Use the firewall role and the selinux role from the cockpit role

- Introduce cockpit_manage_firewall to use the firewall role to
  manage the cockpit service.
  Default to false - means the firewall role is not used.

- Introduce cockpit_manage_selinux to use the selinux role to
  manage the ports in the cockpit service.
  Assign websm_port_t to the cockpit service ports.
  Default to false - means the selinux role is not used.

- Add the test check task tasks/check_firewall_selinux.yml for
  verify the ports status.

- Add meta/collection-requirements.yml.

README.md

@@ -8,6 +8,21 @@ Installs and configures the Cockpit Web Console for distributions that support i
   - RHEL/CentOS 7.x depend on the Extras repository being enabled.
   - Recommended to use [`linux-system-roles.firewall`](https://github.com/linux-system-roles/firewall/) to make the Web Console available remotely.
 
+  - The role requires the `firewall` role and the `selinux` role from the
+    `fedora.linux_system_roles` collection, if `cockpit_manage_firewall`
+    and `cockpit_manage_selinux` is set to true, respectively.
+    (Please see also `cockpit_manage_firewall` and `cockpit_manage_selinux`
+     in [`Role Variables`](#role-variables).
+
+    If the `cockpit` is a role from the `fedora.linux_system_roles`
+    collection or from the Fedora RPM package, the requirement is already
+    satisfied.
+
+    Otherwise, please run the following command line to install the collection.
+    ```
+    ansible-galaxy collection install -r meta/collection-requirements.yml
+    ```
+
 ## Role Variables
 
 Available variables per distribution are listed below, along with default values (see `defaults/main.yml`):
@@ -81,17 +96,35 @@ Configure settings in the /etc/cockpit/cockpit.conf file.  See [`man cockpit.con
     cockpit_port: 9090
 Cockpit runs on port 9090 by default. You can change the port with this option.
 
-Note that the default SELinux policy does not allow Cockpit to listen to anything else than port 9090, so you need to allow that first, with e.g.
+    cockpit_manage_firewall: false
+Boolean flag allowing to configure firewall using the firewall role.
+Manage the cockpit firewall service.
+If the variable is set to `false`, the `cockpit role` does not manage the firewall.
+Default to `false`.
+
+NOTE: `cockpit_manage_firewall` is limited to *adding* ports.
+It cannot be used for *removing* ports.
+If you want to remove ports, you will need to use the firewall system
+role directly.
 
-    semanage port -m -t websm_port_t -p tcp 443
+NOTE: This functionality is supported only when the managed host's `os_family`
+is `RedHat`.
 
-for ports that are already defined in the SELinux policy, such as 443, or
+    cockpit_manage_selinux: false
+Boolean flag allowing to configure selinux using the selinux role.
+Assign `websm_port_t` to the port.
+If the variable is set to false, the `cockpit role` does not manage the
+selinux
 
-    semanage port -a -t websm_port_t -p tcp 9999
+NOTE: `cockpit_manage_selinux` is limited to *adding* policy.
+It cannot be used for *removing* policy.
+If you want to remove policy, you will need to use the selinux system
+role directly.
 
-otherwise.
+NOTE: This functionality is supported only when the managed host's `os_family`
+is `RedHat`.
 
-See the [Cockpit guide](https://cockpit-project.org/guide/latest/listen.html#listen-systemd) for details.
+See also the [Cockpit guide](https://cockpit-project.org/guide/latest/listen.html#listen-systemd) for details.
 
 ## Certificate setup
 

defaults/main.yml

@@ -14,3 +14,9 @@ __cockpit_daemon: cockpit.socket
 # __cockpit_packages_default    set in vars/*
 # __cockpit_packages_full       set in vars/*
 # __cockpit_packages_minimal    set in vars/*
+
+# If true, manage the cockpit ports using the firewall role.
+cockpit_manage_firewall: false
+
+# If true, manage the cockpit ports using the selinux role.
+cockpit_manage_selinux: false

meta/collection-requirements.yml

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: MIT
+collections:
+  - fedora.linux_system_roles

tasks/firewall.yml

@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure the cockpit service is enabled
+  include_role:
+    name: fedora.linux_system_roles.firewall
+  vars:
+    _cockpit_port: "{{ cockpit_port if cockpit_port is defined else 9090 }}"
+    _cockpit_port_proto: "{{ _cockpit_port }}/tcp"
+    firewall: "{{ [{'service': 'cockpit', 'state': 'enabled'}]
+                  if (_cockpit_port | int) == 9090 else
+                  [{'port': _cockpit_port_proto, 'state': 'enabled'}] }}"
+  when:
+    - cockpit_manage_firewall | bool
+    - ansible_facts['os_family'] == 'RedHat'

tasks/main.yml

@@ -56,6 +56,12 @@
     - reload systemd
     - restart cockpit
 
+- name: Configure firewall
+  include_tasks: firewall.yml
+
+- name: Configure selinux
+  include_tasks: selinux.yml
+
 - name: Ensure Cockpit Web Console is started/stopped and enabled/disabled
   service:
     name: "{{ __cockpit_daemon }}"

tasks/selinux.yml

@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Ensure the service and the ports status with the selinux role
+  include_role:
+    name: fedora.linux_system_roles.selinux
+  vars:
+    _cockpit_port: "{{ cockpit_port if cockpit_port is defined else 9090 }}"
+    selinux_ports: "{{ [{'ports': _cockpit_port, 'proto': 'tcp',
+                         'setype': 'websm_port_t',
+                         'state': 'present', 'local': 'true'}] }}"
+  when:
+    - cockpit_manage_selinux | bool
+    - ansible_facts['os_family'] == 'RedHat'

