This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

Changes in selinux section to avoid confusion and some inconsistencies #127

Closed
martinbydefault opened this issue Aug 9, 2017 · 2 comments

Comments

@martinbydefault

It would be great to make some small changes in the selinux section of this role to avoid confusion, as discussed in this PR: #102
The two changes I think should be made are:

Besides that, I found two inconsistencies between what the comment says and the actual code:

  1. first one here: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L86
    It says that "only runs when selinux is in state enforcing", but the conditional is sestatus.stdout != 'Disabled', so the task could also be executed when selinux is in Permissive mode.
    Can the task also be executed in Permissive mode, or is this an error?

  2. and the second one: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L106
    It says the same as above: "only runs when selinux is in state enforcing", but there isn't any conditional related to selinux in the when: at the end. Is this an error?

@rndmh3ro

rndmh3ro commented Oct 1, 2017

> change the title of this task (https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L57) to test to see if selinux is installed and running

good idea!

> replace this comment: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L64
> with # only runs when selinux is installed

Yes, also a good idea.

> first one here: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L86
> It says that "only runs when selinux is in state enforcing", but the conditional is sestatus.stdout != 'Disabled', so the task could also be executed when selinux is in Permissive mode.
> Can the task also be executed in Permissive mode, or is this an error?

This task also gets executed in Permissive Mode, so the comment is wrong and should be fixed.

> and the second one: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/main.yml#L106
> It says the same as above: "only runs when selinux is in state enforcing", but there isn't any conditional related to selinux in the when: at the end. Is this an error?

Here, the policy should be removed when PAM is used (when: ssh_use_pam). The task should only run when selinux is installed (that's why it is in the block). So I guess the comment should read:
# The following tasks only get executed when selinux is installed, UsePam is "yes" and the ssh_password module is installed.

Do you agree with me on this? Do you want to create a PR to fix this?

This whole managing of selinux is kind of a PITA.
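To make the first inconsistency concrete, here is a small model of the two gates discussed above (an added example, not code from the ansible-ssh-hardening role). It assumes `sestatus` holds the output of `getenforce` (Enforcing, Permissive or Disabled) and that a host without SELinux tooling produces no output at all; both are assumptions, the role itself may register the value differently.

```python
"""Model of the SELinux gating discussed in this issue (added example, not
code from the role). Assumption: `sestatus.stdout` is the output of
`getenforce`, i.e. one of Enforcing, Permissive, Disabled."""

# Constructed inputs: the three getenforce outputs, plus None to model a host
# without SELinux tooling, where the role's block is skipped entirely.
GETENFORCE_OUTPUTS = ("Enforcing", "Permissive", "Disabled", None)


def selinux_installed(stdout):
    """Block guard: SELinux tooling is present and produced output."""
    return stdout is not None


def role_condition(stdout):
    """The conditional the issue quotes from tasks/main.yml#L86:
    sestatus.stdout != 'Disabled' (inside the 'installed' block)."""
    return selinux_installed(stdout) and stdout != "Disabled"


def comment_condition(stdout):
    """What the old comment claimed: 'only runs when selinux is in state
    enforcing'."""
    return selinux_installed(stdout) and stdout == "Enforcing"


def mismatches():
    """getenforce outputs for which the comment and the conditional disagree."""
    return [s for s in GETENFORCE_OUTPUTS
            if role_condition(s) != comment_condition(s)]


if __name__ == "__main__":
    for s in GETENFORCE_OUTPUTS:
        print(f"{str(s):>10}: installed={selinux_installed(s)} "
              f"task_runs={role_condition(s)} comment_claims={comment_condition(s)}")
    # The only disagreement is Permissive: the task runs, the comment says it won't.
    print("comment and conditional disagree on:", mismatches())  # ['Permissive']
```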

@martinbydefault

I agree with all of that; check the PR #131

@rndmh3ro rndmh3ro closed this as completed Oct 3, 2017