Use the firewall role and the selinux role to manage the ports; use the certificate role to generate certificates.

README.md

@@ -36,7 +36,15 @@ To satisfy such requirements, logging role introduced 3 primary variables `loggi
 
 ## Requirements
 
-This role is supported on RHEL/CentOS-7, RHEL/CentOS-8 and Fedora distributions.
+This role is supported on CentOS-7, CentOS-8-Stream+ and Fedora distributions
+as well as on RHEL-7+.
+
+The role requires the following collections:
+* `fedora.linux_system_roles`
+Use this to install the collections:
+```
+ansible-galaxy collection install -vv -r meta/collection-requirements.yml
+```
 
 ## Definitions
 
@@ -422,6 +430,65 @@ These variables are set in the same level of the `logging_inputs`, `logging_outp
   will be uninstalled and reinstalled in order to revert back to the original
   system default configuration.
 - `logging_system_log_dir`: Directory where the local log output files are placed. Default to `/var/log`.
+- `logging_firewall`: This is a `list` of `dict` in the same format as used by the
+  `fedora.linux_system_role.firewall` role.  Use this to specify ports that you
+  want the role to manage in the firewall.
+```yaml
+    # Manage ports 514/tcp, 514/udp, 20514/tcp, and 20514/udp
+    logging_firewall:
+      - port: 514/tcp
+        state: enabled
+      - port: 514/udp
+        state: enabled
+      - port: 20514/tcp
+        state: enabled
+      - port: 20514/udp
+        state: enabled
+```
+```yaml
+    # Stop managing ports 514/tcp, 514/udp, 20514/tcp, and 20514/udp
+    logging_firewall:
+      - port: 514/tcp
+        state: disabled
+      - port: 514/udp
+        state: disabled
+      - port: 20514/tcp
+        state: disabled
+      - port: 20514/udp
+        state: disabled
+```
+- `logging_selinux_ports`: This is a `list` of `dict` in the same format as used
+  by the `fedora.linux_system_roles.selinux` role.  Use this if you want the role
+  to manage the SELinux policy for ports used by the role. Note: To stop managing
+  the port, we recommend to add `local: true` to the parameter. It will prevent
+  the failure in the deletion if the port is in the selinux policy.
+```yaml
+    # Manage port 1514
+    logging_selinux_ports:
+      - ports: 1514
+        proto: tcp
+        setype: syslog_tls_port_t
+        state: present
+```
+```yaml
+    # Stop managing port 1514
+    logging_selinux_ports:
+      - ports: 1514
+        proto: tcp
+        setype: syslog_tls_port_t
+        state: absent
+        local: true
+```
+- `logging_certificates`: This is a `list` of `dict` in the same format as used
+  by the `fedora.linux_system_roles.certificate` role.  Use this if you want the role
+  to generate the certificates used by the role. With this following example, self-
+  signed certificate logging_cert.crt is generated and located in /etc/pki/tls/certs.
+```yaml
+    logging_certificates:
+      - name: logging_cert
+        dns: ['localhost', 'www.example.com']
+        ca: self-sign
+```
 
