From bf28fdfe90fe5a16c57f5c4c18cff9510bed2423 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 1 Jun 2016 13:22:12 -0500
Subject: [PATCH] Search for unlabeled device files

The checks for V-51379 didn't apply for Ubuntu and they were unintentionally skipped in CentOS after the multi-distro work was completed. This patch adds a search for unlabeled device files on CentOS 7 systems and halts the playbook if an unlabeled device is found. This is a very rare occurrence. Documentation updates and release notes are provided.

Closes-bug: 1584196
Change-Id: Iba4be3bc5fa607685e3b4eeefda35f93894c7f28
---
 doc/source/developer-notes/V-51379.rst | 13 +++++++-----
 ...or-unlabeled-devices-cb047c5f767e93ce.yaml | 6 ++++++
 tasks/misc.yml | 21 +++++++++++++++++++
 3 files changed, 35 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml

diff --git a/doc/source/developer-notes/V-51379.rst b/doc/source/developer-notes/V-51379.rst
index 393e1b4f..ad0db536 100644
--- a/doc/source/developer-notes/V-51379.rst
+++ b/doc/source/developer-notes/V-51379.rst
@@ -1,7 +1,10 @@
-**Exception**
+**Exception for Ubuntu**
+
+The security role will search for unlabeled devices on CentOS and the playbook
+will fail with an error message if any unlabeled devices are found.
 
 Although SELinux works through a labeling system where every file (including
-devices) receive a label, AppArmor works purely through policies without
-labels. However, openstack-ansible does configure several AppArmor policies
-to reduce the chances and impact of LXC container breakouts on OpenStack
-hosts.
+devices) receives a label, AppArmor on Ubuntu works purely through policies
+without labels. However, OpenStack-Ansible does configure several AppArmor
+policies to reduce the chances and impact of LXC container breakouts on
+OpenStack hosts.
diff --git a/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml b/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml
new file mode 100644
index 00000000..15742b3f
--- /dev/null
+++ b/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Tasks were added to search for any device files without a proper SELinux
+    label on CentOS systems. If any of these device labels are found, the
+    playbook execution will stop with an error message.
diff --git a/tasks/misc.yml b/tasks/misc.yml
index da950a1d..fbf7ad33 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -412,3 +412,24 @@
   tags:
     - cat2
     - V-38674
+
+- name: Check for unlabeled device files (for V-51379)
+  shell: "find /dev -context '*unlabeled_t*'"
+  register: v51379_unlabeled_devices
+  always_run: True
+  when:
+    - ansible_os_family == 'RedHat'
+  tags:
+    - cat1
+    - V-51379
+
+- name: V-51379 - All device files must be monitored by the Linux Security Module
+  fail:
+    msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}"
+  when:
+    - ansible_os_family == 'RedHat'
+    - v51379_unlabeled_devices.stdout is defined
+    - v51379_unlabeled_devices.stdout | length > 0
+  tags:
+    - cat1
+    - V-51379
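Review bot: The search task in the tasks/misc.yml hunk runs `find` through `shell` although the command uses no shell features, and nothing pins its change status, so this read-only probe is reported as `changed` on every run and a non-zero exit from `find` (an unreadable entry under /dev, or a `find` build without `-context` support, which I cannot confirm from here) fails the play at the search task rather than at the V-51379 task with its explanatory message. I would change the task to `command: "find /dev -context '*unlabeled_t*'"` and add `changed_when: false`; failing closed on a `find` error is still the right outcome for a security check, so I would not suppress it with `failed_when`. `always_run: True` would also read more consistently as lowercase `true`, which is what yamllint's truthy rule expects. The `stdout is defined` guard in the second task is redundant on RedHat hosts, where the first task always registers the variable, but it is harmless.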