Merge pull request #1136 from berndfinger/combine-selinux-and-fapolicyd-dir-definitions-02

sap_hana_install: simplified and more flexible SELinux and fapolicyd handling

Author: berndfinger

roles/sap_hana_install/README.md

@@ -229,9 +229,9 @@ This part is performed when:
 - Existing SAP HANA was not detected.
 
 Steps:
-1. If the variable `sap_hana_install_use_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts.
+1. If the variable `sap_hana_install_configure_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts.
 2. Configure permissions for the SAP HANA directories on all new hosts.
-3. If the variable `sap_hana_install_modify_selinux_labels` is set to `true`, configure `SElinux` on all new hosts.
+3. If the variable `sap_hana_install_configure_selinux` is set to `true`, configure `SELinux` on all new hosts.
 4. Prepare the directory defined in variable `sap_hana_install_software_directory`.
 5. If the `hdblcm` was not found in the directory `sap_hana_install_software_directory`:
     - Find latest `SAPCAR` executable in the directory `sap_hana_install_software_directory` and use latest one matching OS Architecture.
@@ -253,9 +253,9 @@ Steps:
     - Generate password hash for `sapadm` user using the value of `sap_hana_install_sapadm_password` variable.
 2. Create the user `<sid>adm` on all addhosts.
     - This is not required during installation, because the `root` user is used instead.
-3. If the variable `sap_hana_install_use_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts.
+3. If the variable `sap_hana_install_configure_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts.
 4. Configure permissions for the SAP HANA directories on all new hosts.
-5. If the variable `sap_hana_install_modify_selinux_labels` is set to `true`, configure `SElinux` on all new hosts.
+5. If the variable `sap_hana_install_configure_selinux` is set to `true`, configure `SELinux` on all new hosts.
 6. If the file `configfiles/configfile.cfg` is found in the directory defined in `sap_hana_install_software_directory`, make copy of it and use it for installation.
     - If the file was not found, create template using `hdblcm` command and fill it in with jinja2 template.
 
@@ -291,8 +291,9 @@ Steps:
 4. Recreate the initial tenant database if the variable `sap_hana_install_recreate_tenant_database` is set to `true`, for new installations.
 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new installations.
 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`.
-7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`.
-8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_use_fapolicyd` is set to `true`.
+7. Apply SELinux policies if the variable `sap_hana_install_configure_selinux` is set to `true`.
+8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicyd` is set to `true`.
+Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service.
 9. Output final status of installed system.
 
 
@@ -304,8 +305,9 @@ Steps:
 1. Update Secure User Store configuration (`hdbuserstore`) for `<sid>adm` user, for new hosts.
 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new hosts.
 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`.
-7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`.
-8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_use_fapolicyd` is set to `true`.
+7. Apply SELinux policies if the variable `sap_hana_install_configure_selinux` is set to `true`.
+8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicyd` is set to `true`.
+Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service.
 9. Output final status of installed system.
 <!-- END Execution Flow -->
 

roles/sap_hana_install/defaults/main.yml

@@ -32,24 +32,29 @@ sap_hana_install_keep_copied_sarfiles: false
 
 # (RedHat specific) fapolicyd package is present on RedHat systems
 # For installing SAP HANA with fapolicyd support, set the following variable to `true`:
-sap_hana_install_use_fapolicyd: false
+sap_hana_install_configure_fapolicyd: false
 
-# (RedHat specific) fapolicyd package is present on RedHat systems
+# (RedHat specific) desired fapolicyd service status (only if sap_hana_install_configure_fapolicyd is 'true')
+# For not enabling and not starting the fapolicyd service after the installation has finished, set the following
+# variable to `false`:
+sap_hana_install_enable_fapolicyd: true
+
+# (RedHat specific) fapolicyd integrity level
 # When using fapolicyd, you can set the following variable to one of `none`, `size`, `sha256`, or `ima`. Note that before setting
 # to `ima`, it is essential to prepare the system accordingly (e.g. boot with a different kernel parameter). See the
 # RHEL 9 Managing, monitoring, and updating the kernel guide for more information on this topic.
 sap_hana_install_fapolicyd_integrity: 'sha256'
 
-# (RedHat specific) fapolicyd package is present on RedHat systems
+# (RedHat specific) name of fapolicyd rule file for protecting shell scripts
 # When using fapolicyd, the following variable is used to define the fapolicyd rule file in which the rules for
 # protecting shell scripts are stored. The rule file will be created in the directory '/etc/fapolicyd/rules.d'.
 # Note: The mandatory file ending '.rules' will be added in the corresponding task of this role.
 sap_hana_install_fapolicyd_rule_file: '71-sap-shellscripts'
 
