SELinux set to permissive during role run #683

Open
alvise1988 opened this issue Dec 30, 2023 · 1 comment
Labels
enhancement Enhance/improve an existing feature

Comments

@alvise1988

Describe the bug

Every time this role is run with nginx_selinux set to true, the sequence of tasks in setup-selinux.yml sets SELinux to permissive and, after completing a few tasks, it switches it back to enforcing.

This happens even if the system is already in the desired state, which seems to be a security issue since this means that SELinux is disabled, even though for a short time, for no reason.

Moreover, even if I am not entirely sure about it, none of the tasks in the file linked above seem to require SELinux to be set to permissive even when the role is required to make changes to the system.

To reproduce

Run the role on a RHEL-based or RHEL-compatible OS (e.g. RHEL, AlmaLinux, etc.) with SELinux running and the nginx_selinux role variable set to true.

Expected behavior

SELinux should always remain in enforcing mode unless the nginx_selinux_enforcing role variable is set to false.

Your environment

  • Version of nginxinc.nginx_core: 0.8.0 (ansible-role-nginx: 0.24.0)
  • Version of Ansible: 9.1.0
  • Target deployment platform: AlmaLinux 8.9

Additional context

N/A

@alessfg
Collaborator

alessfg commented Jan 2, 2024

You might be right. To be honest, anything SELinux-related wasn't really implemented by me and isn't properly tested as of today, since there's no real way to test it in the current container-heavy test environment. However, based on my experience when running the role against RHEL machines, there are indeed some changes that would not work without setting SELinux to permissive.

That being said, changing the default to keep SELinux in enforcing mode makes sense to me!

@alessfg alessfg added the enhancement Enhance/improve an existing feature label Jan 2, 2024
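
An added example, not part of the issue thread or of the role's code: one way to measure the permissive windows described in the issue, by pairing the kernel's MAC_STATUS audit records that mark each SELinux mode change. The sample records are constructed, and the function name and the assumption that auditd writes these records to /var/log/audit/audit.log are mine.

```python
import re

# Constructed sample records (not from the issue), abbreviated, in the shape
# the kernel logs when the SELinux enforcing mode is changed.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1703930000.100:410): enforcing=0 old_enforcing=1 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
type=SYSCALL msg=audit(1703930000.100:410): arch=c000003e syscall=1 success=yes exit=1 comm="setenforce"
type=MAC_STATUS msg=audit(1703930042.700:433): enforcing=1 old_enforcing=0 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
type=MAC_STATUS msg=audit(1703933600.000:512): enforcing=0 old_enforcing=1 auid=0 ses=7 enabled=1 old-enabled=1 lsm=selinux res=1
"""

# Only MAC_STATUS records carry the mode change; other record types are skipped.
MAC_STATUS = re.compile(
    r"^type=MAC_STATUS msg=audit\((?P<ts>\d+\.\d+):\d+\): "
    r"enforcing=(?P<new>[01]) old_enforcing=(?P<old>[01]) auid=(?P<auid>\d+)"
)


def permissive_windows(log_text):
    """Return (start, end, auid) for each interval spent in permissive mode.

    start/end are audit timestamps in epoch seconds; end is None when the log
    ends while the host is still permissive. auid is the login UID that
    switched the host to permissive.
    """
    windows = []
    open_start = None  # (timestamp, auid) of the enforcing -> permissive switch
    for line in log_text.splitlines():
        m = MAC_STATUS.match(line)
        if not m or m["new"] == m["old"]:
            continue  # not a mode change
        ts = float(m["ts"])
        if m["new"] == "0" and open_start is None:
            open_start = (ts, int(m["auid"]))
        elif m["new"] == "1" and open_start is not None:
            windows.append((open_start[0], ts, open_start[1]))
            open_start = None
    if open_start is not None:
        windows.append((open_start[0], None, open_start[1]))
    return windows


if __name__ == "__main__":
    for start, end, auid in permissive_windows(SAMPLE_AUDIT_LOG):
        length = "still permissive" if end is None else f"{end - start:.1f}s"
        print(f"permissive from {start:.3f} (auid={auid}): {length}")
```

Comparing the reported windows with the times of role runs shows how long each run leaves the host without enforcement, and a window with no end marks a run that never switched back.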