Selinux enforcing support for RHEL/Centos #173
Conversation
README.md
Outdated
| @@ -95,6 +95,8 @@ It will not: | |||
| * ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4) | |||
| * telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2) | |||
| * rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3) | |||
| * `default['os-hardening']['security']['selinux_mode'] = 'unmanaged'` | |||
There was a problem hiding this comment.
Could you please remove the default here? We do not mention the precedence level in the docs, as it might differ (e.g. use can use it with override level)
recipes/default.rb
Outdated
| @@ -30,3 +30,4 @@ | |||
| include_recipe('os-hardening::suid_sgid') if node['os-hardening']['security']['suid_sgid']['enforce'] | |||
| include_recipe('os-hardening::sysctl') | |||
| include_recipe('os-hardening::auditd') | |||
| include_recipe('os-hardening::selinux') | |||
There was a problem hiding this comment.
Suggestion: do something like
include_recipe('os-hardening::selinux') if node['platform_family'] == 'rhel' || node['platform_family'] == 'fedora'So this recipe would be invoked only on RHEL systems, which are SELinux capable
| group 'root' | ||
| variables selinux_mode: node['os-hardening']['security']['selinux_mode'] | ||
| end | ||
| end |
There was a problem hiding this comment.
Suggestion: add an else condition to raise an exception on unsupported systems, e.g.
case node['platform_family']
when 'rhel', 'fedora'
...
else
raise "Selinux recipe is not supported on the platform family #{node['platform_family']}"
end
recipes/selinux.rb
Outdated
| case node['platform_family'] | ||
| when 'rhel', 'fedora' | ||
| unless node['os-hardening']['security']['selinux_mode'] == 'unmanaged' | ||
| if node['os-hardening']['security']['selinux_mode'] == 'enforcing' |
There was a problem hiding this comment.
Suggestion:
unless ...
semode = case node['os-hardening']['security']['selinux_mode']
when 'enforcing'
'Enforcing'
when 'permissive'
'Permissive'
else
raise "Unsupported selinux mode #{node['os-hardening']['security']['selinux_mode']}"
end
execute "Set selinux mode to #{semode}" do
command "setenforce #{semod}"
not_if "getenforce | grep -F '#{semode}'"
end
...
endThere was a problem hiding this comment.
tanks for this suggestion. So it is easier to read.
recipes/selinux.rb
Outdated
|
|
||
| template '/etc/selinux/config' do | ||
| source 'rhel_selinuxconfig.erb' | ||
| mode 0544 |
There was a problem hiding this comment.
unsure, do we need 0544 here? not 0644 ?
lets have an attribute that allows to set SELinux mode to enforce/ permissive or let it as it is.
|
Many thanks for your hints and suggestions. They are implemented. |
|
Full CI test is available here: https://travis-ci.org/artem-forks/chef-os-hardening/builds/290410563 |
There was a problem hiding this comment.
@AnMoeller many thanks! Looks good to me
@atomic111 any remarks?
|
@atomic111 there is some issue with DO image name (centos 7), I'll fix it in another PR today. Then we probably can rebase this PR |
|
It looks like the issue with centos DO image was already fixed in master, so I'm merging this. @AnMoeller many thanks! |
lets have an attribute for enforcing or permissiving SELinuxon RHEL/Centos.
Implementation like suggested in issue: #106