Describe the bug
Every time this role is run with nginx_selinux set to true, the sequence of tasks in setup-selinux.yml sets SELinux to permissive and, after completing a few tasks, it switches it back to enforcing.
This happens even if the system is already in the desired state, which seems to be a security issue since this means that SELinux is disabled, even if only for a short time, for no reason.
Moreover, even if I am not entirely sure about it, none of the tasks in the file linked above seem to require SELinux to be set to permissive even when the role is required to make changes to the system.
To reproduce
Run the role on a RHEL-based or RHEL-compatible OS (e.g. RHEL, AlmaLinux, etc.) with SELinux running and the nginx_selinux role variable set to true.
Expected behavior
SELinux should always remain in enforcing mode unless the nginx_selinux_enforcing role variable is set to false.
Your environment
Version of nginxinc.nginx_core: 0.8.0 (ansible-role-nginx: 0.24.0)
Version of Ansible: 9.1.0
Target deployment platform: AlmaLinux 8.9
Additional context
N/A
You might be right. To be honest, anything SELinux-related wasn't really implemented by me and isn't properly tested as of today, since there's no real way to test it in the current container-heavy test environment. However, based on my experience when running the role against RHEL machines, there are indeed some changes that would not work without setting SELinux to permissive.
That being said, changing the default to keep SELinux in enforcing mode makes sense to me!
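To confirm on a target host whether a role run opened a permissive window like the one the issue describes, and for how long, the SELinux mode changes recorded by auditd can be paired up. This is an added example, not part of the issue thread or of the role; it assumes MAC_STATUS records carrying enforcing= and old_enforcing= fields, and the sample lines are constructed.

```python
import re

# Constructed sample of SELinux mode-change audit records (MAC_STATUS), in the
# shape auditd writes to /var/log/audit/audit.log; all values are invented.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1704103200.101:812): enforcing=0 old_enforcing=1 auid=1000 ses=4 enabled=1 old-enabled=1 lsm=selinux res=1
type=SERVICE_START msg=audit(1704103203.550:815): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nginx comm="systemd" res=success'
type=MAC_STATUS msg=audit(1704103209.347:820): enforcing=1 old_enforcing=0 auid=1000 ses=4 enabled=1 old-enabled=1 lsm=selinux res=1
type=MAC_STATUS msg=audit(1704189600.020:977): enforcing=0 old_enforcing=1 auid=1000 ses=9 enabled=1 old-enabled=1 lsm=selinux res=1
"""

# Only MAC_STATUS lines matter; \b keeps "enforcing=" from matching inside
# "old_enforcing=".
MAC_STATUS = re.compile(
    r"^type=MAC_STATUS msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?\benforcing=(?P<new>[01]) old_enforcing=(?P<old>[01])"
)


def permissive_windows(log_text):
    """Return (start, end, seconds) for each enforcing -> permissive window.

    end and seconds are None when the log ends while still permissive.
    """
    windows = []
    opened = None  # epoch time of the switch to permissive, if one is open
    for line in log_text.splitlines():
        m = MAC_STATUS.match(line)
        if not m or m["new"] == m["old"]:
            continue  # not a mode change
        ts = float(m["ts"])
        if m["new"] == "0" and opened is None:
            opened = ts
        elif m["new"] == "1" and opened is not None:
            windows.append((opened, ts, round(ts - opened, 3)))
            opened = None
    if opened is not None:
        windows.append((opened, None, None))
    return windows


if __name__ == "__main__":
    for start, end, secs in permissive_windows(SAMPLE_AUDIT_LOG):
        state = f"{secs}s" if end is not None else "still permissive at end of log"
        print(f"permissive from {start}: {state}")
```

A window that recurs on every run against a host already in the desired state is the behaviour reported above; a window that never closes means the mode was not restored.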