validate_selinux

About The Role

An Ansible role that scans the auditd log on the host(s) for SELinux AVC denials, discards the ones listed in a known skip list, records whatever is left, and (optionally) fails the run when untracked denials remain.

Requirements

No requirements.

Dependencies

No dependencies.

Example Playbook

- hosts: localhost
  gather_facts: false
  vars:
    validate_selinux_working_dir: /tmp
    validate_selinux_audit_source: /var/log/audit/audit.log
    validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
    validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
    validate_selinux_strict: false
    validate_selinux_filter: "None"
    validate_selinux_skip_list:
      - entry: 'tcontext=system_u:system_r:init_t'
        comment: 'This one is a real-life entry'
      - entry: 'tcontext=system_u:system_r:system_dbusd_t'
        comment: 'This one is another real-life entry'
  roles:
    - validate_selinux

License

Apache

Author Information

Red Hat TripleO DFG:DF Squad:VF

Full Description

Role Documentation

Welcome to the ‘validate_selinux’ role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the ‘validate_selinux’ role.

# All variables intended for modification should be placed in this file.

# All variables within this role should have a prefix of "validate_selinux"

# Base directory where the following files will be created:
# - /tmp/denials-skip-list.txt (see validate_selinux_skip_list_dest variable below)
# - /tmp/denials-filtered.log (see validate_selinux_filtered_denials_dest
#                              variable below)
validate_selinux_working_dir: /tmp

# Absolute path to the auditd log file
validate_selinux_audit_source: /var/log/audit/audit.log

# Absolute path to the denials skip list file
validate_selinux_skip_list_dest: '{{ validate_selinux_working_dir }}/denials-skip-list.txt'

# Absolute path to the file which will contain the untracked SELinux AVC
# denials found (the ones not matched by any skip list entry)
validate_selinux_filtered_denials_dest: '{{ validate_selinux_working_dir }}/denials-filtered.log'

# If set to true, the validation fails when untracked denials are found;
# otherwise they are only written to validate_selinux_filtered_denials_dest.
validate_selinux_strict: false

# SELinux filter. Defaults to None
validate_selinux_filter: None

# Denials skip list
validate_selinux_skip_list: {}
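
The following is an added worked example, not code from the validate_selinux role itself, that reproduces the check described by the defaults above and by the example playbook in plain Python over a constructed audit.log excerpt. It assumes the semantics the documentation implies: a skip list entry suppresses a denial when it occurs as a substring of the audit record (so `tcontext=system_u:system_r:init_t` also matches the `:s0` level suffix), `validate_selinux_filter` keeps only records containing it unless it is `"None"`, and the skip list file is written one entry per line. The sample log lines, the `find_denials`, `apply_skip_list`, `validate_selinux` and `write_outputs` names and the empty-entry check are all assumptions of this example.

```python
"""Added example: the validate_selinux check in plain Python.

Not the role's own tasks.  Assumed semantics: a skip list entry matches a
denial when it is a substring of the audit record, and the filter (when not
"None") keeps only records that contain it.
"""
import os
import tempfile
from typing import Iterable, List, Tuple

# Constructed audit.log excerpt, not a real capture.  Only the AVC records
# matter; the SYSCALL record is the kind of noise a raw grep must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1602512345.123:456): avc:  denied  { read } for  pid=1234 comm="systemd" name="foo" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1602512345.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="systemd"
type=AVC msg=audit(1602512346.456:457): avc:  denied  { connectto } for  pid=2345 comm="httpd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1602512347.789:458): avc:  denied  { write } for  pid=3456 comm="nginx" name="access.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1602512348.012:459): avc:  denied  { getattr } for  pid=4567 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# Same shape as validate_selinux_skip_list in the example playbook.
SKIP_LIST = [
    {"entry": "tcontext=system_u:system_r:init_t",
     "comment": "This one is a real-life entry"},
    {"entry": "tcontext=system_u:system_r:system_dbusd_t",
     "comment": "This one is another real-life entry"},
]


def find_denials(audit_lines: Iterable[str],
                 selinux_filter: str = "None") -> List[str]:
    """Keep AVC denial records, then apply the optional substring filter.

    A record with permissive=1 is still a denial (it would be enforced on an
    enforcing host), so it is deliberately kept.
    """
    denials = [line for line in audit_lines
               if line.startswith("type=AVC") and " denied " in line]
    if selinux_filter and selinux_filter != "None":
        denials = [line for line in denials if selinux_filter in line]
    return denials


def apply_skip_list(denials: Iterable[str], skip_list) -> List[str]:
    """Drop every denial that contains at least one skip list entry.

    An empty entry would match every record (the same way an empty pattern
    line makes `grep -v -f` drop everything), silently disabling the check,
    so it is rejected here rather than honoured.
    """
    entries = [item["entry"] for item in skip_list]
    if any(not entry.strip() for entry in entries):
        raise ValueError("empty skip list entry would suppress every denial")
    return [d for d in denials if not any(entry in d for entry in entries)]


def validate_selinux(audit_text: str, skip_list=(), selinux_filter="None",
                     strict=False) -> Tuple[List[str], bool]:
    """Return (untracked denials, passed).

    As documented for validate_selinux_strict: the check fails only when
    strict is true AND untracked denials remain.
    """
    denials = find_denials(audit_text.splitlines(), selinux_filter)
    untracked = apply_skip_list(denials, skip_list)
    return untracked, not (strict and untracked)


def write_outputs(working_dir: str, skip_list,
                  untracked: List[str]) -> Tuple[str, str]:
    """Write the two files the role documents under working_dir.

    File names follow the role defaults.  Writing only the entries (not the
    comments) keeps the skip list file usable as a grep pattern file; that
    format is an assumption of this example.
    """
    skip_path = os.path.join(working_dir, "denials-skip-list.txt")
    filtered_path = os.path.join(working_dir, "denials-filtered.log")
    with open(skip_path, "w") as fh:
        fh.writelines(item["entry"] + "\n" for item in skip_list)
    with open(filtered_path, "w") as fh:
        fh.writelines(line + "\n" for line in untracked)
    return skip_path, filtered_path


if __name__ == "__main__":
    untracked, passed = validate_selinux(SAMPLE_AUDIT_LOG, SKIP_LIST, strict=True)
    with tempfile.TemporaryDirectory() as workdir:  # stands in for /tmp
        write_outputs(workdir, SKIP_LIST, untracked)
    for line in untracked:
        print("UNTRACKED:", line)
    raise SystemExit(0 if passed else 1)
```

Run against the sample log with the two skip list entries, the `init_t` and `system_dbusd_t` denials are suppressed and the `nginx` and `sshd` ones are reported; with `strict=True` the script exits non-zero, with the default `strict=False` it exits zero but still writes both untracked records to denials-filtered.log, which is the behaviour to expect from the role's defaults.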

Molecule Scenarios

Molecule is being used to test the ‘validate_selinux’ role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default
Driver: podman
Molecule Platform(s)
- name: centos
  hostname: centos
  image: centos/centos:stream8
  registry:
    url: quay.io
  dockerfile: ../../../../../.config/molecule/Dockerfile
  pkg_extras: python*-setuptools python*-pyyaml
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
  privileged: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') }}"
    https_proxy: "{{ lookup('env', 'https_proxy') }}"
  ulimits:
  - host
Molecule Inventory
hosts:
  all:
    hosts:
      centos:
        ansible_python_interpreter: /usr/bin/python3
Example default playbook
- name: Converge
  hosts: all
  gather_facts: false
  vars:
    validate_selinux_working_dir: /tmp

  tasks:
  - name: Simple run without filter against clean auditlog
    include_role:
      name: validate_selinux
    vars:
      validate_selinux_audit_source: /var/log/audit-clean.log

  - name: Run with filter against unclean auditlog
    include_role:
      name: validate_selinux
    vars:
      validate_selinux_audit_source: /var/log/audit-unclean.log
      validate_selinux_skip_list:
      - entry: tcontext=system_u:system_r:init_t
        comment: This one is a real-life entry
      - entry: tcontext=system_u:system_r:system_dbusd_t
        comment: This one is another real-life entry

  - name: Run without filter against unclean auditlog
    block:
    - name: Run role
      include_role:
        name: validate_selinux
      vars:
        validate_selinux_audit_source: /var/log/audit-unclean.log
        validate_selinux_strict: true
    rescue:
    - name: Clear host error
      meta: clear_host_errors

    - name: Status message
      debug:
        msg: Successfully detected denials issue!

    - name: End play
      meta: end_play

  - name: Fail if we get to this place
    fail:
      msg: 'Unit test failed: did not detect untracked denials!'