 ### Update and Delete
 
@@ -645,6 +712,11 @@ Deploying `basics input` reading logs from systemd journal and `forwards output`
   roles:
     - linux-system-roles.logging
   vars:
+    logging_firewall:
+      - port: 514/udp
+        state: enabled
+      - port: 514/tcp
+        state: enabled
     logging_inputs:
       - name: basic_input
         type: basics
@@ -706,6 +778,15 @@ Deploying `remote input` reading logs from remote rsyslog and `remote_files outp
   roles:
     - linux-system-roles.logging
   vars:
+    logging_firewall:
+      - port: 514/udp
+        state: enabled
+      - port: 1514/udp
+        state: enabled
+      - port: 514/tcp
+        state: enabled
+      - port: 1514/tcp
+        state: enabled
     logging_inputs:
       - name: remote_udp_input
         type: remote
@@ -731,6 +812,11 @@ Deploying `remote input` reading logs from remote rsyslog and `remote_files outp
   roles:
     - linux-system-roles.logging
   vars:
+    logging_firewall:
+      - port: 6514/tcp
+        state: enabled
+      - port: 7514/tcp
+        state: enabled
     logging_pki_files:
       - ca_cert_src: /local/path/to/ca_cert
         cert_src: /local/path/to/cert
@@ -767,6 +853,9 @@ Deploying `basics input` reading logs from systemd journal and `relp output` to
   roles:
     - linux-system-roles.logging
   vars:
+    logging_firewall:
+      - port: 20514/tcp
+        state: enabled
     logging_inputs:
       - name: basic_input
         type: basics
@@ -799,6 +888,9 @@ Deploying `relp input` reading logs from remote rsyslog and `remote_files output
   roles:
     - linux-system-roles.logging
   vars:
+    logging_firewall:
+      - port: 20514/tcp
+        state: enabled
     logging_inputs:
       - name: relp_server
         type: relp
@@ -825,11 +917,24 @@ Deploying `relp input` reading logs from remote rsyslog and `remote_files output
 SELinux is only configured to allow sending and receiving on the following ports by default:
 
 ```
-syslogd_port_t        tcp   514, 20514
-syslogd_port_t        udp   514, 20514
+syslog_tls_port_t     tcp   6514, 10514
+syslog_tls_port_t     udp   6514, 10514
+syslogd_port_t        tcp   601, 20514
+syslogd_port_t        udp   514, 601, 20514
 ```
 
-If other ports need to be configured, you can use [linux-system-roles/selinux](https://github.com/linux-system-roles/selinux) to manage SELinux contexts.
+If other ports need to be configured, it can be done by setting `logging_selinux_ports` as follows:
+```yaml
+    logging_selinux_ports:
+      - ports: 1514
+        proto: tcp
+        setype: syslogd_port_t
+        status: present
+      - ports: 11514
+        proto: tcp
+        setype: syslog_tls_port_t
+        status: present
+```
 
 ## Providers
 

defaults/main.yml

@@ -90,6 +90,34 @@ logging_files_template_format: ""
 # Allowed values: "traditional", "syslog",  or "modern"; default to "modern"
 logging_forwards_template_format: ""
 
+# If you want the role to manage the firewall on the ports you are
+# using, specify the arguments to pass to the firewall system role.
+# For example, if you want the logging role to open tcp port 514
+# in the default zone:
+# logging_firewall:
+#   - port: 514/tcp
+# to open a range of ports:
+# logging_firewall:
+#   - port: 10514-10524/tcp
+logging_firewall: []
+
+# If you want the role to manage the selinux on the ports you are
+# using, specify the arguments to pass to the selinux system role.
+# For example, if you want the logging role to open tcp port 514:
+# logging_selinux_ports:
+#   - ports: 514/tcp
+#     setype: syslogd_port_t
+logging_selinux_ports: []
+
+# If you want the role to generate the certificates in the logging
+# configuration, specify the arguments to pass to the certificate
+# system role. Here's an example.
+# logging_certificates:
+#   - name: logging_cert
+#     dns: ['localhost', 'www.example.com']
+#     ca: self-sign
+logging_certificates: []
+
 # ansible_facts required by the role
 __logging_required_facts:
   - distribution

meta/collection-requirements.yml

@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: MIT
+collections:
+  - fedora.linux_system_roles

roles/rsyslog/tasks/main_core.yml

@@ -292,6 +292,30 @@
       when: __rsyslog_enabled | bool
       notify: restart rsyslogd
 
