
Conversation

@MahdiAbbasi95

Hello,

I have fixed the bug related to issue number #537.
Fixed #537

Kind regards
Mahdi Abbasi

@MahdiAbbasi95
Author

@rndmh3ro
Some pipes failed, and it seems there is an issue importing the required library for SELinux in Python in the GitHub workflow. Do you have access to check it, please?

@rndmh3ro
Member

The tasks all run in molecule, so you can test it locally.
Just install molecule, then run the following command to test the role with rocky linux 8:

export MOLECULE_DISTRO=rocky8; molecule -v test -s os_hardening

The tests probably fail because the condition when: "'libselinux' in ansible_facts.packages" is not enough to accurately determine if selinux is installed. You'll probably have to adjust your code here.

MahdiAbbasi95 and others added 4 commits December 24, 2022 20:25
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 1 to 4.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v1...v4)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mahdi Abbasi <[email protected]>
Signed-off-by: Mahdi Abbasi <[email protected]>
@MahdiAbbasi95
Author

> The tasks all run in molecule, so you can test it locally. Just install molecule, then run the following command to test the role with rocky linux 8:
>
> export MOLECULE_DISTRO=rocky8; molecule -v test -s os_hardening
>
> The tests probably fail because the condition when: "'libselinux' in ansible_facts.packages" is not enough to accurately determine if selinux is installed. You'll probably have to adjust your code here.

Thanks.
You're right, the condition wasn't sufficient. I've fixed it. Please re-run the tasks.

@MahdiAbbasi95
Author

package_facts doesn't support the openSUSE package manager (zypper) for checking installed packages, and I don't have a standard solution for handling it. Do you have any solutions for it?
Or can we ignore it for this particular distro?

@rndmh3ro

@rndmh3ro
Member

> package_facts doesn't support the openSUSE package manager (zypper) for checking installed packages, and I don't have a standard solution for handling it. Do you have any solutions for it?

SUSE uses rpm under the hood, so you need to install the rpm Python library python310-rpm. Then you can use package_facts.

@MahdiAbbasi95
Author

> package_facts doesn't support the openSUSE package manager (zypper) for checking installed packages, and I don't have a standard solution for handling it. Do you have any solutions for it?

> SUSE uses rpm under the hood, so you need to install the rpm Python library python310-rpm. Then you can use package_facts.

Thanks,
I've fixed it.

@rndmh3ro
Member

I thought about this whole problem some more.
Basically we have several different use-cases with selinux we need to be aware of and handle:

  • selinux is installed, but should not enforce: this works with os_selinux_enabled: true and os_selinux_policy: enforcing
  • selinux is installed, but should not be activated: this works with os_selinux_enabled: true and os_selinux_state: disabled
  • selinux isn't installed at all, but should be and be enforcing
    • we don't handle this right now because we don't install selinux
    • even worse, if a user sets os_selinux_enabled: true, they expect that selinux will be installed and enforced, however this won't happen at all
  • selinux isn't installed at all, and should not be enforcing: this works with os_selinux_enabled: false

So we probably need to implement the use case selinux isn't installed at all, but should be and be enforcing. @MahdiAbbasi95 are you up to this? :)
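One way the four cases above could be handled in a single task file. This is an added example, not code from the dev-sec role or from this PR. It assumes the role variables os_selinux_enabled (bool), os_selinux_state (enforcing, permissive or disabled) and os_selinux_policy (for example targeted); it assumes the RHEL-family package names shown and the SUSE rpm binding python310-rpm named earlier in the thread; Debian-family installation is not covered. The detection point is the one raised above: a present libselinux package says nothing about whether the kernel has SELinux loaded, so the decision has to come from the selinux facts, which also report when the Python bindings are missing.

```yaml
# Added example, not code from the dev-sec role or from this PR.
# Assumed: role variables os_selinux_enabled (bool), os_selinux_state
# (enforcing|permissive|disabled) and os_selinux_policy (e.g. targeted);
# RHEL-family package names; python310-rpm as the SUSE rpm binding.
- name: Install Python rpm bindings so package_facts can read the rpm database on SUSE
  ansible.builtin.package:
    name: python310-rpm   # assumed package name, as given in the thread
    state: present
  when: ansible_facts.os_family == 'Suse'

- name: Collect installed packages
  ansible.builtin.package_facts:
    manager: auto

- name: Install SELinux when it should be managed (RHEL family only in this example)
  ansible.builtin.package:
    name:
      - selinux-policy-targeted   # assumed package names for the RHEL family
      - libselinux-utils
      - python3-libselinux        # required by the ansible.posix.selinux module
    state: present
  when:
    - os_selinux_enabled | bool
    - ansible_facts.os_family == 'RedHat'

# 'libselinux' in ansible_facts.packages only proves the library is on disk.
# Whether SELinux is loaded in the kernel, and in which mode, is reported by
# the selinux facts; re-gather them because the bindings may just have been
# installed (status would otherwise read "Missing selinux Python library").
- name: Refresh SELinux facts
  ansible.builtin.setup:
    gather_subset:
      - selinux

- name: Record what is actually known about SELinux on this host
  ansible.builtin.set_fact:
    selinux_library_present: "{{ 'libselinux' in ansible_facts.packages }}"
    selinux_kernel_enabled: "{{ ansible_facts.selinux.status | default('disabled') == 'enabled' }}"

- name: Fail early when SELinux should be managed but the host cannot do it
  ansible.builtin.assert:
    that:
      - ansible_facts.selinux.status | default('disabled') != 'Missing selinux Python library'
    fail_msg: "libselinux Python bindings are missing; install them before managing SELinux"
  when: os_selinux_enabled | bool

# Covers "installed, should enforce" and "installed, should be disabled":
# the module writes /etc/selinux/config and switches the runtime mode where
# the kernel allows it (enforcing <-> permissive).
- name: Set SELinux mode and policy
  ansible.posix.selinux:
    state: "{{ os_selinux_state }}"
    policy: "{{ os_selinux_policy }}"
  register: selinux_result
  when: os_selinux_enabled | bool

# Leaving the disabled state only takes effect after a reboot, and the
# filesystem must be relabelled on that boot or services fail to start.
- name: Request a relabel on next boot when SELinux is being turned on from disabled
  ansible.builtin.file:
    path: /.autorelabel
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - os_selinux_enabled | bool
    - not (selinux_kernel_enabled | bool)
    - selinux_result.reboot_required | default(false)
```

With os_selinux_enabled: false nothing runs, which is the fourth case. The example deliberately leaves the reboot to the operator: the ansible.posix.selinux module reports reboot_required, and rebooting inside a hardening role is a decision the role's users should make explicitly.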

@MahdiAbbasi95
Author

> I thought about this whole problem some more. Basically we have several different use-cases with selinux we need to be aware of and handle:
>
>   • selinux is installed, but should not enforce: this works with os_selinux_enabled: true and os_selinux_policy: enforcing
>   • selinux is installed, but should not be activated: this works with os_selinux_enabled: true and os_selinux_state: disabled
>   • selinux isn't installed at all, but should be and be enforcing
>     • we don't handle this right now because we don't install selinux
>     • even worse, if a user sets os_selinux_enabled: true, they expect that selinux will be installed and enforced, however this won't happen at all
>   • selinux isn't installed at all, and should not be enforcing: this works with os_selinux_enabled: false
>
> So we probably need to implement the use case selinux isn't installed at all, but should be and be enforcing. @MahdiAbbasi95 are you up to this? :)

Ok, I will implement it.

@MahdiAbbasi95
Author

@rndmh3ro
When I want to test locally using molecule with your images, I get this error for some images, such as centosstream9, rocky9, Debian, etc. I have set remote_tmp to "/tmp", but it didn't work. I checked everything, including permissions, and everything seems ok. Is there any special thing that we should do for testing your project locally?

fatal: [instance]: UNREACHABLE! => {"changed": false, "msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo /tmp `\"&& mkdir \"` echo /tmp/ansible-tmp-1675414554.0695782-88546-238456467597761 `\" && echo ansible-tmp-1675414554.0695782-88546-238456467597761=\"` echo /tmp/ansible-tmp-1675414554.0695782-88546-238456467597761 `\" ), exited with result 1", "unreachable": true}

@rndmh3ro
Member

rndmh3ro commented Feb 6, 2023

@MahdiAbbasi95 I had these problems, too. I tried to fix them (for me it works locally now) here: #632

Can you please pull the changes from master and test again?

@MahdiAbbasi95
Author

> @MahdiAbbasi95 I had these problems, too. I tried to fix them (for me it works locally now) here: #632
>
> Can you please pull the changes from master and test again?

@rndmh3ro
I've checked it, but still have the same problem with some of them:

centosstream9
rocky9
ubuntu2204
opensuse

This problem for Debian images has been solved.
I'll check this issue in more detail and I'll tell you the result.


Successfully merging this pull request may close these issues.

OS harden will not enable SELinux if SELinux is disabled
