nginxinc / ansible-role-nginx

Ansible role for installing NGINX
https://galaxy.ansible.com/nginxinc/nginx
Apache License 2.0
618 stars 340 forks

SELinux set to permissive during role run #683

Open alvise1988 opened 5 months ago

alvise1988 commented 5 months ago

Describe the bug

Every time this role is run with nginx_selinux set to true, the sequence of tasks in setup-selinux.yml sets SELinux to permissive and, after completing a few tasks, it switches it back to enforcing.

This happens even if the system is already in the desired state, which seems to be a security issue since this means that SELinux is disabled, even if only for a short time, for no reason.

Moreover, even if I am not entirely sure about it, none of the tasks in the file linked above seem to require SELinux to be set to permissive even when the role is required to make changes to the system.

To reproduce

Run the role on a RHEL-based or RHEL-compatible OS (e.g. RHEL, AlmaLinux, etc.) with SELinux running and the nginx_selinux role variable set to true.

Expected behavior

SELinux should always remain in enforcing mode unless the nginx_selinux_enforcing role variable is set to false.

Your environment

Additional context

N/A
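The two patterns the report contrasts, as an added example that is not part of the issue or of the role's own setup-selinux.yml: the first play toggles the SELinux mode around its tasks on every run, the second applies NGINX-related SELinux changes while leaving the mode untouched and only asserts the desired mode at the end. The variable names nginx_selinux and nginx_selinux_enforcing are the role's; the web root path, the httpd_can_network_connect boolean and the task ordering are assumptions made for the example.

```yaml
# Added example, not the role's code. First play: the mode-toggling pattern
# described in the issue. Second play: the same kind of NGINX SELinux work
# done without ever leaving enforcing mode. Paths and booleans are illustrative.
- name: Pattern reported in the issue - mode is toggled on every run
  hosts: webservers
  become: true
  tasks:
    - name: Switch SELinux to permissive (reported as a change on every run)
      ansible.posix.selinux:
        policy: targeted
        state: permissive

    # ... NGINX-related SELinux tasks would run here ...

    - name: Switch SELinux back to enforcing
      ansible.posix.selinux:
        policy: targeted
        state: enforcing

- name: Alternative - apply NGINX SELinux changes without leaving enforcing mode
  hosts: webservers
  become: true
  vars:
    nginx_selinux: true
    nginx_selinux_enforcing: true
    nginx_web_root: /var/www/example   # assumed path for this example only
  tasks:
    - name: Allow the web server domain to make outbound connections (e.g. to upstreams)
      ansible.posix.seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true
      when: nginx_selinux | bool

    - name: Register the web root as httpd content in the file-context policy
      community.general.sefcontext:
        target: "{{ nginx_web_root }}(/.*)?"
        setype: httpd_sys_content_t
        state: present
      when: nginx_selinux | bool

    - name: Apply the registered contexts to files on disk
      ansible.builtin.command:
        argv: [restorecon, -Rv, "{{ nginx_web_root }}"]
      register: restorecon_result
      changed_when: restorecon_result.stdout != ""
      when: nginx_selinux | bool

    - name: Set the desired mode once, as the last step (no change when already there)
      ansible.posix.selinux:
        policy: targeted
        state: "{{ 'enforcing' if nginx_selinux_enforcing | bool else 'permissive' }}"
      when: nginx_selinux | bool

    - name: Fail the run if SELinux is not enforcing when it is expected to be
      ansible.builtin.command:
        argv: [getenforce]
      register: selinux_mode
      changed_when: false
      failed_when: selinux_mode.stdout != 'Enforcing'
      when: nginx_selinux | bool and nginx_selinux_enforcing | bool
```

Booleans, file contexts and restorecon all take effect in enforcing mode, so none of the tasks in the second play need a temporary switch to permissive; the ansible.posix.selinux task at the end reports "ok" rather than "changed" when the host is already in the requested mode, which is what makes the play idempotent.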

alessfg commented 5 months ago

You might be right. To be honest, anything SELinux-related wasn't really implemented by me and isn't properly tested as of today, since there's no real way to test it in the current container-heavy test environment. However, based on my experience when running the role against RHEL machines, there are indeed some changes that would not work without setting SELinux to permissive.

That being said, changing the default to keep SELinux in enforcing mode makes sense to me!