+    # firewall role
+    - name: Manage firewall for specified ports
+      include_role:
+        name: fedora.linux_system_roles.firewall
+      vars:
+        firewall: "{{ logging_firewall }}"
+      when: logging_firewall | length > 0
+
+    # selinux role
+    - name: Manage selinux for specified ports
+      include_role:
+        name: fedora.linux_system_roles.selinux
+      vars:
+        selinux_ports: "{{ logging_selinux_ports }}"
+      when: logging_selinux_ports | length > 0
+
+    # certificates
+    - name: Generate certificates
+      include_role:
+        name: fedora.linux_system_roles.certificate
+      vars:
+        certificate_requests: "{{ logging_certificates }}"
+      when: logging_certificates | length > 0
+
     - block:
         # Check if tls is enabled in forwards output or remote input and
         #          logging_pki_files.{ca_cert_src,ca_cert} is defined

tests/tests_basics_files.yml

@@ -219,6 +219,20 @@
       from imjournal input to two omfile and two omfwd outputs"
       vars:
         logging_purge_confs: true
+        logging_firewall:
+          - port: 1514/tcp
+            state: enabled
+          - port: 20514/tcp
+            state: enabled
+        logging_selinux_ports:
+          - ports: 1514
+            proto: tcp
+            setype: syslogd_port_t
+            state: present
+          - ports: 20514
+            proto: tcp
+            setype: syslogd_port_t
+            state: present
         logging_outputs:
           - name: files_output0
             type: files
@@ -243,7 +257,7 @@
             type: forwards
             facility: local2
             target: host.domain
-            tcp_port: 2514
+            tcp_port: 20514
         logging_inputs:
           - name: basic_input0
             type: basics
@@ -308,17 +322,86 @@
           }
         mode: '0600'
 
-
     - name: Check severity_and_facility
       command: diff -B /tmp/__testfile__ '{{ __test_forwards_conf }}'
       changed_when: false
 
+    - name: Check ports specified in logging_firewall
+      shell: |-
+        set -euo pipefail
+        firewall-cmd --query-port=1514/tcp
+      register: __result
+      changed_when: false
+      failed_when: __result.stdout != "yes"
+
+    - block:
+        - name: Install SELinux tool semanage
+          package:
+            name:
+              - policycoreutils-python-utils
+            state: present
+
+        - name: Check ports specified in logging_selinux_ports
+          shell: |-
+            set -euo pipefail
+            semanage port --list | grep syslogd_port_t | grep "\<1514\>"
+          register: __result
+          changed_when: false
+          failed_when: __result.rc != 0
+      when: ansible_distribution == "Fedora" or
+            ( ansible_distribution_major_version | int > 7 and
+            ansible_distribution in ["CentOS", "RedHat", "Rocky"] )
+
     - name: END TEST CASE 3; Clean up the deployed config
       vars:
         logging_purge_confs: true
+        logging_firewall:
+          - port: 1514/tcp
+            state: disabled
+          - port: 20514/tcp
+            state: disabled
+        logging_selinux_ports:
+          - ports: 1514
+            proto: tcp
+            setype: syslogd_port_t
+            state: absent
+            local: true
+          - ports: 20514
+            proto: tcp
+            setype: syslogd_port_t
+            state: absent
+            local: true
       include_role:
         name: linux-system-roles.logging
 
+    - name: Check ports specified in logging_firewall is cleaned up
+      shell: |-
+        set -euo pipefail
+        firewall-cmd --query-port=1514/tcp
+      register: __result
+      changed_when: false
+      failed_when: __result.stdout == "yes"
+
+    - block:
+        - name: Check selinux default port is not cleaned up
+          shell: |-
+            set -euo pipefail
+            semanage port --list | grep syslogd_port_t | grep "\<20514\>"
+          register: __result
+          changed_when: false
+          failed_when: __result.rc != 0
+
+        - name: Check non-default port is cleaned up
+          shell: |-
+            set -euo pipefail
+            semanage port --list | grep syslogd_port_t | grep "\<1514\>" || :
+          register: __result
+          changed_when: false
+          failed_when: __result.stdout != ""
+      when: ansible_distribution == "Fedora" or
+            ( ansible_distribution_major_version | int > 7 and
+            ansible_distribution in ["CentOS", "RedHat", "Rocky"] )
+
     - name: Cleaning up __testfile__
       file:
         path: /tmp/__testfile__