ansible-collection-hardening

OS harden will not enable SELinux if SELinux is disabled

Open bgbak opened this issue 2 years ago • 1 comments

Describe the bug

In the OS Hardening role, SELinux will not be enabled if SELinux is already disabled.

Expected behavior

Expect SELinux to be enabled and configured.

Actual behavior

TASK [devsec.hardening.os_hardening : Configure selinux | selinux-01] ********** 
skipping: [SELinux-Disabled]
ok: [SELinux-Enabled]

Example Playbook

---
- hosts: all
  collections:
    - devsec.hardening
  roles:
    - os_hardening

OS / Environment

Both targets running CentOS 7

Ansible Version

AWX 0.20.0 on k3s.
quay.io/ansible/awx-ee:latest as execution environment. No modifications

Role Version

7.14.1

Additional context

This conditional will return false if SELinux is not enabled

https://github.com/dev-sec/ansible-collection-hardening/blob/1d3ea50de629eb3e54291d2a59fe378991b0037a/roles/os_hardening/tasks/hardening.yml#L96

bgbak, Apr 27 '22 10:04

We should probably change that. I think this worked before...

I do see one problem though: ansible_facts.selinux.status shows disabled, whether it is actually disabled or it isn't installed at all (e.g. on Debian systems). So we should check if it is installed and only then continue enabling it.

rndmh3ro, May 09 '22 08:05
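
One way to separate "installed but disabled" from "not installed" before enabling SELinux, as an added example that is not part of this thread or the os_hardening role's own tasks. Assumptions: the presence of /etc/selinux/config is used as the "installed" signal, the policy and state values are illustrative, and the ansible.posix collection and the SELinux Python bindings are available on the targets.

```yaml
---
# Added illustration: gate on "is SELinux installed" rather than on
# ansible_facts.selinux.status, which reads "disabled" in both cases.
- hosts: all
  become: true
  tasks:
    - name: Check whether SELinux is installed
      ansible.builtin.stat:
        path: /etc/selinux/config   # assumption: this file exists only where SELinux is installed
      register: selinux_config

    - name: Report hosts without SELinux instead of skipping silently
      ansible.builtin.debug:
        msg: "SELinux is not installed on {{ inventory_hostname }}; nothing to enable"
      when: not selinux_config.stat.exists

    - name: Configure SELinux whether it is currently enabled or disabled
      ansible.posix.selinux:
        policy: targeted            # assumed value for the example
        state: enforcing            # assumed value for the example
      register: selinux_result
      when: selinux_config.stat.exists

    - name: Flag hosts that need a reboot to leave the disabled state
      ansible.builtin.debug:
        msg: "Reboot {{ inventory_hostname }} to activate SELinux"
      when:
        - selinux_config.stat.exists
        - selinux_result.reboot_required | default(false)
```

A host that was running with SELinux disabled only switches mode after a reboot, so the last task surfaces the module's reboot_required result rather than treating the change as complete.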