Merge "New validation: validate-selinux"
commit
eec501b407
|
@ -0,0 +1,6 @@
|
|||
================
|
||||
validate-selinux
|
||||
================
|
||||
|
||||
.. ansibleautoplugin::
|
||||
:role: roles/validate-selinux
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
- hosts: all
|
||||
vars:
|
||||
metadata:
|
||||
name: validate-selinux
|
||||
description: >-
|
||||
Ensures we don't have any SELinux denials on the system
|
||||
groups:
|
||||
- pre-deployment
|
||||
- post-deployment
|
||||
- pre-upgrade
|
||||
- post-upgrade
|
||||
validate_selinux_working_dir: /var/log/validations
|
||||
validate_selinux_audit_source: /var/log/audit/audit.log
|
||||
validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
|
||||
validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
|
||||
validate_selinux_strict: false
|
||||
validate_selinux_filter: "None"
|
||||
validate_selinux_skip_list: {}
|
||||
roles:
|
||||
- validate-selinux
|
|
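Review bot: Every role default is re-declared under the play's `vars:` block, and play vars outrank inventory group_vars/host_vars, so operators can only override `validate_selinux_audit_source`, `validate_selinux_strict` and friends with extra-vars rather than per-host inventory. In particular `validate_selinux_skip_list: {}` here (and again in defaults/main.yml) means the `validate_selinux_skip_list is not defined` guards in tasks/main.yml can never be true, so the `include_vars` tasks that are meant to load a release-specific skip list are dead code. Keep the defaults only in defaults/main.yml and leave `validate_selinux_skip_list` undefined there if the guards are meant to work, or change the guards to test for an empty value. The same applies to the defaults/main.yml and tasks/main.yml hunks below.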
@ -0,0 +1,27 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# All variables intended for modification should place placed in this file.
|
||||
|
||||
# All variables within this role should have a prefix of "validate_selinux"
|
||||
validate_selinux_working_dir: /var/log/validations
|
||||
validate_selinux_audit_source: /var/log/audit/audit.log
|
||||
validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
|
||||
validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
|
||||
validate_selinux_strict: false
|
||||
validate_selinux_filter: "None"
|
||||
validate_selinux_skip_list: {}
|
|
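Review bot: The header comment `# All variables intended for modification should place placed in this file.` has a typo; it should read `should be placed in this file`. `validate_selinux_filter: "None"` is a string sentinel that tasks/main.yml compares with `'None'`, which is easy to confuse with a null; a comment above it such as `# Path of a vars file providing validate_selinux_skip_list; the string "None" disables loading` would make the contract explicit. `validate_selinux_skip_list: {}` is declared as a mapping but skip-list.j2 iterates it as a list of `{entry, comment}` items, so `[]` (with matching comparisons in the tasks) would describe the actual type.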
@ -0,0 +1,15 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
|
@ -0,0 +1,37 @@
|
|||
# Molecule managed
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
{% if item.registry is defined %}
|
||||
FROM {{ item.registry.url }}/{{ item.image }}
|
||||
{% else %}
|
||||
FROM {{ item.image }}
|
||||
{% endif %}
|
||||
|
||||
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
|
||||
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
|
||||
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
|
||||
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
|
||||
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
|
||||
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
|
||||
|
||||
{% for pkg in item.easy_install | default([]) %}
|
||||
# install pip for centos where there is no python-pip rpm in default repos
|
||||
RUN easy_install {{ pkg }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
CMD ["sh", "-c", "while true; do sleep 10000; done"]
|
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
driver:
|
||||
name: docker
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: centos7
|
||||
hostname: centos7
|
||||
image: centos:7
|
||||
dockerfile: Dockerfile
|
||||
pkg_extras: python-setuptools
|
||||
easy_install:
|
||||
- pip
|
||||
environment: &env
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
|
||||
- name: fedora28
|
||||
hostname: fedora28
|
||||
image: fedora:28
|
||||
dockerfile: Dockerfile
|
||||
pkg_extras: python*-setuptools
|
||||
environment:
|
||||
<<: *env
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_LIBRARY: "../../../../library"
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
gather_facts: no
|
||||
vars:
|
||||
validate_selinux_working_dir: '/tmp'
|
||||
|
||||
tasks:
|
||||
- name: Simple run without filter against clean auditlog
|
||||
include_role:
|
||||
name: validate-selinux
|
||||
vars:
|
||||
validate_selinux_audit_source: '/var/log/audit-clean.log'
|
||||
|
||||
- name: Run with filter against unclean auditlog
|
||||
include_role:
|
||||
name: validate-selinux
|
||||
vars:
|
||||
validate_selinux_audit_source: '/var/log/audit-unclean.log'
|
||||
validate_selinux_skip_list:
|
||||
- entry: 'tcontext=system_u:system_r:init_t'
|
||||
comment: 'This one is a real-life entry'
|
||||
- entry: 'tcontext=system_u:system_r:system_dbusd_t'
|
||||
comment: 'This one is another real-life entry'
|
||||
|
||||
- name: Run without filter against unclean auditlog
|
||||
block:
|
||||
- name: Run role
|
||||
include_role:
|
||||
name: validate-selinux
|
||||
vars:
|
||||
validate_selinux_audit_source: '/var/log/audit-unclean.log'
|
||||
validate_selinux_strict: true
|
||||
rescue:
|
||||
- name: Clear host error
|
||||
meta: clear_host_errors
|
||||
|
||||
- name: Status message
|
||||
debug:
|
||||
msg: 'Successfully detected denials issue!'
|
||||
|
||||
- name: End play
|
||||
meta: end_play
|
||||
|
||||
- name: Fail if we get to this place
|
||||
fail:
|
||||
msg: 'Unit test failed: did not detect untracked denials!'
|
|
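Review bot: `Run with filter against unclean auditlog` leaves `validate_selinux_strict` at its default of `false`, so that play passes whether or not the skip list filtered anything and the filter path is not actually verified. The unclean fixture in prepare.yml also contains denials with `tcontext=system_u:system_r:certmonger_t` and `tcontext=system_u:system_r:container_t` that the two skip entries do not cover, so enabling strict mode on that task as it stands would fail. To exercise the filter, add skip entries covering every denial in the fixture and set `validate_selinux_strict: true` under that task's `vars:`, so a regression in the filtering fails the scenario. `gather_facts: no` should be `gather_facts: false` (same in prepare.yml).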
@ -0,0 +1,57 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
gather_facts: no
|
||||
|
||||
tasks:
|
||||
- name: Populate fake clean auditlog
|
||||
copy:
|
||||
dest: /var/log/audit-clean.log
|
||||
owner: root
|
||||
mode: 0600
|
||||
group: root
|
||||
content: |
|
||||
type=SERVICE_START msg=audit(1575877870.934:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
type=SERVICE_STOP msg=audit(1575878320.981:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
type=USER_ACCT msg=audit(1575878471.739:288): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
type=USER_CMD msg=audit(1575878471.740:289): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd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exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
|
||||
type=USER_ACCT msg=audit(1575878554.296:294): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
type=USER_CMD msg=audit(1575878554.296:295): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267206C697374202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
|
||||
type=USER_ACCT msg=audit(1575878555.032:300): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
type=USER_CMD msg=audit(1575878555.032:301): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267207072756E65202D70202D2D6B6565702D77697468696E203277202D2D7374617473202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
|
||||
type=SERVICE_START msg=audit(1575878869.915:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
type=SERVICE_STOP msg=audit(1575878900.615:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
|
||||
|
||||
- name: Populate unclean auditlog
|
||||
copy:
|
||||
dest: /var/log/audit-unclean.log
|
||||
owner: root
|
||||
mode: 0600
|
||||
group: root
|
||||
content: |
|
||||
type=AVC msg=audit(1575534183.234:4933): avc: denied { write } for pid=11266 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
|
||||
type=AVC msg=audit(1575534183.342:4934): avc: denied { write } for pid=11284 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
|
||||
type=USER_AVC msg=audit(1575535009.861:5275): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=38869 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535009.861:5276): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=38869 tpid=1 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535009.862:5277): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1198 spid=1 tpid=38869 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c313,c573 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535013.340:5290): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39132 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535013.341:5291): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39132 tpid=1 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535013.342:5292): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1209 spid=1 tpid=39132 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c192,c917 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535028.912:5307): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39430 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
type=USER_AVC msg=audit(1575535028.913:5308): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39430 tpid=1 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
|
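Review bot: `mode: 0600` on both `copy` tasks is an unquoted octal literal; PyYAML parses it as an integer that Ansible's copy module accepts, but YAML 1.2 parsers and linters read it differently, so write `mode: "0600"` (the `template` task in tasks/main.yml has the same `mode: 0644`). The fourth line of the clean fixture shows a `cmd` field that looks truncated in this rendering; confirm the committed fixture carries the full line so the clean log parses like the others. `gather_facts: no` should be `gather_facts: false`.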
@ -0,0 +1,15 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
|
@ -0,0 +1,123 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# "validate-selinux" tasks
|
||||
|
||||
- name: "Ensure {{ validate_selinux_audit_source }} does exist"
|
||||
become: true
|
||||
stat:
|
||||
path: "{{ validate_selinux_audit_source }}"
|
||||
register: auditlog_stat
|
||||
|
||||
- name: "Fail if {{ validate_selinux_audit_source }} does not exit"
|
||||
when: not auditlog_stat.stat.exists
|
||||
fail:
|
||||
msg: "ERROR: {{ validate_selinux_audit_source }} does not exist!"
|
||||
|
||||
- name: Load skip list from provided file
|
||||
when:
|
||||
- validate_selinux_filter != 'None'
|
||||
- validate_selinux_skip_list is not defined
|
||||
include_vars: "{{ validate_selinux_filter }}"
|
||||
|
||||
- name: Gather subset of facts
|
||||
setup:
|
||||
gather_subset: "!min,distribution_major_version"
|
||||
when:
|
||||
- validate_selinux_filter == 'None'
|
||||
- validate_selinux_skip_list is not defined
|
||||
- ansible_distribution_major_version is not defined
|
||||
|
||||
- name: Load skip list variables (undercloud or overcloud)
|
||||
when:
|
||||
- validate_selinux_skip_list is not defined
|
||||
include_vars: "{{ lookup('first_found', lookhere, errors='ignore') }}"
|
||||
vars:
|
||||
lookhere:
|
||||
- "selinux_skip_{{ release }}_on_{{ ansible_distribution_major_version }}.yml"
|
||||
- "selinux_skip_{{ release }}.yml"
|
||||
|
||||
- name: Fetch denials from auditlog
|
||||
become: true
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep denied {{ validate_selinux_audit_source }} > /tmp/denials.log
|
||||
|
||||
- name: Get stat for denials.log
|
||||
stat:
|
||||
path: /tmp/denials.log
|
||||
register: denials_log
|
||||
|
||||
- name: Everything is fine
|
||||
when: denials_log.stat.size == 0
|
||||
debug:
|
||||
msg: "No untracked SELinux AVC detected, congratulations!"
|
||||
|
||||
- name: Next steps only if we have denials
|
||||
when: denials_log.stat.size > 0
|
||||
block:
|
||||
- name: Create skip list
|
||||
when: validate_selinux_skip_list != {}
|
||||
template:
|
||||
src: skip-list.j2
|
||||
dest: "{{ validate_selinux_skip_list_dest }}"
|
||||
mode: 0644
|
||||
|
||||
- name: Filter out denials
|
||||
when: validate_selinux_skip_list != {}
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -v -f {{ validate_selinux_skip_list_dest }} /tmp/denials.log > {{ validate_selinux_filtered_denials_dest }}
|
||||
|
||||
- name: No skip_list
|
||||
when: validate_selinux_skip_list == {}
|
||||
copy:
|
||||
remote_src: true
|
||||
src: /tmp/denials.log
|
||||
dest: "{{ validate_selinux_filtered_denials_dest }}"
|
||||
|
||||
- name: Get stat for filtered denials
|
||||
stat:
|
||||
path: "{{ validate_selinux_filtered_denials_dest }}"
|
||||
register: denials_stat
|
||||
|
||||
- name: debug
|
||||
debug:
|
||||
var: denials_stat
|
||||
|
||||
- name: Fail if we found untracked denials
|
||||
when:
|
||||
- validate_selinux_strict|bool
|
||||
- denials_stat.stat.size != 0
|
||||
fail:
|
||||
msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
|
||||
|
||||
- name: Output information in case we do not fail
|
||||
when:
|
||||
- not validate_selinux_strict|bool
|
||||
- denials_stat.stat.size != 0
|
||||
debug:
|
||||
msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
|
||||
|
||||
- name: Output information if everything is fine
|
||||
when: denials_stat.stat.size == 0
|
||||
debug:
|
||||
msg: "No untracked SELinux AVC detected, congratulations!"
|
|
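Review bot: `Fetch denials from auditlog` runs with `become: true` and redirects root's output to the fixed path `/tmp/denials.log` in a world-writable directory, so a local user who pre-creates that name (or a symlink there) controls where root writes and what the unprivileged `stat`, `copy` and `grep -v -f` tasks later read; keep the intermediate file under `validate_selinux_working_dir` instead. That directory is never created by the role, so the `template` and `copy` tasks writing to the default `/var/log/validations` fail on a fresh host (the molecule converge only passes because it overrides the dir to `/tmp`), and the later tasks that touch it will need `become: true` as well. Both `shell` tasks also carry `ignore_errors: true`, which hides an unreadable audit log along with the expected exit status 1 of a non-matching `grep`; register the result and use `failed_when: denials_grep.rc > 1`. The guards `validate_selinux_skip_list is not defined` can never be true while defaults/main.yml sets the variable to `{}`, so the release-specific `include_vars` tasks never run. The task name `does not exit` should read `does not exist`.
```yaml
- name: Ensure working directory exists
  become: true
  file:
    path: "{{ validate_selinux_working_dir }}"
    state: directory

- name: Fetch denials from auditlog
  become: true
  changed_when: false
  register: denials_grep
  # grep exits 1 when nothing matches, which is the "clean" case; anything above 1 is a real error
  failed_when: denials_grep.rc > 1
  shell: |
    set -o pipefail
    grep denied {{ validate_selinux_audit_source | quote }} > {{ (validate_selinux_working_dir ~ '/denials.log') | quote }}

# … unchanged: stat/debug/filter/copy tasks, with /tmp/denials.log replaced by the working-dir path and become: true added where they touch it …
```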
@ -0,0 +1,3 @@
|
|||
{% for entry in validate_selinux_skip_list %}
|
||||
{{ entry.entry }}
|
||||
{% endfor %}
|
|
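Review bot: Each `entry.entry` is written as one line of the pattern file that tasks/main.yml feeds to `grep -v -f`, so entries are basic regular expressions rather than literals: `.` matches any character and an unanchored `init_t` also drops lines containing `init_tx...`. Since the template does not escape anything, document that contract at the top, e.g. `{# One basic-regex pattern per line; consumed by "grep -v -f" in tasks/main.yml #}`, or switch the consumer to `grep -F` if literal matching is intended.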
@ -0,0 +1,22 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# While options found within the vars/ path can be overridden using extra
|
||||
# vars, items within this path are considered part of the role and not
|
||||
# intended to be modified.
|
||||
|
||||
# All variables within this role should have a prefix of "validate-selinux"
|
|
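Review bot: The trailing comment says variables should carry the prefix `"validate-selinux"`, but the role's variables use the underscore form `validate_selinux_` as stated in defaults/main.yml; hyphens are not valid in Ansible variable names, so the comment should read `# All variables within this role should have a prefix of "validate_selinux"`.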
@ -1,7 +1,6 @@
|
|||
---
|
||||
- project-template:
|
||||
check:
|
||||
queue: integrated
|
||||
jobs:
|
||||
- tripleo-validations-centos-7-molecule-controller-token
|
||||
- tripleo-validations-centos-7-molecule-controller-ulimits
|
||||
|
@ -23,8 +22,9 @@
|
|||
- tripleo-validations-centos-7-molecule-rabbitmq-limits
|
||||
- tripleo-validations-centos-7-molecule-stonith-exists
|
||||
- tripleo-validations-centos-7-molecule-check-latest-packages-version
|
||||
- tripleo-validations-centos-7-molecule-validate-selinux
|
||||
queue: integrated
|
||||
gate:
|
||||
queue: integrated
|
||||
jobs:
|
||||
- tripleo-validations-centos-7-molecule-controller-token
|
||||
- tripleo-validations-centos-7-molecule-controller-ulimits
|
||||
|
@ -46,6 +46,8 @@
|
|||
- tripleo-validations-centos-7-molecule-rabbitmq-limits
|
||||
- tripleo-validations-centos-7-molecule-stonith-exists
|
||||
- tripleo-validations-centos-7-molecule-check-latest-packages-version
|
||||
- tripleo-validations-centos-7-molecule-validate-selinux
|
||||
queue: integrated
|
||||
name: tripleo-validations-molecule-jobs
|
||||
- job:
|
||||
files:
|
||||
|
@ -122,9 +124,9 @@
|
|||
- ^roles/xfs-check-ftype/.*
|
||||
name: tripleo-validations-centos-7-molecule-xfs-check-ftype
|
||||
parent: tripleo-validations-centos-7-base
|
||||
voting: false
|
||||
vars:
|
||||
tripleo_validations_role_name: xfs-check-ftype
|
||||
voting: false
|
||||
- job:
|
||||
files:
|
||||
- ^roles/no-op-firewall-nova-driver/.*
|
||||
|
@ -188,3 +190,10 @@
|
|||
parent: tripleo-validations-centos-7-base
|
||||
vars:
|
||||
tripleo_validations_role_name: check-latest-packages-version
|
||||
- job:
|
||||
files:
|
||||
- ^roles/validate-selinux/.*
|
||||
name: tripleo-validations-centos-7-molecule-validate-selinux
|
||||
parent: tripleo-validations-centos-7-base
|
||||
vars:
|
||||
tripleo_validations_role_name: validate-selinux
|
||||
|
|