dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

OS harden will not enable SELinux if SELinux is disabled #537

Open bgbak opened 2 years ago

bgbak commented 2 years ago

Describe the bug

In the OS Hardening role SELinux will not be enabled if SELinux is already disabled.

Expected behavior

Expect SELinux to be enabled and configured.

Actual behavior

TASK [devsec.hardening.os_hardening : Configure selinux | selinux-01] ********** 
skipping: [SELinux-Disabled]
ok: [SELinux-Enabled]

Example Playbook

---
- hosts: all
  collections:
    - devsec.hardening
  roles:
    - os_hardening

OS / Environment

Both targets running CentOS 7

Ansible Version

AWX 0.20.0 on k3s.
quay.io/ansible/awx-ee:latest as execution environment. No modifications.

Role Version

7.14.1

Additional context

This conditional will return false if SELinux is not enabled:

https://github.com/dev-sec/ansible-collection-hardening/blob/1d3ea50de629eb3e54291d2a59fe378991b0037a/roles/os_hardening/tasks/hardening.yml#L96

rndmh3ro commented 2 years ago

We should probably change that. I think this worked before...

I do see one problem though: ansible_facts.selinux.status shows disabled, whether it is actually disabled or it isn't installed at all (e.g. on debian systems). So we should check if it is installed and only then continue enabling it.
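One way to implement the check rndmh3ro describes, as an added example playbook that is not part of the dev-sec os_hardening role: instead of gating on `ansible_facts.selinux.status` (which reads "disabled" both when SELinux is switched off and when it is not installed), it gathers package facts and the presence of `/etc/selinux/config`, and only then applies the `ansible.posix.selinux` module. The package names `selinux-policy-targeted` and `selinux-policy` are assumptions for the RHEL/CentOS family, and the play assumes the `ansible.posix` collection is available on the controller.

```yaml
---
# Added example, not code from dev-sec/ansible-collection-hardening.
# Assumptions: RHEL/CentOS package names for the SELinux policy, and the
# ansible.posix collection installed on the controller.
- hosts: all
  become: true
  tasks:
    - name: Gather installed packages so we can tell "disabled" from "not installed"
      ansible.builtin.package_facts:
        manager: auto

    - name: Check whether the SELinux configuration file exists
      ansible.builtin.stat:
        path: /etc/selinux/config
      register: selinux_config

    - name: Decide whether SELinux can be managed on this host
      # True only when a policy package is installed and the config file is present;
      # a host that merely reports status == "disabled" still qualifies.
      ansible.builtin.set_fact:
        selinux_manageable: >-
          {{ selinux_config.stat.exists
             and ('selinux-policy-targeted' in ansible_facts.packages
                  or 'selinux-policy' in ansible_facts.packages) }}

    - name: Configure SELinux (also runs when facts report it as disabled)
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      when: selinux_manageable | bool
      register: selinux_result

    - name: Flag hosts that need a reboot for the change to take effect
      ansible.builtin.debug:
        msg: "SELinux set to enforcing in /etc/selinux/config; reboot required"
      when: selinux_result.reboot_required | default(false)

    - name: Explain why SELinux was skipped on hosts without it
      ansible.builtin.debug:
        msg: "SELinux policy not installed; nothing to enable on this host"
      when: not (selinux_manageable | bool)
```

Switching a host from disabled to enforcing only takes effect after a reboot, and the first boot with SELinux on typically relabels the filesystem, so the `reboot_required` flag returned by the module is worth surfacing rather than silently skipping the host as the current conditional does.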