-# (RedHat specific) fapolicyd package is present on RedHat systems
-# When using fapolicyd, modify the following variable to change or add the directories which contain SAP HANA executables:
-sap_hana_install_fapolicyd_trusted_directories:
+# Directories which are used for the SAP HANA installation (relevant for SELinux relabeling and for fapolicyd protection)
+sap_hana_install_directories:
   - "{{ sap_hana_install_root_path }}"
+  - '/lss/shared'
   - '/usr/sap'
 
 # File name of SAPCAR*EXE in the software directory. If the variable is not set and there is more than one SAPCAR executable
@@ -117,10 +122,11 @@ sap_hana_install_new_system: true
 # In case this is not desired, you can set the following parameter to `true` to recreate the initial tenant database.
 sap_hana_install_recreate_tenant_database: false
 
-# For compatibility of SAP HANA with SELinux in enforcing mode, the role will recursively relabel directories and files
-# in `/hana` before the installation starts and in `/usr/sap` after the installation has finished.
-# If relabeling not desired, set the following variable to `false`.
-sap_hana_install_modify_selinux_labels: true
+# For compatibility of SAP HANA with SELinux in enforcing mode, the role will set the SELinux boolean 'selinuxuser_execmod' to 'on'.
+# It will also recursively relabel directories and files in `/hana` before the installation starts and in all other directories
+# specified in 'sap_hana_install_directories' after the installation has finished.
+# If this not desired, set the following variable to `false`.
+sap_hana_install_configure_selinux: true
 
 ################
 # Parameters for hdblcm:

roles/sap_hana_install/tasks/hana_install.yml

@@ -18,8 +18,6 @@
       - 'Once the task "Install SAP HANA" has started, you can use the following command'
       - 'in a terminal session on {{ inventory_hostname }} to watch the install progress in real time:'
       - "{{ __sap_hana_install_register_tmpdir.path }}/tail-f-hdblcm-install-trc.sh"
-      - 'Alternatively, you can run the following command on the control node:'
-      - "ssh {{ inventory_hostname }} {{ __sap_hana_install_register_tmpdir.path }}/tail-f-hdblcm-install-trc.sh"
 
 - name: SAP HANA - Install - Set fact for the hdblcm verify_signature argument
   ansible.builtin.set_fact:

roles/sap_hana_install/tasks/main.yml

@@ -1,62 +1,17 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
-# Load variables while maintaining backwards compatibility when variable is empty string.
-# Check if variable is defined and non-empty before using it, otherwise fall back to backwards
-# compatible variable or default empty string that will fail asserts afterwards.
-# NOTE: This is not __var assignment so it will not override user specified vars due to precedence!
-- name: SAP HANA - Main - Set mandatory variables used by hdblcm configfile
-  ansible.builtin.set_fact:
-    sap_hana_install_sid:
-      "{{ sap_hana_sid | d('')
-        if sap_hana_install_sid | string | length == 0
-        else sap_hana_install_sid }}"
-    sap_hana_install_number:
-      "{{ sap_hana_instance_number | d(sap_hana_install_instance_nr) | d(sap_hana_install_instance_number) | d('')
-        if sap_hana_install_number | string | length == 0
-        else sap_hana_install_number }}"
-    sap_hana_install_system_usage: "{{ sap_hana_install_env_type | d(sap_hana_install_system_usage) | d('custom') }}"
-    sap_hana_install_restrict_max_mem: "{{ sap_hana_install_mem_restrict | d(sap_hana_install_restrict_max_mem) | d('n') }}"
-  tags:
-    - sap_hana_install_check_hana_exists
-    - sap_hana_install_check_installation
-    - sap_hana_install_preinstall
-    - sap_hana_install_set_log_mode
-    - sap_hana_install_configure_firewall
-
-# Separate task for password with no_log
-- name: SAP HANA - Main - Set mandatory variables used by hdblcm configfile - passwords
-  ansible.builtin.set_fact:
-    sap_hana_install_master_password:
-      "{{ sap_hana_install_common_master_password | d('')
-        if sap_hana_install_master_password is not defined or sap_hana_install_master_password | string | length == 0
-        else sap_hana_install_master_password }}"
-  no_log: true  # Required for password handling
-  tags:
-    - sap_hana_install_check_hana_exists
-    - sap_hana_install_check_installation
-    - sap_hana_install_preinstall
-    - sap_hana_install_set_log_mode
-    - sap_hana_install_configure_firewall
-
-- name: SAP HANA - Main - Validate the role variables
+# SAP HANA
+- name: SAP HANA - Main - Prepare some variables
   ansible.builtin.include_tasks:
-    file: pre_tasks/assert_variables.yml
+    file: pre_tasks/prepare_variables.yml
   tags:
     - sap_hana_install_check_hana_exists
     - sap_hana_install_check_installation
     - sap_hana_install_preinstall
     - sap_hana_install_set_log_mode
     - sap_hana_install_configure_firewall
 
