
Support configuring SELinux and default to enforcing #236

Merged
merged 2 commits into from Oct 17, 2019

Conversation

jaredledvina
Contributor

Closes #154

I think this might do the right thing, will check out the build though. I chose to default to enforcing as I don't want the defaults here to actually walk back the configuration that RHEL and friends ship with.

Signed-off-by: Jared Ledvina <jared@techsmix.net>

Signed-off-by: Jared Ledvina <jared@techsmix.net>
@rndmh3ro
Member

rndmh3ro commented Oct 7, 2019

Hey @jaredledvina,

this looks good and straightforward! I'd like to do some tests on all supported operating systems before merging, to see what happens on them.

@jaredledvina
Contributor Author

Sweet, thanks @rndmh3ro!

I don't have a system currently configured w/ SELinux working but, if you'd like, I can try to make a temp DigitalOcean VM or something to make sure this works. My only concern would be that I don't know if we can ever test SELinux things like this via TravisCI unless they have a CentOS/Fedora base OS setup I'm unaware of.

@rndmh3ro
Member

> I don't have a system currently configured w/ SELinux working but, if you'd like, I can try to make a temp DigitalOcean VM or something to make sure this works

I'll just test it with the vagrant-vms - that should be enough. Of course you can test the changes, too, if you want!

> My only concern would be that I don't know if we can ever test SELinux things like this via TravisCI unless they have a CentOS/Fedora base OS setup I'm unaware of.

Travis does not support this. SELinux testing is kind of a pain, however doing it locally and manually with vagrant usually works.

@rndmh3ro
Member

I just tested it on CentOS 8 and Ansible 2.8.5 and wondered why the import-task was being skipped. For me importing only worked like this:

```yaml
# with import_tasks the `when` is applied to every task in selinux.yml
- import_tasks: selinux.yml
  tags: selinux
  when:
    - ansible_facts.selinux is defined
    - ansible_facts.selinux
```

Can you recheck on your side?

Signed-off-by: Jared Ledvina <jared@techsmix.net>
@jaredledvina
Contributor Author

jaredledvina commented Oct 13, 2019

Sorry about that!

Okay so, reading through https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py, it looks like I can do a when on the selinux.status fact being enabled such that we only include this play if the host 1) has the selinux python lib & 2) has actually enabled SELinux on the host.
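An added example of the conditional import and the SELinux task file that the comment above describes; this is not the pull request's own code. It assumes a `main.yml` that imports `selinux.yml`, and the variable names `os_selinux_state` and `os_selinux_policy` are hypothetical (defaults chosen to match the PR title: enforcing, targeted). Ansible's selinux fact module sets `ansible_facts.selinux.status` to `enabled`, `disabled`, or `Missing selinux Python library`, so one string comparison covers both the "no python lib" and the "SELinux disabled" cases. The tail of the task file checks the running mode with `getenforce` after the change, skipping the check when the `selinux` module reports that a reboot is still required (switching from disabled to enforcing only takes effect after a reboot).

```yaml
# main.yml (hypothetical excerpt, added example):
# import the SELinux tasks only on hosts that actually run SELinux.
- import_tasks: selinux.yml
  tags: selinux
  when:
    - ansible_facts.selinux is defined
    - ansible_facts.selinux.status == "enabled"

# selinux.yml (hypothetical, added example):
# os_selinux_state / os_selinux_policy are assumed variable names.
- name: Configure SELinux policy and mode (defaults: targeted, enforcing)
  selinux:
    policy: "{{ os_selinux_policy | default('targeted') }}"
    state: "{{ os_selinux_state | default('enforcing') }}"
  register: os_selinux_result

- name: Warn when the new mode only applies after a reboot
  debug:
    msg: "SELinux state change needs a reboot before it is effective"
  when: os_selinux_result.reboot_required | default(false)

- name: Read the running SELinux mode
  command: getenforce
  register: os_getenforce
  changed_when: false

- name: Verify the running mode matches the configured state
  assert:
    that:
      - (os_getenforce.stdout | lower) == (os_selinux_state | default('enforcing'))
    fail_msg: "getenforce reports {{ os_getenforce.stdout }}, expected {{ os_selinux_state | default('enforcing') }}"
  when: not (os_selinux_result.reboot_required | default(false))
```

Running this against a Vagrant CentOS box is the quickest way to see both branches: with SELinux already enabled the assert passes immediately, while a box that boots with `SELINUX=disabled` reports `reboot_required` and the assert is skipped until the next boot.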

@rndmh3ro
Member

Finally came around to testing it and works great. Thank you @jaredledvina!

@rndmh3ro rndmh3ro merged commit 804538e into dev-sec:master Oct 17, 2019
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022 (…uring-selinux-status): Support configuring SELinux and default to enforcing
Successfully merging this pull request may close these issues.

Add selinux configuration
2 participants