validate_selinux
About The Role
An Ansible role to ensure there are no untracked SELinux denials on the host(s).
Requirements
No requirements.
Dependencies
No dependencies.
Example Playbook
- hosts: localhost
  gather_facts: false
  vars:
    validate_selinux_working_dir: /tmp
    validate_selinux_audit_source: /var/log/audit/audit.log
    validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
    validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
    validate_selinux_strict: false
    validate_selinux_filter: "None"
    validate_selinux_skip_list:
      - entry: 'tcontext=system_u:system_r:init_t'
        comment: 'This one is a real-life entry'
      - entry: 'tcontext=system_u:system_r:system_dbusd_t'
        comment: 'This one is another real-life entry'
  roles:
    - validate_selinux
License
Apache
Full Description
Role Documentation
Welcome to the ‘validate_selinux’ role documentation.
Role Defaults
This section highlights all of the defaults and variables set within the ‘validate_selinux’ role.
# All variables intended for modification should be placed in this file.
# All variables within this role should have a prefix of "validate_selinux"
# Base directory where the following files will be created:
#   - /tmp/denials-skip-list.txt (see validate_selinux_skip_list_dest variable below)
#   - /tmp/denials-filtered.log (see validate_selinux_filtered_denials_dest
#     variable below)
validate_selinux_working_dir: /tmp
# Absolute path to the auditd log file
validate_selinux_audit_source: /var/log/audit/audit.log
# Absolute path to the denials skip list file
validate_selinux_skip_list_dest: '{{ validate_selinux_working_dir }}/denials-skip-list.txt'
# Absolute path to the file which will contain the untracked SELinux AVCs found
validate_selinux_filtered_denials_dest: '{{ validate_selinux_working_dir }}/denials-filtered.log'
# If set to true, the validation will fail if untracked denials are found;
# otherwise it only reports them.
validate_selinux_strict: false
# SELinux filter. Defaults to None
validate_selinux_filter: None
# Denials skip list (a list of entry/comment items, see the example playbook); empty by default
validate_selinux_skip_list: {}
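The check the defaults above describe, as an added Python example that is not the role's own code: it keeps the AVC denial records from an audit log, drops the ones matching a skip-list `entry`, and applies the strict/non-strict rule. The audit lines are constructed samples, and matching each `entry` as a plain substring of the record is an assumption about how the role applies the skip list.

```python
import re
from typing import Iterable

# Constructed auditd excerpt (not a real capture): three AVC denials plus one
# unrelated SYSCALL record. Two of the denials match the page's skip list.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.001:101): avc:  denied  { signal } for  pid=812 comm="agent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=62 success=no exit=-13
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=901 comm="myservice" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { send_msg } for  pid=812 comm="agent" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=0
"""

# Skip list in the same shape as validate_selinux_skip_list on this page.
SKIP_LIST = [
    {"entry": "tcontext=system_u:system_r:init_t", "comment": "real-life entry"},
    {"entry": "tcontext=system_u:system_r:system_dbusd_t", "comment": "another one"},
]

# An AVC record that is an actual denial (not e.g. a "granted" audit-allow record).
AVC_DENIAL = re.compile(r"^type=AVC\b.*\bavc:\s+denied\b")


def extract_denials(audit_text: str) -> list[str]:
    """Keep only AVC denial records; SYSCALL and other record types are ignored."""
    return [ln for ln in audit_text.splitlines() if AVC_DENIAL.search(ln)]


def filter_denials(denials: Iterable[str], skip_list) -> list[str]:
    """Drop denials containing any skip-list 'entry' as a substring (assumed grep -v style).
    Accepts the role's empty default ({}) as well as a list of entry/comment items."""
    patterns = [item["entry"] for item in (skip_list or [])]
    return [d for d in denials if not any(p in d for p in patterns)]


def validate(audit_text: str, skip_list, strict: bool) -> tuple[bool, list[str]]:
    """Return (passed, untracked_denials). With strict=False the check always
    passes (validate_selinux_strict semantics); the untracked denials are still
    returned so they can be written to the filtered-denials file."""
    untracked = filter_denials(extract_denials(audit_text), skip_list)
    return (not strict or not untracked), untracked


if __name__ == "__main__":
    ok, leftover = validate(SAMPLE_AUDIT_LOG, SKIP_LIST, strict=True)
    print("PASS" if ok else "FAIL", f"- {len(leftover)} untracked denial(s)")
    for line in leftover:
        print("  ", line)
```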
Molecule Scenarios
Molecule is being used to test the ‘validate_selinux’ role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
- Driver: podman
Scenario: default
Molecule Platform(s)
- name: centos
  hostname: centos
  image: centos/centos:stream8
  registry:
    url: quay.io
  dockerfile: ../../../../../.config/molecule/Dockerfile
  pkg_extras: python*-setuptools python*-pyyaml
  volumes:
    - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  privileged: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') }}"
    https_proxy: "{{ lookup('env', 'https_proxy') }}"
  ulimits:
    - host
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- name: Converge
  hosts: all
  gather_facts: false
  vars:
    validate_selinux_working_dir: /tmp
  tasks:
    - name: Simple run without filter against clean auditlog
      include_role:
        name: validate_selinux
      vars:
        validate_selinux_audit_source: /var/log/audit-clean.log
    - name: Run with filter against unclean auditlog
      include_role:
        name: validate_selinux
      vars:
        validate_selinux_audit_source: /var/log/audit-unclean.log
        validate_selinux_skip_list:
          - entry: tcontext=system_u:system_r:init_t
            comment: This one is a real-life entry
          - entry: tcontext=system_u:system_r:system_dbusd_t
            comment: This one is another real-life entry
    - name: Run without filter against unclean auditlog
      block:
        - name: Run role
          include_role:
            name: validate_selinux
          vars:
            validate_selinux_audit_source: /var/log/audit-unclean.log
            validate_selinux_strict: true
      rescue:
        - name: Clear host error
          meta: clear_host_errors
        - name: Status message
          debug:
            msg: Successfully detected denials issue!
        - name: End play
          meta: end_play
    - name: Fail if we get to this place
      fail:
        msg: 'Unit test failed: did not detect untracked denials!'