copy ufdb SELinux policy - include: selinux.yml
copy: src=ufdb.pp dest=/usr/share/selinux/packages/ufdb.pp
when: ansible_selinux.status == 'enabled' when: ansible_selinux.status == 'enabled'
tags: proxy
- name: Load ufdb SElinux policy
command: semodule -i /usr/share/selinux/packages/ufdb.pp
changed_when: False
when: ansible_selinux.status == 'enabled'
tags: proxy
- name: Create ufdbGuard log directory - name: Create ufdbGuard log directory
file: path=/var/log/ufdbGuard state=directory owner=ufdb group=ufdb mode=750 file: path=/var/log/ufdbGuard state=directory owner=ufdb group=ufdb mode=750
@ -249,8 +241,14 @@
service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }} service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }}
tags: proxy tags: proxy
# Before 1.34.6-3 provided by EPEL, the service was handled by a init script and the service was named ufdb
- name: Check if the systemd unit is installed
stat: path=/lib/systemd/system/ufdbGuard.service
register: squid_ufdb_unit
tags: proxy
- name: Handle ufdb daemon - name: Handle ufdb daemon
service: name=ufdb state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }} service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }}
tags: proxy tags: proxy
- include: filebeat.yml - include: filebeat.yml
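Review bot: The new `service:` line for the ufdb daemon packs three Jinja ternaries into one key=value string, which is hard to read and hard to quote safely; the same task in block YAML with one argument per line is clearer and is the form Ansible recommends for module arguments. The `stat` task above hard-codes `/lib/systemd/system/ufdbGuard.service`; on EL7 and later `/lib` is a symlink to `/usr/lib`, so this works, but `/usr/lib/systemd/system` is the canonical location for package-provided units and would be the safer path if other distributions are ever targeted.
```yaml
# … unchanged: comment and "Check if the systemd unit is installed" stat task …
- name: Handle ufdb daemon
  service:
    name: "{{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard', 'ufdb') }}"
    state: "{{ squid_filter_url | ternary('started', 'stopped') }}"
    enabled: "{{ squid_filter_url | ternary(True, False) }}"
  tags: proxy
```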

@ -0,0 +1,20 @@
---
- name: Copy SELinux policy
copy: src=ufdb.te dest=/etc/selinux/targeted/local/
register: squid_ufdb_selinux_policy
tags: proxy
- name: Install needed packages
yum:
name: policycoreutils
tags: proxy
- name: Compile SELinux policy
shell: |
cd /etc/selinux/targeted/local/
checkmodule -M -m -o ufdb.mod ufdb.te
semodule_package -o ufdb.pp -m ufdb.mod
semodule -i /etc/selinux/targeted/local/ufdb.pp
when: squid_ufdb_selinux_policy.changed
tags: proxy
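Review bot: The `shell: |` block in "Compile SELinux policy" only reports the exit status of its last command, so a failing `checkmodule` or `semodule_package` is masked and `semodule -i` then installs a stale or missing `ufdb.pp`; add `set -e` as the first line and use `args: chdir:` instead of a leading `cd`. On EL systems `checkmodule` is shipped by the `checkpolicy` package rather than `policycoreutils`, so the package task should install both or the first run fails on a fresh host. Because the compile runs only `when: squid_ufdb_selinux_policy.changed`, a failed compile is not retried on the next run (the copy is then unchanged); registering the result or checking `semodule -l` for the module before skipping would make this idempotent, which is left as a follow-up here.
```yaml
# … unchanged: "Copy SELinux policy" task …
- name: Install needed packages
  yum:
    name:
      - policycoreutils
      - checkpolicy
  tags: proxy

- name: Compile SELinux policy
  shell: |
    set -e
    checkmodule -M -m -o ufdb.mod ufdb.te
    semodule_package -o ufdb.pp -m ufdb.mod
    semodule -i /etc/selinux/targeted/local/ufdb.pp
  args:
    chdir: /etc/selinux/targeted/local/
  when: squid_ufdb_selinux_policy.changed
  tags: proxy
```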