-# SELinux is not currently supported by SAP using SLES4SAP
-# This can still be overwritten by extra variables.
-- name: SAP HANA Pre Install - Ensure SELinux does not execute for SLES
-  ansible.builtin.set_fact:
-    sap_hana_install_modify_selinux_labels: false
-  when: ansible_os_family == "Suse"
-
-
 # SAP HANA presence has to be validated for both new system and adding new hosts.
 - name: SAP HANA - Main - Validate presence of existing SAP HANA database
   ansible.builtin.include_tasks:
@@ -93,7 +48,6 @@
     - name: SAP HANA - Install - Pre-Tasks
       ansible.builtin.include_tasks:
         file: pre_install.yml
-      tags: sap_hana_install_preinstall
 
     - name: SAP HANA - Install
       ansible.builtin.include_tasks:
@@ -169,11 +123,11 @@
       {% if sap_hana_install_update_firewall %}
       Firewall is enabled and SAP HANA ports are open.
       {% endif %}
-      {% if sap_hana_install_modify_selinux_labels %}
-      SELinux file contexts are configured for SAP folders '{{ sap_hana_install_root_path }}' and '/usr/sap'.
+      {% if __sap_hana_install_configure_selinux %}
+      SELinux file contexts are configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}).
       {% endif %}
-      {% if ansible_os_family == "RedHat" and sap_hana_install_use_fapolicyd %}
-      Fapolicyd is configured for SAP folders '{{ sap_hana_install_root_path }}' and '/usr/sap'.
+      {% if ansible_os_family == "RedHat" and __sap_hana_install_configure_fapolicyd %}
+      Fapolicyd is configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}).
       {% endif %}
   vars:
     __sap_hana_install_fact_hana_version: "{{ __sap_hana_install_register_completion_result.stdout.split(';')[0] }}"

roles/sap_hana_install/tasks/post_addhosts.yml

@@ -25,13 +25,13 @@
 - name: SAP HANA - Addhosts - Post-Tasks - SELinux
   ansible.builtin.include_tasks:
     file: post_tasks/selinux.yml
-  when: sap_hana_install_modify_selinux_labels
+  when: __sap_hana_install_configure_selinux
 
 - name: SAP HANA - Addhosts - Post-Tasks - Fapolicyd
   ansible.builtin.include_tasks:
     file: post_tasks/fapolicyd.yml
   when:
     # Ensure fapolicyd is checked only on supported systems.
     - ansible_os_family == "RedHat"
-    - sap_hana_install_use_fapolicyd
-  tags: sap_hana_install_use_fapolicyd
+    - __sap_hana_install_configure_fapolicyd
+  tags: sap_hana_install_configure_fapolicyd

roles/sap_hana_install/tasks/post_install.yml

@@ -76,13 +76,13 @@
 - name: SAP HANA - Install - Post-Tasks - SELinux
   ansible.builtin.include_tasks:
     file: post_tasks/selinux.yml
-  when: sap_hana_install_modify_selinux_labels
+  when: __sap_hana_install_configure_selinux
 
 - name: SAP HANA - Install - Post-Tasks - Fapolicyd
   ansible.builtin.include_tasks:
     file: post_tasks/fapolicyd.yml
   when:
     # Ensure fapolicyd is checked only on supported systems.
     - ansible_os_family == "RedHat"
-    - sap_hana_install_use_fapolicyd
-  tags: sap_hana_install_use_fapolicyd
+    - __sap_hana_install_configure_fapolicyd
+  tags: sap_hana_install_configure_fapolicyd

roles/sap_hana_install/tasks/post_tasks/fapolicyd.yml

@@ -69,10 +69,10 @@
         msg: "{{ sap_hana_install_register_fagenrules_load.stdout_lines }}"
 
