From 0eca62f4ce29c4b986b24b4d5e0bc7980cdc6784 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 16:20:44 +0100
Subject: Add AppArmor profile Simple profile to allow for management of local profile drop-ins using pillar values.
Signed-off-by: Georg Pfuetzenreuter
---
 salt/profile/apparmor/local.sls | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 salt/profile/apparmor/local.sls
diff --git a/salt/profile/apparmor/local.sls b/salt/profile/apparmor/local.sls
new file mode 100644
index 0000000..6dbdff3
--- /dev/null
+++ b/salt/profile/apparmor/local.sls
@@ -0,0 +1,9 @@
+{%- set aapillar = salt['pillar.get']('profile:apparmor') %}
+
+{%- if 'local' in aapillar %}
+{%- for profile, lines in aapillar['local'].items() %}
+/etc/apparmor.d/local/{{ profile }}:
+ file.managed:
+ - contents: {{ lines }}
+{%- endfor %}
+{%- endif %}
-- cgit v1.2.3
From 7e73f6b1a4524c39a4020a7e4a682341e50c6a7b Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 16:21:23 +0100
Subject: web-proxy: include apparmor.local Some web proxy servers need additional AppArmor drop-ins, for example for serving static content.
Signed-off-by: Georg Pfuetzenreuter
---
 salt/role/web-proxy.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/role/web-proxy.sls b/salt/role/web-proxy.sls
index 81f2293..649c69e 100644
--- a/salt/role/web-proxy.sls
+++ b/salt/role/web-proxy.sls
@@ -1,5 +1,6 @@
 include:
 - nginx.pkg
+ - profile.apparmor.local
 - nginx.config
 - nginx.snippets
 - nginx.servers
-- cgit v1.2.3
From 2d5da24ce5d695b3f934ec06c654f7ae754b3fbf Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 16:28:19 +0100
Subject: denc-webcluster: nginx AppArmor rules Allow access to client trust certificate and to static content.
Signed-off-by: Georg Pfuetzenreuter
---
 pillar/cluster/denc/web-proxy.sls | 7 +++++++
 1 file changed, 7 insertions(+)
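Review bot: In salt/profile/apparmor/local.sls the `file.managed` state writes the drop-in, but nothing in the hunk reloads the profile that includes it. Changed rules are therefore not enforced until something else reloads AppArmor, and a malformed pillar line only surfaces at that later reload. I would add a reload state with `onchanges` (assuming the drop-in is named after the profile file that includes it) and set `user`, `group` and `mode` explicitly on the managed file. `{{ lines }}` also puts the Python repr of the list into the YAML, so `{{ lines | json }}` is safer for rules that contain quotes or backslashes. The pillar key goes straight into the target path, which is acceptable only while pillar data stays operator-controlled.

```yaml
# … unchanged: pillar lookup, 'local' check and for loop …
/etc/apparmor.d/local/{{ profile }}:
  file.managed:
    - contents: {{ lines | json }}
    - user: root
    - group: root
    - mode: '0644'

apparmor_reload_{{ profile }}:
  cmd.run:
    - name: apparmor_parser -r /etc/apparmor.d/{{ profile }}
    - onchanges:
      - file: /etc/apparmor.d/local/{{ profile }}
# … unchanged: endfor / endif …
```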
diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 7b5cebd..7748768 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -209,3 +209,10 @@ firewalld:
 services:
 - http
 - https
+
+profile:
+ apparmor:
+ local:
+ usr.sbin.nginx:
+ - '{{ trustcrt }} r,'
+ - '/srv/www/{libsso.net,sso.casa,sso.syscid.com}/{index.html,stuff/tacit-css-1.5.2.min.css} r,'
-- cgit v1.2.3
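Review bot: The first rule added to pillar/cluster/denc/web-proxy.sls, `'{{ trustcrt }} r,'`, depends on a Jinja variable that is set outside this hunk. If it ever renders empty or to a non-absolute path, the drop-in line is not a valid AppArmor rule, and the nginx profile that includes it would presumably fail to parse on its next load. A comment above the list such as `# trustcrt must be an absolute path (client trust certificate)` would record that requirement. The second rule is well scoped, read-only on named files, but it pins `tacit-css-1.5.2.min.css`, so a stylesheet upgrade needs a matching policy change and that deserves a comment too.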