From 19894269dc01ed1d17c0e3b996d2dbeaf5d83e35 Mon Sep 17 00:00:00 2001 From: Fabricio Aguiar Date: Mon, 12 Jul 2021 18:17:13 -0300 Subject: [PATCH] Display SELinux errors https://pulp.plan.io/issues/9007 closes #9007 --- CHANGES/9007.misc | 1 + .../tasks/install_basic_packages.yml | 1 + roles/pulp_devel/tasks/main.yml | 28 +++++++++++++++++++ roles/pulp_devel/templates/alias.bashrc.j2 | 5 ++++ roles/pulp_devel/vars/CentOS-7.yml | 1 + roles/pulp_devel/vars/CentOS-8.yml | 1 + roles/pulp_devel/vars/Fedora-34.yml | 1 + roles/pulp_devel/vars/Fedora.yml | 1 + .../pre_tasks/selinux-workarounds.yml | 9 ++++++ 9 files changed, 48 insertions(+) create mode 100644 CHANGES/9007.misc diff --git a/CHANGES/9007.misc b/CHANGES/9007.misc new file mode 100644 index 000000000..2e61acc6f --- /dev/null +++ b/CHANGES/9007.misc @@ -0,0 +1 @@ +Display SELinux errors even on permissive mode diff --git a/roles/pulp_devel/tasks/install_basic_packages.yml b/roles/pulp_devel/tasks/install_basic_packages.yml index 1f2f9e59f..77e9051d9 100644 --- a/roles/pulp_devel/tasks/install_basic_packages.yml +++ b/roles/pulp_devel/tasks/install_basic_packages.yml @@ -15,6 +15,7 @@ - gnupg - rubygems - npm + - rsyslog state: present retries: "{{ pulp_devel_package_retries }}" register: result diff --git a/roles/pulp_devel/tasks/main.yml b/roles/pulp_devel/tasks/main.yml index d2baf8b52..4be27afbf 100644 --- a/roles/pulp_devel/tasks/main.yml +++ b/roles/pulp_devel/tasks/main.yml 
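Review bot: Nothing in this hunk enables or starts the `rsyslog` service that the added list entry installs, and a present-state package install alone does not start a unit on hosts where it is not already running, so if the goal is to have setroubleshootd's explanations land in /var/log/messages a follow-up `service: name=rsyslog state=started enabled=true` task is still needed. If the only consumer is the new `sealert --analyze=/var/log/audit/audit.log` task, which reads audit.log directly, this package is not required for the feature at all. This list appears to be installed on every distribution the role supports while the `sealert` tasks in the same change run only when `ansible_facts.os_family == "RedHat"`, so the entry is either redundant elsewhere or should carry the same condition. The task's header (and its module) is above the hunk, so I cannot confirm which package module is in use.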
@@ -69,4 +69,32 @@ src: motd dest: /etc/motd become: true + +- name: Check SELinux logs + stat: + path: "/var/log/audit/audit.log" + register: selinuxlog + +- name: SELinux Analyze + shell: | + set -o pipefail + sealert --analyze=/var/log/audit/audit.log | grep "SELinux is preventing" + args: + # Debian defaults to bourne, but it doesn't understand pipefail. + executable: /bin/bash + changed_when: false + register: selinux_analyze + check_mode: false + become: true + when: + - selinuxlog.stat.exists + - ansible_facts.os_family == "RedHat" + +- name: SELinux status + debug: + var: selinux_analyze.stdout_lines + when: + - ansible_facts.os_family == "RedHat" + - selinuxlog.stat.exists + - selinux_analyze.stdout ... diff --git a/roles/pulp_devel/templates/alias.bashrc.j2 b/roles/pulp_devel/templates/alias.bashrc.j2 index 2ab4da120..e6b2beed4 100644 --- a/roles/pulp_devel/templates/alias.bashrc.j2 +++ b/roles/pulp_devel/templates/alias.bashrc.j2 @@ -149,6 +149,11 @@ pyclean () { } _pyclean_help="Cleanup extra python files" +pselinux () { + sealert --analyze=/var/log/audit/audit.log | grep "SELinux is preventing" +} +_pselinux_help="Display SELinux errors" + pbindings(){ CURRENT_DIR=$(pwd) lang="${2:-python}" diff --git a/roles/pulp_devel/vars/CentOS-7.yml b/roles/pulp_devel/vars/CentOS-7.yml index 974cfd1b4..ff6f29e1e 100644 --- a/roles/pulp_devel/vars/CentOS-7.yml +++ b/roles/pulp_devel/vars/CentOS-7.yml @@ -4,3 +4,4 @@ pulp_devel_distro_pkgs: - python-virtualenvwrapper - ruby-devel - jnettop + - setroubleshoot diff --git a/roles/pulp_devel/vars/CentOS-8.yml b/roles/pulp_devel/vars/CentOS-8.yml index 58831cc76..89a0e4635 100644 --- a/roles/pulp_devel/vars/CentOS-8.yml +++ b/roles/pulp_devel/vars/CentOS-8.yml @@ -8,3 +8,4 @@ pulp_devel_distro_pkgs: - python3-virtualenv-clone - vim-enhanced - ruby-devel + - setroubleshoot diff --git a/roles/pulp_devel/vars/Fedora-34.yml b/roles/pulp_devel/vars/Fedora-34.yml index 3eb96f261..5acc598bb 100644 
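Review bot: With `set -o pipefail`, the `SELinux Analyze` task fails whenever `grep` finds no "SELinux is preventing" line, because grep exits 1 on no match and the task sets no `failed_when`; the clean-system case therefore aborts the play instead of printing nothing. Add `failed_when: selinux_analyze.rc > 1` so only a genuine error (grep exit 2, or a failing `sealert` propagated by pipefail) fails the task while a no-match exit 1 is treated as success. The preceding `Check SELinux logs` stat task runs without `become: true`; on RHEL-family hosts /var/log/audit is normally a root-only 0700 directory, so for a non-root connection user `stat` will report `exists: false` and the analysis is silently skipped — add `become: true` to that task as well. The `stat` task also lacks the `os_family == "RedHat"` guard the other two carry; it is harmless as written, but wrapping the three tasks in one `block` with a shared `when` would make the precondition explicit.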
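Review bot: `pselinux` reads /var/log/audit/audit.log, which on RHEL-family hosts is typically 0600 inside a root-only directory, so when run from the developer's login shell the function will fail with a permission error unless that shell is already root; if the aliases are intended for an unprivileged user, run it as `sudo sealert --analyze=/var/log/audit/audit.log | grep "SELinux is preventing"`. The function is also defined on every distribution this template is rendered for, while `setroubleshoot` is only installed for the RedHat family in this change, so on Debian it produces a confusing "command not found"; a guard such as `command -v sealert >/dev/null 2>&1 || { echo "sealert not installed (setroubleshoot)"; return 1; }` as the first line would make the failure mode explicit. Whether other helpers in this template already assume root or sudo is outside the hunk.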
--- a/roles/pulp_devel/vars/Fedora-34.yml +++ b/roles/pulp_devel/vars/Fedora-34.yml @@ -12,3 +12,4 @@ pulp_devel_distro_pkgs: - vim-enhanced - ruby-devel - crun + - setroubleshoot diff --git a/roles/pulp_devel/vars/Fedora.yml b/roles/pulp_devel/vars/Fedora.yml index 38f649bd6..599a4cb43 100644 --- a/roles/pulp_devel/vars/Fedora.yml +++ b/roles/pulp_devel/vars/Fedora.yml @@ -12,3 +12,4 @@ pulp_devel_distro_pkgs: - vim-enhanced - ruby-devel - jnettop + - setroubleshoot diff --git a/vagrant/playbooks/pre_tasks/selinux-workarounds.yml b/vagrant/playbooks/pre_tasks/selinux-workarounds.yml index 762749a49..c1b8ff0f8 100644 --- a/vagrant/playbooks/pre_tasks/selinux-workarounds.yml +++ b/vagrant/playbooks/pre_tasks/selinux-workarounds.yml @@ -15,6 +15,15 @@ - ansible_facts.os_family == 'RedHat' - ansible_facts.distribution_major_version | int != 7 +- name: Install loggers + yum: + name: + - rsyslog + - setroubleshoot + become: true + when: + - ansible_facts.os_family == 'RedHat' + # e.g. `ausearch -m AVC,USER_AVC` to see all SELinux errors, # rather than having Pulp fail on the 1st SELinux error. - name: Set SELinux to permissive to facilitate debugging
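Review bot: The `Install loggers` task uses the `yum` module, yet the `distribution_major_version | int != 7` guard on the previous task implies this play also runs on non-7 RedHat-family hosts such as Fedora and CentOS 8, where the yum backend may not be what you want; the distribution-neutral `package` module (or `dnf`) would avoid a backend mismatch. The task also installs `rsyslog` without any task that enables or starts the service, so unless it is already running the install alone does not change where audit messages end up — the `ausearch`/`sealert` workflow in the comment below reads audit.log directly and does not need it. `setroubleshoot` is additionally pulled in by the `pulp_devel` role's distro vars in this same change, so one of the two installs could be dropped to keep a single source of truth. The task preceding this hunk begins outside it.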