Search for unlabeled device files
The checks for V-51379 didn't apply for Ubuntu and they were unintentionally skipped in CentOS after the multi-distro work was completed. This patch adds a search for unlabeled device files on CentOS 7 systems and halts the playbook if an unlabeled device is found. This is a very rare occurrence. Documentation updates and release notes are provided.

Closes-bug: 1584196
Change-Id: Iba4be3bc5fa607685e3b4eeefda35f93894c7f28
This commit is contained in:
parent
31424a42af
commit
bf28fdfe90
@ -1,7 +1,10 @@
|
|||||||
**Exception**
|
**Exception for Ubuntu**
|
||||||
|
|
||||||
|
The security role will search for unlabeled devices on CentOS and the playbook
|
||||||
|
will fail with an error message if any unlabeled devices are found.
|
||||||
|
|
||||||
Although SELinux works through a labeling system where every file (including
|
Although SELinux works through a labeling system where every file (including
|
||||||
devices) receive a label, AppArmor works purely through policies without
|
devices) receives a label, AppArmor on Ubuntu works purely through policies
|
||||||
labels. However, openstack-ansible does configure several AppArmor policies
|
without labels. However, OpenStack-Ansible does configure several AppArmor
|
||||||
to reduce the chances and impact of LXC container breakouts on OpenStack
|
policies to reduce the chances and impact of LXC container breakouts on
|
||||||
hosts.
|
OpenStack hosts.
|
||||||
|
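Review bot: the documentation text says the search runs "on CentOS", but the task added in this change is gated on `ansible_os_family == 'RedHat'`, so it also runs on RHEL and other Red Hat family hosts; either say "Red Hat family (CentOS, RHEL)" here or narrow the task condition to match the docs. It would also help operators to state what to do when the playbook fails at this point (relabel the listed devices, for example with restorecon, and rerun), since the error message only lists the offending paths.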
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Tasks were added to search for any device files without a proper SELinux
|
||||||
|
label on CentOS systems. If any of these device labels are found, the
|
||||||
|
playbook execution will stop with an error message.
|
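Review bot: "If any of these device labels are found" in the release note should read "If any unlabeled device files are found"; the search looks for device files lacking a proper label, not for labels. As with the documentation hunk, "on CentOS systems" is narrower than the task condition `ansible_os_family == 'RedHat'`, so "Red Hat family systems" would be more accurate.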
@ -412,3 +412,24 @@
|
|||||||
tags:
|
tags:
|
||||||
- cat2
|
- cat2
|
||||||
- V-38674
|
- V-38674
|
||||||
|
|
||||||
|
- name: Check for unlabeled device files (for V-51379)
|
||||||
|
shell: "find /dev -context '*unlabeled_t*'"
|
||||||
|
register: v51379_unlabeled_devices
|
||||||
|
always_run: True
|
||||||
|
when:
|
||||||
|
- ansible_os_family == 'RedHat'
|
||||||
|
tags:
|
||||||
|
- cat1
|
||||||
|
- V-51379
|
||||||
|
|
||||||
|
- name: V-51379 - All device files must be monitored by the Linux Security Module
|
||||||
|
fail:
|
||||||
|
msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}"
|
||||||
|
when:
|
||||||
|
- ansible_os_family == 'RedHat'
|
||||||
|
- v51379_unlabeled_devices.stdout is defined
|
||||||
|
- v51379_unlabeled_devices.stdout | length > 0
|
||||||
|
tags:
|
||||||
|
- cat1
|
||||||
|
- V-51379
|
||||||
|
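Review bot: the search task has no `changed_when`, so every run reports the `find` step as changed although it only reads `/dev`; add `changed_when: False` next to `register: v51379_unlabeled_devices`. Also, because it is a plain `shell` task with no `failed_when`, a non-zero exit from `find` (a permission error, or a host where file contexts cannot be read) aborts the play at the search step with find's own stderr instead of reaching the V-51379 `fail` task; either accept that explicitly in a comment or add `failed_when: False` and check `v51379_unlabeled_devices.rc` in the second task alongside the existing `stdout is defined` and `stdout | length > 0` conditions. Minor: the `ansible_os_family == 'RedHat'` condition on the `fail` task is redundant, since `stdout` is only defined when the search task actually ran on a Red Hat family host.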