diff --git a/doc/source/roles/role-validate-selinux.rst b/doc/source/roles/role-validate-selinux.rst
new file mode 100644
index 000000000..a6b31271d
--- /dev/null
+++ b/doc/source/roles/role-validate-selinux.rst
@@ -0,0 +1,6 @@
+================
+validate-selinux
+================
+
+.. ansibleautoplugin::
+ :role: roles/validate-selinux
diff --git a/playbooks/validate-selinux.yaml b/playbooks/validate-selinux.yaml
new file mode 100644
index 000000000..92f275f8b
--- /dev/null
+++ b/playbooks/validate-selinux.yaml
@@ -0,0 +1,21 @@
+---
+- hosts: all
+ vars:
+ metadata:
+ name: validate-selinux
+ description: >-
+ Ensures we don't have any SELinux denials on the system
+ groups:
+ - pre-deployment
+ - post-deployment
+ - pre-upgrade
+ - post-upgrade
+ validate_selinux_working_dir: /var/log/validations
+ validate_selinux_audit_source: /var/log/audit/audit.log
+ validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+ validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+ validate_selinux_strict: false
+ validate_selinux_filter: "None"
+ validate_selinux_skip_list: {}
+ roles:
+ - validate-selinux
diff --git a/roles/validate-selinux/defaults/main.yml b/roles/validate-selinux/defaults/main.yml
new file mode 100644
index 000000000..c7f0a32e5
--- /dev/null
+++ b/roles/validate-selinux/defaults/main.yml
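Review bot: The play's `metadata.description` says the validation `Ensures we don't have any SELinux denials on the system`, but with the play-level default `validate_selinux_strict: false` the role only reports untracked denials and never fails the play (the `fail` task in `roles/validate-selinux/tasks/main.yml` is gated on `validate_selinux_strict|bool`), so a green result in the `pre-upgrade`/`post-upgrade` groups does not carry the meaning the description promises. Either default `validate_selinux_strict` to `true` here, or reword the description to `Reports untracked SELinux denials; fails only when validate_selinux_strict is true`. Every role default is also repeated as a play `vars:` entry; play vars take precedence over inventory group_vars/host_vars, so operators cannot tune the skip list or the strict flag per host without editing the playbook — consider keeping only the overrides this playbook genuinely needs and leaving the rest to `defaults/main.yml`.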
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "validate_selinux"
+validate_selinux_working_dir: /var/log/validations
+validate_selinux_audit_source: /var/log/audit/audit.log
+validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+validate_selinux_strict: false
+validate_selinux_filter: "None"
+validate_selinux_skip_list: {}
diff --git a/roles/validate-selinux/handlers/main.yml b/roles/validate-selinux/handlers/main.yml
new file mode 100644
index 000000000..dfd4c7352
--- /dev/null
+++ b/roles/validate-selinux/handlers/main.yml
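Review bot: `validate_selinux_skip_list: {}` declares the skip list as a mapping, but `templates/skip-list.j2` iterates it and reads `entry.entry`, and the molecule playbook passes a list of `entry`/`comment` items, so the default documents the wrong type for the one variable operators are most likely to set. Use `validate_selinux_skip_list: []` and, in `tasks/main.yml`, test it with `validate_selinux_skip_list | length > 0` rather than `!= {}` — `[] != {}` is true in Jinja, so an operator passing an empty list today takes the "Create skip list" path with an empty pattern file. The variables are otherwise undocumented; a one-line comment above each (for example that `validate_selinux_filter: "None"` is a sentinel meaning "no external skip-list file" and that `validate_selinux_strict` decides whether untracked denials fail the play) would save the next reader a trip through the tasks file, and the comment typo `should place placed` should read `should be placed`.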
@@ -0,0 +1,15 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. diff --git a/roles/validate-selinux/molecule/default/Dockerfile b/roles/validate-selinux/molecule/default/Dockerfile new file mode 100644 index 000000000..1b91a0e0b --- /dev/null +++ b/roles/validate-selinux/molecule/default/Dockerfile 
@@ -0,0 +1,37 @@ +# Molecule managed +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi + +{% for pkg in item.easy_install | default([]) %} +# install pip for centos where there is no python-pip rpm in default repos +RUN easy_install {{ pkg }} +{% endfor %} + + +CMD ["sh", "-c", "while true; do 
sleep 10000; done"] diff --git a/roles/validate-selinux/molecule/default/molecule.yml b/roles/validate-selinux/molecule/default/molecule.yml new file mode 100644 index 000000000..1dbdf8927 --- /dev/null +++ b/roles/validate-selinux/molecule/default/molecule.yml @@ -0,0 +1,49 @@ +--- +driver: + name: docker + +log: true + +platforms: + - name: centos7 + hostname: centos7 + image: centos:7 + dockerfile: Dockerfile + pkg_extras: python-setuptools + easy_install: + - pip + environment: &env + http_proxy: "{{ lookup('env', 'http_proxy') }}" + https_proxy: "{{ lookup('env', 'https_proxy') }}" + + - name: fedora28 + hostname: fedora28 + image: fedora:28 + dockerfile: Dockerfile + pkg_extras: python*-setuptools + environment: + <<: *env + +provisioner: + name: ansible + log: true + env: + ANSIBLE_STDOUT_CALLBACK: yaml + ANSIBLE_LIBRARY: "../../../../library" + +scenario: + test_sequence: + - destroy + - create + - prepare + - converge + - verify + - destroy + +lint: + enabled: false + +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/validate-selinux/molecule/default/playbook.yml b/roles/validate-selinux/molecule/default/playbook.yml new file mode 100644 index 000000000..1ec3876fe --- /dev/null +++ b/roles/validate-selinux/molecule/default/playbook.yml 
@@ -0,0 +1,63 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+ hosts: all
+ gather_facts: no
+ vars:
+ validate_selinux_working_dir: '/tmp'
+
+ tasks:
+ - name: Simple run without filter against clean auditlog
+ include_role:
+ name: validate-selinux
+ vars:
+ validate_selinux_audit_source: '/var/log/audit-clean.log'
+
+ - name: Run with filter against unclean auditlog
+ include_role:
+ name: validate-selinux
+ vars:
+ validate_selinux_audit_source: '/var/log/audit-unclean.log'
+ validate_selinux_skip_list:
+ - entry: 'tcontext=system_u:system_r:init_t'
+ comment: 'This one is a real-life entry'
+ - entry: 'tcontext=system_u:system_r:system_dbusd_t'
+ comment: 'This one is another real-life entry'
+
+ - name: Run without filter against unclean auditlog
+ block:
+ - name: Run role
+ include_role:
+ name: validate-selinux
+ vars:
+ validate_selinux_audit_source: '/var/log/audit-unclean.log'
+ validate_selinux_strict: true
+ rescue:
+ - name: Clear host error
+ meta: clear_host_errors
+
+ - name: Status message
+ debug:
+ msg: 'Successfully detected denials issue!'
+
+ - name: End play
+ meta: end_play
+
+ - name: Fail if we get to this place
+ fail:
+ msg: 'Unit test failed: did not detect untracked denials!'
diff --git a/roles/validate-selinux/molecule/default/prepare.yml b/roles/validate-selinux/molecule/default/prepare.yml
new file mode 100644
index 000000000..aa045ab9a
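Review bot: The `Run with filter against unclean auditlog` step does not set `validate_selinux_strict: true`, so it passes no matter what the skip list filtered out; with strict left at its default the role only logs, and this scenario therefore never verifies that filtering works. The unclean fixture in `prepare.yml` also contains records with `tcontext=system_u:system_r:certmonger_t` and `tcontext=system_u:system_r:container_t`, which the two skip-list entries do not cover, so it is likely this step only passes because strict is off; either extend the skip list to cover every fixture record and add `validate_selinux_strict: true` so a regression in filtering fails the scenario, or `stat` the filtered file after the run and assert on its size. As a point of style, `gather_facts: no` is the only truthy-word boolean in a file that otherwise writes `true`/`false`; `gather_facts: false` keeps it consistent and yamllint-clean.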
--- /dev/null +++ b/roles/validate-selinux/molecule/default/prepare.yml 
@@ -0,0 +1,57 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +- name: Prepare + hosts: all + gather_facts: no + + tasks: + - name: Populate fake clean auditlog + copy: + dest: /var/log/audit-clean.log + owner: root + mode: 0600 + group: root + content: | + type=SERVICE_START msg=audit(1575877870.934:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + type=SERVICE_STOP msg=audit(1575878320.981:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + type=USER_ACCT msg=audit(1575878471.739:288): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + type=USER_CMD msg=audit(1575878471.740:289): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd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exe="/usr/bin/sudo" terminal=? 
res=success'UID="root" AUID="unset" + type=USER_ACCT msg=audit(1575878554.296:294): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + type=USER_CMD msg=audit(1575878554.296:295): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267206C697374202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset" + type=USER_ACCT msg=audit(1575878555.032:300): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + type=USER_CMD msg=audit(1575878555.032:301): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267207072756E65202D70202D2D6B6565702D77697468696E203277202D2D7374617473202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset" + type=SERVICE_START msg=audit(1575878869.915:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" + type=SERVICE_STOP msg=audit(1575878900.615:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? 
res=success'UID="root" AUID="unset" + + - name: Populate unclean auditlog + copy: + dest: /var/log/audit-unclean.log + owner: root + mode: 0600 + group: root + content: | + type=AVC msg=audit(1575534183.234:4933): avc: denied { write } for pid=11266 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1 + type=AVC msg=audit(1575534183.342:4934): avc: denied { write } for pid=11284 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1 + type=USER_AVC msg=audit(1575535009.861:5275): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=38869 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535009.861:5276): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=38869 tpid=1 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535009.862:5277): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1198 spid=1 tpid=38869 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c313,c573 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535013.340:5290): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39132 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535013.341:5291): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39132 tpid=1 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535013.342:5292): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1209 spid=1 tpid=39132 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c192,c917 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535028.912:5307): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39430 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + type=USER_AVC msg=audit(1575535028.913:5308): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39430 tpid=1 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" diff --git a/roles/validate-selinux/molecule/default/verify.yml b/roles/validate-selinux/molecule/default/verify.yml new file mode 100644 index 000000000..dfd4c7352 --- /dev/null +++ b/roles/validate-selinux/molecule/default/verify.yml @@ -0,0 +1,15 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. 
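Review bot: `mode: 0600` on both `copy` tasks is an unquoted YAML octal literal; it happens to work because YAML 1.1 parsers turn it into the integer 384 (0o600), but ansible-lint flags the form and a mode written without the leading zero would be misread, so write it as the string `mode: "0600"` (the same applies to `mode: 0644` in `roles/validate-selinux/tasks/main.yml`). The `Prepare` play's enclosing definition continues past the visible hunk lines for the unclean log, so I could not check whether any later task depends on the fixture paths.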
diff --git a/roles/validate-selinux/tasks/main.yml b/roles/validate-selinux/tasks/main.yml new file mode 100644 index 000000000..d0ef3a050 --- /dev/null +++ b/roles/validate-selinux/tasks/main.yml 
@@ -0,0 +1,123 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# "validate-selinux" tasks
+
+- name: "Ensure {{ validate_selinux_audit_source }} does exist"
+ become: true
+ stat:
+ path: "{{ validate_selinux_audit_source }}"
+ register: auditlog_stat
+
+- name: "Fail if {{ validate_selinux_audit_source }} does not exit"
+ when: not auditlog_stat.stat.exists
+ fail:
+ msg: "ERROR: {{ validate_selinux_audit_source }} does not exist!"
+
+- name: Load skip list from provided file
+ when:
+ - validate_selinux_filter != 'None'
+ - validate_selinux_skip_list is not defined
+ include_vars: "{{ validate_selinux_filter }}"
+
+- name: Gather subset of facts
+ setup:
+ gather_subset: "!min,distribution_major_version"
+ when:
+ - validate_selinux_filter == 'None'
+ - validate_selinux_skip_list is not defined
+ - ansible_distribution_major_version is not defined
+
+- name: Load skip list variables (undercloud or overcloud)
+ when:
+ - validate_selinux_skip_list is not defined
+ include_vars: "{{ lookup('first_found', lookhere, errors='ignore') }}"
+ vars:
+ lookhere:
+ - "selinux_skip_{{ release }}_on_{{ ansible_distribution_major_version }}.yml"
+ - "selinux_skip_{{ release }}.yml"
+
+- name: Fetch denials from auditlog
+ become: true
+ ignore_errors: true
+ changed_when: false
+ shell: |
+ set -o pipefail
+ grep denied {{ validate_selinux_audit_source }} > /tmp/denials.log
+
+- name: Get stat for denials.log
+ stat:
+ path: /tmp/denials.log
+ register: denials_log
+
+- name: Everything is fine
+ when: denials_log.stat.size == 0
+ debug:
+ msg: "No untracked SELinux AVC detected, congratulations!"
+
+- name: Next steps only if we have denials
+ when: denials_log.stat.size > 0
+ block:
+ - name: Create skip list
+ when: validate_selinux_skip_list != {}
+ template:
+ src: skip-list.j2
+ dest: "{{ validate_selinux_skip_list_dest }}"
+ mode: 0644
+
+ - name: Filter out denials
+ when: validate_selinux_skip_list != {}
+ ignore_errors: true
+ changed_when: false
+ shell: |
+ set -o pipefail
+ grep -v -f {{ validate_selinux_skip_list_dest }} /tmp/denials.log > {{ validate_selinux_filtered_denials_dest }}
+
+ - name: No skip_list
+ when: validate_selinux_skip_list == {}
+ copy:
+ remote_src: true
+ src: /tmp/denials.log
+ dest: "{{ validate_selinux_filtered_denials_dest }}"
+
+ - name: Get stat for filtered denials
+ stat:
+ path: "{{ validate_selinux_filtered_denials_dest }}"
+ register: denials_stat
+
+ - name: debug
+ debug:
+ var: denials_stat
+
+ - name: Fail if we found untracked denials
+ when:
+ - validate_selinux_strict|bool
+ - denials_stat.stat.size != 0
+ fail:
+ msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
+
+ - name: Output information in case we do not fail
+ when:
+ - not validate_selinux_strict|bool
+ - denials_stat.stat.size != 0
+ debug:
+ msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
+
+ - name: Output information if everything is fine
+ when: denials_stat.stat.size == 0
+ debug:
+ msg: "No untracked SELinux AVC detected, congratulations!"
diff --git a/roles/validate-selinux/templates/skip-list.j2 b/roles/validate-selinux/templates/skip-list.j2
new file mode 100644
index 000000000..4409f3eaf
--- /dev/null
+++ b/roles/validate-selinux/templates/skip-list.j2
@@ -0,0 +1,3 @@
+{% for entry in validate_selinux_skip_list %}
+{{ entry.entry }}
+{% endfor %}
diff --git a/roles/validate-selinux/vars/main.yml b/roles/validate-selinux/vars/main.yml
new file mode 100644
index 000000000..d5c33ce10
--- /dev/null
+++ b/roles/validate-selinux/vars/main.yml
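Review bot: The `Fetch denials from auditlog` task runs with `become: true` and redirects into the fixed path `/tmp/denials.log`, so a pre-existing file or symlink of that name in the world-writable directory is followed and truncated by root, and the extracted AVC records then sit where every local user can read them; write the intermediate file under `{{ validate_selinux_working_dir }}` (which already defaults to `/var/log/validations`, and which the role should create with a `file` task if nothing else guarantees it) and point the later `stat`, `grep -v -f` and `copy` tasks at the same path. In the same task `ignore_errors: true` also hides a grep that could not read the source (exit status 2, for example a permission error), leaving an empty output file so the play reports `No untracked SELinux AVC detected, congratulations!` — a false clean result; `register: denials_fetch` with `failed_when: denials_fetch.rc > 1` keeps the expected no-match exit 1 while surfacing real failures, and `Filter out denials` needs the same treatment. The three `include_vars`/`setup` tasks are guarded by `validate_selinux_skip_list is not defined`, but `defaults/main.yml` sets it to `{}`, so they can never run and the `release` variable they reference is defined nowhere visible; presumably `validate_selinux_skip_list | length == 0` is the intended condition. Minor: the task name `does not exit` should read `does not exist`, and the `- name: debug` task dumping `denials_stat` reads as a leftover that will print on every run.
```yaml
- name: Fetch denials from auditlog
  become: true
  changed_when: false
  register: denials_fetch
  # grep exits 1 when nothing matched (the clean case); 2 means it could not read the source
  failed_when: denials_fetch.rc > 1
  shell: |
    set -o pipefail
    grep denied {{ validate_selinux_audit_source | quote }} > {{ validate_selinux_working_dir | quote }}/denials.log
# … unchanged: stat of the denials file (path updated to match), skip-list handling and result reporting …
```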
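Review bot: `{{ entry.entry }}` is written out verbatim and the rendered file is consumed by `grep -v -f` in `tasks/main.yml`, so each entry is a basic regular expression, and an empty or whitespace-only `entry` produces a blank pattern that matches every line and silently suppresses all denials. Guard the loop with `{% if entry.entry | trim %}` so blank entries are dropped, and either document in `defaults/main.yml` that entries are regex patterns or switch the filter task to `grep -F -v -f` if literal substring matching is what operators expect. The `comment` key each item carries in the molecule playbook is never rendered; since this file is a pattern list it should stay that way, but the defaults comment should say the key is informational only.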
@@ -0,0 +1,22 @@ +--- +# Copyright 2019 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +# While options found within the vars/ path can be overridden using extra +# vars, items within this path are considered part of the role and not +# intended to be modified. + +# All variables within this role should have a prefix of "validate-selinux" \ No newline at end of file diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml index a1b45d4ae..81de16f7b 100644 --- a/zuul.d/molecule.yaml +++ b/zuul.d/molecule.yaml @@ -1,7 +1,6 @@ --- - project-template: check: - queue: integrated jobs: - tripleo-validations-centos-7-molecule-controller-token - tripleo-validations-centos-7-molecule-controller-ulimits @@ -23,8 +22,9 @@ - tripleo-validations-centos-7-molecule-rabbitmq-limits - tripleo-validations-centos-7-molecule-stonith-exists - tripleo-validations-centos-7-molecule-check-latest-packages-version + - tripleo-validations-centos-7-molecule-validate-selinux + queue: integrated gate: - queue: integrated jobs: - tripleo-validations-centos-7-molecule-controller-token - tripleo-validations-centos-7-molecule-controller-ulimits 
@@ -46,6 +46,8 @@ - tripleo-validations-centos-7-molecule-rabbitmq-limits - tripleo-validations-centos-7-molecule-stonith-exists - tripleo-validations-centos-7-molecule-check-latest-packages-version + - tripleo-validations-centos-7-molecule-validate-selinux + queue: integrated name: tripleo-validations-molecule-jobs - job: files: @@ -122,9 +124,9 @@ - ^roles/xfs-check-ftype/.* name: tripleo-validations-centos-7-molecule-xfs-check-ftype parent: tripleo-validations-centos-7-base - voting: false vars: tripleo_validations_role_name: xfs-check-ftype + voting: false - job: files: - ^roles/no-op-firewall-nova-driver/.* @@ -188,3 +190,10 @@ parent: tripleo-validations-centos-7-base vars: tripleo_validations_role_name: check-latest-packages-version +- job: + files: + - ^roles/validate-selinux/.* + name: tripleo-validations-centos-7-molecule-validate-selinux + parent: tripleo-validations-centos-7-base + vars: + tripleo_validations_role_name: validate-selinux