Bypass SELinux on Ubuntu

noobient · Nov 17, 2023 · b30ecdb · b30ecdb
1 parent 5807944
commit b30ecdb
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 27 deletions.
diff --git a/tasks/host.yml b/tasks/host.yml
@@ -9,33 +9,8 @@
     backup: true
   notify: Reload nginx
 
-- name: Check for SELinux port definition conflicts
-  shell:
-    cmd: "semanage port -l | grep ' tcp ' | grep -P ' {{ se_conflict_item }}(,| |$)' | awk '{print $1}'"
-  changed_when: false
-  failed_when: false
-  loop:
-    - "{{ eff_host_port }}"
-    - "{{ eff_proxy_port }}"
-  loop_control:
-    loop_var: se_conflict_item
-  register: se_conflict_check
-  when: (eff_proxy_port | string not in stock_http_cache_ports | string) or (eff_host_port | string not in stock_http_ports | string)
-
-- debug:
-    msg: "{% if se_conflict_output.stdout | length and se_conflict_output.stdout != 'http_port_t' and se_conflict_output.stdout != 'http_cache_port_t' %}Warning: port {{ se_conflict_output.se_conflict_item }} seems to conflict with the definition of '{{ se_conflict_output.stdout }}', module installation will likely fail.{% else %}No SELinux port conflict detected.{% endif %}"
-  loop: "{{ se_conflict_check.results }}"
-  loop_control:
-    loop_var: se_conflict_output
-    label: "{{ se_conflict_output.se_conflict_item }}"
-  when: not se_conflict_check.skipped
-
-- include_role:
-    name: noobient.selinux_cil
-  vars:
-    module: "noobient-nginx_{{ domain }}"
-    custom_src: noobient-nginx_custom
-  when: (eff_proxy_port | string not in stock_http_cache_ports | string) or (eff_host_port | string not in stock_http_ports | string)
+- include_tasks: selinux.yml
+  when: ansible_pkg_mgr == 'dnf'
 
 - name: "Enable {{ domain }} host"
   file:

diff --git a/tasks/selinux.yml b/tasks/selinux.yml
@@ -0,0 +1,28 @@
+---
+- name: Check for SELinux port definition conflicts
+  shell:
+    cmd: "semanage port -l | grep ' tcp ' | grep -P ' {{ se_conflict_item }}(,| |$)' | awk '{print $1}'"
+  changed_when: false
+  failed_when: false
+  loop:
+    - "{{ eff_host_port }}"
+    - "{{ eff_proxy_port }}"
+  loop_control:
+    loop_var: se_conflict_item
+  register: se_conflict_check
+  when: (eff_proxy_port | string not in stock_http_cache_ports | string) or (eff_host_port | string not in stock_http_ports | string)
+
+- debug:
+    msg: "{% if se_conflict_output.stdout | length and se_conflict_output.stdout != 'http_port_t' and se_conflict_output.stdout != 'http_cache_port_t' %}Warning: port {{ se_conflict_output.se_conflict_item }} seems to conflict with the definition of '{{ se_conflict_output.stdout }}', module installation will likely fail.{% else %}No SELinux port conflict detected.{% endif %}"
+  loop: "{{ se_conflict_check.results }}"
+  loop_control:
+    loop_var: se_conflict_output
+    label: "{{ se_conflict_output.se_conflict_item }}"
+  when: not se_conflict_check.skipped
+
+- include_role:
+    name: noobient.selinux_cil
+  vars:
+    module: "noobient-nginx_{{ domain }}"
+    custom_src: noobient-nginx_custom
+  when: (eff_proxy_port | string not in stock_http_cache_ports | string) or (eff_host_port | string not in stock_http_ports | string)