Merge pull request #11245 from rumch-se/fix_in_sebool_ansible

Fix in sebool ansible
ComplianceAsCode · Dec 8, 2023 · c8bdaa4 · c8bdaa4
2 parents f5f16a1 + 4cbbaae
commit c8bdaa4
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 24 deletions.
diff --git a/shared/templates/sebool/ansible.template b/shared/templates/sebool/ansible.template
@@ -4,34 +4,44 @@
 # complexity = low
 # disruption = low
 
-{{% if SEBOOL_BOOL %}}
-- name: Set SELinux boolean {{{ SEBOOLID }}} to {{{ SEBOOL_BOOL }}}
-  seboolean:
-    name: "{{{ SEBOOLID }}}"
-    state: "{{{ SEBOOL_BOOL }}}"
-    persistent: yes
-{{% else %}}
-- (xccdf-var var_{{{ SEBOOLID }}})
-
 {{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
-- name: Ensure python3-libsemanage installed
-  package:
-    name: python3-libsemanage
-    state: present
+{{% set PACKAGE_NAME = "python3-libsemanage" %}}
 {{% elif product == "sle15" %}}
-- name: Ensure policycoreutils installed
+{{% set PACKAGE_NAME = "policycoreutils" %}}
+{{% else %}}
+{{% set PACKAGE_NAME = "libsemanage-python" %}}
+{{% endif %}}
+
+- name: "{{{ rule_title }}} - Ensure {{{ PACKAGE_NAME }}} Installed"
   package:
-    name: policycoreutils
+    name: "{{{ PACKAGE_NAME }}}"
     state: present
-{{% else %}}
-- name: Ensure libsemanage-python installed
+
+{{% if product == "sle15" %}}
+- name: "{{{ rule_title }}} - Ensure Additional Packages Installed"
+  become: yes
   package:
-    name: libsemanage-python
+    name:
+      - policycoreutils-python-utils
+      - selinux-tools
+      - python3-selinux
+      - python3-semanage
     state: present
 {{% endif %}}
-- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
+
+{{% if SEBOOL_BOOL %}}
+- name: "{{{ rule_title }}} - Set SELinux Boolean {{{ SEBOOLID }}} to {{{ SEBOOL_BOOL }}}"
+  seboolean:
+    name: "{{{ SEBOOLID }}}"
+    state: "{{{ SEBOOL_BOOL }}}"
+    persistent: yes
+  when: ansible_facts.selinux.status == 'enabled'  
+{{% else %}}
+- (xccdf-var var_{{{ SEBOOLID }}})
+- name: "{{{ rule_title }}} - Set SELinux Boolean {{{ SEBOOLID }}} Accordingly"
   seboolean:
     name: {{{ SEBOOLID }}}
     state: "{{ var_{{{ SEBOOLID }}} }}"
     persistent: yes
+  when: ansible_facts.selinux.status == 'enabled'  
 {{% endif %}}
diff --git a/shared/templates/sebool/bash.template b/shared/templates/sebool/bash.template
@@ -4,14 +4,26 @@
 # complexity = low
 # disruption = low
 
-{{% if product == "sle15" %}}
+{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+{{{ bash_package_install("python3-libsemanage") }}}
+{{% elif product == "sle15" %}}
 {{{ bash_package_install("policycoreutils") }}}
+{{{ bash_package_install("policycoreutils-python-utils") }}}
+{{{ bash_package_install("selinux-tools") }}}
+{{{ bash_package_install("python3-selinux") }}}
+{{{ bash_package_install("python3-semanage") }}}
+{{% else %}}
+{{{ bash_package_install("libsemanage-python") }}}
 {{% endif %}}
 
+if selinuxenabled; then
 {{% if SEBOOL_BOOL %}}
-setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
+    setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
 {{% else %}}
-{{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
-
-setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}}
+    {{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
+    setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}}
 {{% endif %}}
+else
+    echo "Skipping remediation, SELinux is disabled";
+    false
+fi