     # We want to add files which have the execute mode bit set AND which are reported as executables
-    # by fapolicyd-cli -t, one for each directory of sap_hana_install_fapolicyd_trusted_directories.
+    # by fapolicyd-cli -t, one for each directory of sap_hana_install_directories.
     # The fapolicy trust file name will be created from the directory names by replacing '/' by '_' and
     # omitting the first '_'.
-    - name: SAP HANA - Post-Tasks - Put all executable files from 'sap_hana_install_fapolicyd_trusted_directories' into fapolicyd trust files
+    - name: SAP HANA - Post-Tasks - Put all executable files from 'sap_hana_install_directories' into fapolicyd trust files
       ansible.builtin.shell: |
         set -o pipefail &&
         find {{ __sap_hana_install_item }} -type f -executable -exec fapolicyd-cli -t {} \; -print |
@@ -83,7 +83,7 @@
                 {{ __sap_hana_install_item | regex_replace('//*', '_') | regex_replace("^_", "") }}"); a=0; b=0
             }
           }'
-      loop: "{{ sap_hana_install_fapolicyd_trusted_directories }}"
+      loop: "{{ sap_hana_install_directories }}"
       loop_control:
         loop_var: __sap_hana_install_item
         label: >-
@@ -98,9 +98,11 @@
         name: fapolicyd
         enabled: true
         state: started
+      when: sap_hana_install_enable_fapolicyd
 
     - name: SAP HANA - Post-Tasks - Restart fapolicyd
       ansible.builtin.service:
         name: fapolicyd
         enabled: true
         state: restarted
+      when: sap_hana_install_enable_fapolicyd

roles/sap_hana_install/tasks/post_tasks/selinux.yml

@@ -1,16 +1,24 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
-# This configuration includes also Pre-Tasks content to ensure they are all set same.
-- name: SAP HANA - Post-Tasks - Configure 'sap_hana_install_root_path' SELinux file contexts
+# We do not need to configure sap_hana_install_root_path here because that was already configured in Pre-Tasks.
+- name: SAP HANA - Post-Tasks - Define dict for selinux_fcontexts
+  ansible.builtin.set_fact:
+    __sap_hana_install_fcontexts_list: "{{ __sap_hana_install_fcontexts_list | d([]) + [__sap_hana_install_target_setype_dict] }}"
+  loop: "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}"
+  loop_control:
+    loop_var: __sap_hana_install_directory_item
+  vars:
+    __sap_hana_install_target_setype_dict:
+      target: "{{ __sap_hana_install_directory_item }}(/.*)?"
+      setype: 'usr_t'
+
+- name: SAP HANA - Post-Tasks - Configure SELinux file contexts for the remaining directories
   ansible.builtin.include_role:
     name: '{{ sap_hana_install_system_roles_collection }}.selinux'
   vars:
     selinux_booleans:
       - { name: 'selinuxuser_execmod', state: 'on' }
-    selinux_fcontexts:
-      - { target: '{{ sap_hana_install_root_path }}(/.*)?', setype: 'usr_t' }
-      - { target: '/usr/sap(/.*)?', setype: 'usr_t' }
+    selinux_fcontexts: "{{ __sap_hana_install_fcontexts_list }}"
     selinux_restore_dirs:
-      - '{{ sap_hana_install_root_path }}'
-      - /usr/sap
+      - "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}"

roles/sap_hana_install/tasks/pre_addhosts.yml

@@ -51,14 +51,14 @@
     # Ensure fapolicyd is checked only on supported systems.
     - ansible_os_family == "RedHat"
     - __sap_hana_install_fact_is_new_addhost_host
-  tags: sap_hana_install_use_fapolicyd
+  tags: sap_hana_install_configure_fapolicyd
 
 
 - name: SAP HANA - Addhosts - Pre-Tasks - Configure SELinux file contexts for {{ sap_hana_install_root_path }}
   ansible.builtin.include_tasks:
     file: pre_tasks/selinux.yml
   when:
-    - sap_hana_install_modify_selinux_labels
+    - __sap_hana_install_configure_selinux
     - __sap_hana_install_fact_is_new_addhost_host
 
 

roles/sap_hana_install/tasks/pre_install.yml

@@ -8,14 +8,14 @@
     # Ensure fapolicyd is checked only on supported systems.
     - ansible_os_family == "RedHat"
     - not __sap_hana_install_fact_is_installed
-  tags: sap_hana_install_use_fapolicyd
+  tags: sap_hana_install_configure_fapolicyd
 
 
 - name: SAP HANA - Install - Pre-Tasks - Configure SELinux file contexts for {{ sap_hana_install_root_path }}
   ansible.builtin.include_tasks:
     file: pre_tasks/selinux.yml
   when:
-    - sap_hana_install_modify_selinux_labels
+    - __sap_hana_install_configure_selinux
     - not __sap_hana_install_fact_is_installed