ansible-collection-hardening
Fix bug related to issue #537
Hello,
I have fixed the bug related to issue number #537. Fixed #537
Kind regards Mahdi Abbasi
@rndmh3ro Some pipelines failed and it seems there is an issue importing the required library for SELinux in Python in the GitHub workflow. Do you have access to check it, please?
The tasks all run in molecule, so you can test it locally. Just install molecule, then run the following command to test the role with rocky linux 8:
export MOLECULE_DISTRO=rocky8; molecule -v test -s os_hardening
The tests probably fail because the condition when: "'libselinux' in ansible_facts.packages" is not enough to accurately determine if selinux is installed. You'll probably have to adjust your code here.
Thanks, you're right. The condition wasn't sufficient. I've fixed it. Please re-run the tasks.
package_facts doesn't support the openSUSE package manager (zypper) for checking installed packages, and I don't have a standard solution for handling it. Do you have any solutions for it? Or can we ignore it for this particular distro?
@rndmh3ro
SUSE uses rpm under the hood, so you need to install the rpm Python library python310-rpm. Then you can use package_facts.
Thanks, I've fixed it.
I thought about this whole problem some more. Basically we have several different use-cases with selinux we need to be aware of and handle:
- selinux is installed, but should not enforce: this works with `os_selinux_enabled: true` and `os_selinux_policy: enforcing`
- selinux is installed, but should not be activated: this works with `os_selinux_enabled: true` and `os_selinux_state: disabled`
- selinux isn't installed at all, but should be and be enforcing
  - we don't handle this right now because we don't install selinux
  - even worse, if a user sets `os_selinux_enabled: true`, they expect that selinux will be installed and enforced, however this won't happen at all
- selinux isn't installed at all, and should not be enforcing: this works with `os_selinux_enabled: false`
So we probably need to implement the use case "selinux isn't installed at all, but should be and be enforcing". @MahdiAbbasi95 are you up to this? :)
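The cases listed above, and the earlier point that `'libselinux' in ansible_facts.packages` alone does not prove SELinux is usable, sketched as an added Ansible task list. This is example code written for this discussion, not the role's own tasks. It assumes the `ansible.posix.selinux` module (which takes the mode as `state` and the policy type as `policy`, so `os_selinux_state` carries enforcing/permissive/disabled and `os_selinux_policy` carries e.g. `targeted`), the `python310-rpm` package name from the thread, and the per-family SELinux package names in `_selinux_packages`, which are assumptions to verify for each distro before use.

```yaml
# Added example (not the role's own tasks). Variables os_selinux_enabled,
# os_selinux_state and os_selinux_policy come from the thread; package names
# and the SUSE python binding are assumptions to check per distribution.
- name: Install the rpm Python bindings so package_facts works on SUSE (package name assumed, from the thread)
  ansible.builtin.package:
    name: python310-rpm
    state: present
  when: ansible_facts['os_family'] == 'Suse'

- name: Gather installed packages
  ansible.builtin.package_facts:
    manager: auto

- name: Decide whether SELinux is actually usable on this host
  # 'libselinux' in ansible_facts.packages only proves the shared library is
  # installed. The selinux fact reports whether the running kernel has SELinux
  # enabled, and selinux_python_present whether the bindings Ansible needs import.
  ansible.builtin.set_fact:
    _selinux_present: "{{ (ansible_facts['selinux']['status'] | default('disabled')) == 'enabled' }}"
    _selinux_python_present: "{{ ansible_facts['selinux_python_present'] | default(false) }}"

- name: Install SELinux policy and tooling when it is wanted but missing (package names assumed)
  ansible.builtin.package:
    name: "{{ _selinux_packages[ansible_facts['os_family']] }}"
    state: present
  vars:
    _selinux_packages:
      RedHat: ['selinux-policy-targeted', 'libselinux-utils', 'python3-libselinux']
      Debian: ['selinux-basics', 'selinux-policy-default', 'python3-selinux']
  when:
    - os_selinux_enabled | bool
    - (not (_selinux_present | bool)) or (not (_selinux_python_present | bool))
    - ansible_facts['os_family'] in _selinux_packages

- name: Configure SELinux mode and policy (covers the "installed but should not enforce/activate" cases)
  ansible.posix.selinux:
    state: "{{ os_selinux_state | default('enforcing') }}"
    policy: "{{ os_selinux_policy | default('targeted') }}"
  when: os_selinux_enabled | bool
  register: _selinux_config

- name: Warn that the change only takes effect after a reboot
  # A freshly installed or newly disabled SELinux needs a reboot; on Debian the
  # first activation also needs a filesystem relabel (selinux-activate does this).
  ansible.builtin.debug:
    msg: "SELinux configuration changed; reboot (and relabel on Debian) required"
  when: _selinux_config.reboot_required | default(false)
```

The "not installed and should not be enforcing" case needs no task: with `os_selinux_enabled: false` every task above is skipped. Hosts whose `os_family` has no entry in `_selinux_packages` (SUSE here) still skip the install task, so the last use case stays unhandled for them until a verified package list is added.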
Ok, I will implement it.
@rndmh3ro When I want to test locally using molecule with your images, I get this error for some images such as centosstream9, rocky9, Debian, etc. I have set the remote_tmp to "/tmp", but it didn't work. I checked everything including permissions and everything seems ok. Is there any special thing that we should do for testing your project locally?
fatal: [instance]: UNREACHABLE! => {"changed": false, "msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo /tmp `\"&& mkdir \"` echo /tmp/ansible-tmp-1675414554.0695782-88546-238456467597761 `\" && echo ansible-tmp-1675414554.0695782-88546-238456467597761=\"` echo /tmp/ansible-tmp-1675414554.0695782-88546-238456467597761 `\" ), exited with result 1", "unreachable": true}
@MahdiAbbasi95 I had these problems, too. I tried to fix them (for me it works locally now) here: https://github.com/dev-sec/ansible-collection-hardening/pull/632
Can you please pull the changes from master and test again?
@rndmh3ro I've checked it, but still have the same problem with some of them:
centosstream9, rocky9, ubuntu2204, opensuse
This problem for Debian images has been solved. I'll check this issue in more detail and I'll tell you the result.