tests/tasks/check_firewall_selinux.yml

@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: MIT
+---
+- block:
+    - block:
+        - name: Check firewall port status when cockpit_manage_firewall is true
+          command: firewall-cmd --list-service
+          register: _result
+          failed_when: "'cockpit' not in _result.stdout"
+          changed_when: false
+          when:
+            - _cockpit_port | int == 9090
+
+        - name: Check firewall port status when cockpit_manage_firewall is true
+          command: firewall-cmd --list-port
+          register: _result
+          failed_when: "'{{ _cockpit_port }}/tcp' not in _result.stdout"
+          changed_when: false
+          when:
+            - _cockpit_port | int != 9090
+      when:
+        - cockpit_manage_firewall | bool
+
+    - name: Check associated selinux ports when cockpit_manage_selinux is true
+      shell: |-
+        set -euo pipefail
+        semanage port --list -C | egrep "websm_port_t *tcp" | \
+          grep "{{ _cockpit_port }}"
+      changed_when: false
+      when: cockpit_manage_selinux | bool
+  vars:
+    _cockpit_port: "{{ cockpit_port if cockpit_port is defined else 9090 }}"
+  when:
+    - ansible_facts['os_family'] == 'RedHat'

tests/tests_certificate.yml

@@ -23,7 +23,12 @@
   vars:
     cockpit_packages: minimal
   roles:
-    - linux-system-roles.cockpit
+    - role: linux-system-roles.cockpit
+      public: true
+
+  tasks:
+    - name: test - ensure cockpit_port is configured for firewall and selinux
+      include_tasks: tasks/check_firewall_selinux.yml
 
 - name: Generate self-signed certmonger certificate
   hosts: all

tests/tests_certificate_existing.yml

@@ -3,6 +3,7 @@
   hosts: all
   roles:
     - role: linux-system-roles.cockpit
+      public: true
       vars:
         cockpit_packages: minimal
         cockpit_cert: /etc/myserver.crt
@@ -32,6 +33,9 @@
             warn: false
           changed_when: false
 
+        - name: test - ensure cockpit_port is configured for firewall and selinux
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - name: cleanup - test certificate cert
           file:

tests/tests_certificate_runafter.yml

@@ -23,6 +23,7 @@
         cockpit_packages: minimal
       include_role:
         name: linux-system-roles.cockpit
+        public: true
 
     # self-signed is broken (https://github.com/linux-system-roles/certificate/issues/98),
     # and has too restrictive keyUsage so that using the certificate as CA is not allowed
@@ -84,6 +85,9 @@
           assert:
             that: "'status: MONITORING' in result.stdout"
 
+        - name: test - ensure cockpit_port is configured for firewall and selinux
+          include_tasks: tasks/check_firewall_selinux.yml
+
         - name: test - clean up tracked certificate
           command: >
             getcert stop-tracking -f

tests/tests_config.yml

@@ -12,6 +12,9 @@
             LoginTitle: "hello world"
           Session:
             IdleTimeout: 60
+        cockpit_manage_firewall: false
+        cockpit_manage_selinux: true
+      public: true
 
   tasks:
     - name: tests
@@ -58,5 +61,8 @@
           command: diff -u /run/cockpit.conf.expected /etc/cockpit/cockpit.conf
           changed_when: false
 
+        - name: test - ensure cockpit_port is configured for firewall and selinux
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - include_tasks: tasks/cleanup.yml

tests/tests_default.yml

@@ -3,7 +3,8 @@
   hosts: all
   gather_facts: false
   roles:
-    - linux-system-roles.cockpit
+    - role: linux-system-roles.cockpit
+      public: true
 
   tasks:
     - name: tests
@@ -42,5 +43,8 @@
           register: result
           failed_when: result.stat.exists
 
+        - name: test - ensure cockpit_port is configured for firewall and selinux
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - include_tasks: tasks/cleanup.yml

tests/tests_packages_full.yml

@@ -6,8 +6,11 @@
       block:
         - include_role:
             name: linux-system-roles.cockpit
+            public: true
           vars:
             cockpit_packages: full
+            cockpit_manage_firewall: true
+            cockpit_manage_selinux: false
 
         - meta: flush_handlers
 
@@ -37,5 +40,8 @@
             msg: cockpit-doc is not installed
           when: "'cockpit-doc' not in ansible_facts.packages"
 
+        - name: test - ensure cockpit_port is configured for firewall and selinux
+          include_tasks: tasks/check_firewall_selinux.yml
+
       always:
         - include_tasks: tasks/cleanup.yml

tests/tests_port.yml

@@ -38,7 +38,10 @@
         - name: Run cockpit role
           include_role:
             name: linux-system-roles.cockpit
+            public: true
           vars:
+            cockpit_manage_firewall: true
+            cockpit_manage_selinux: true
             cockpit_packages: minimal
             cockpit_port: 443
 
@@ -61,6 +64,9 @@
           register: result
           failed_when: result is succeeded
 
+        - name: test - ensure cockpit_port is configured for firewall and selinux
+          include_tasks: tasks/check_firewall_selinux.yml
+
         - name: test - clean up output file
           file:
             path: /run/out