Open alvise1988 opened 5 months ago
You might be right. To be honest, anything SELinux related wasn't really implemented by me and isn't properly tested as of today since there's no real way to test it in the current container heavy test environment. However, based on my experience when running the role against RHEL machines, there are indeed some changes that would not work without setting SELinux to permissive.
That being said, changing the default to keep SELinux in enforcing mode makes sense to me!
Describe the bug
Every time this role is run with `nginx_selinux` set to `true`, the sequence of tasks in setup-selinux.yml sets SELinux to `permissive` and, after completing a few tasks, switches it back to `enforcing`. This happens even if the system is already in the desired state, which seems to be a security issue since this means that SELinux is disabled, even if only for a short time, for no reason.

Moreover, even if I am not entirely sure about it, none of the tasks in the file linked above seem to require SELinux to be set to permissive even when the role is required to make changes to the system.
To reproduce
Run the role on a RHEL-based or RHEL-compatible OS (e.g. RHEL, AlmaLinux, etc.) with SELinux running and the `nginx_selinux` role variable set to `true`.

Expected behavior
SELinux should always remain in `enforcing` mode unless the `nginx_selinux_enforcing` role variable is set to `false`.

Your environment
Additional context
N/A
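The kind of SELinux configuration a web server role typically performs (mode, booleans, port and file-context labels) can be applied while the system stays in enforcing mode throughout, which is the behavior the report expects. The playbook below is an added example written for this discussion; it is not the nginx role's own setup-selinux.yml. It uses the `ansible.posix` and `community.general` collection modules, reuses the `nginx_selinux_enforcing` variable name from the report, and the port, boolean and path values are illustrative assumptions rather than anything taken from the role.

```yaml
# Added example, not the role's code. SELinux changes for a web server
# applied without a permissive step; the final task asserts the mode is
# still the desired one after the run.
- name: Configure SELinux for nginx while staying in enforcing mode
  hosts: webservers
  become: true
  vars:
    nginx_selinux_enforcing: true   # variable name taken from the report
    desired_mode: "{{ 'enforcing' if nginx_selinux_enforcing else 'permissive' }}"
    web_root: /srv/www              # example path (assumption)
    extra_port: 8443                # example non-standard listen port (assumption)
  tasks:
    - name: Ensure the desired SELinux mode (idempotent; no toggle to permissive first)
      ansible.posix.selinux:
        policy: targeted
        state: "{{ desired_mode }}"

    - name: Allow the web server to open outbound connections to upstreams
      # Booleans can be changed persistently with SELinux enforcing.
      ansible.posix.seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true

    - name: Label the extra listen port as http_port_t
      community.general.seport:
        ports: "{{ extra_port }}"
        proto: tcp
        setype: http_port_t
        state: present

    - name: Register a file context for the custom web root
      community.general.sefcontext:
        target: "{{ web_root }}(/.*)?"
        setype: httpd_sys_content_t
        state: present

    - name: Apply the registered file context to existing files
      ansible.builtin.command: "restorecon -Rv {{ web_root }}"
      register: restorecon_result
      changed_when: restorecon_result.stdout | length > 0

    - name: Verify SELinux is in the desired mode after all changes
      ansible.builtin.command: getenforce
      register: selinux_after
      changed_when: false
      failed_when: (selinux_after.stdout | lower) != desired_mode
```

The last task is the check a reviewer would want in the role's own tests: if any intermediate task had left the system in permissive, `getenforce` would report it and the play would fail instead of silently restoring enforcing afterwards.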