Bug 1601929

Summary: Ansible remediation setting SELinux policy fails [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.5CC: jcerny, jvilicic, matyc, mhaicman, mjahoda, mpreisle, mthacker, openscap-maint, shawn, wsato
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.36-10.el7_5 Doc Type: Bug Fix
Doc Text:
Previously, the playbook for setting SELinux policy did not include the "state" parameter to the Ansible SELinux module. As a consequence, remediation playbooks generated by the oscap command failed to set the SELinux policy accordingly to the "var_selinux_policy_name" variable. With this update, the remediation playbook has been changed to use the "lineinfile" module, and it can now correctly set the SELinux policy as defined in "var_selinux_policy_name".
 Story Points: ---
Clone Of: 1592970 Environment:
Last Closed: 2018-09-25 19:05:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1592970    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-07-17 13:41:54 UTC 
This bug has been copied from bug #1592970 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 3 Marek Haicman 2018-09-16 19:07:55 UTC 
Verified version scap-security-guide-0.1.36-10.el7_5 contains required fix.

OLD (scap-security-guide-0.1.36-9.el7_5):
grep -C3 '{{ var_selinux_state }}' /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

- name: "Ensure SELinux State is Enforcing"
  selinux:
    state: "{{ var_selinux_state }}"
  tags:
    - selinux_state
    - high_severity
--

- name: "Ensure SELinux State is Enforcing"
  selinux:
    state: "{{ var_selinux_state }}"
  tags:
    - selinux_state
    - high_severity


NEW (scap-security-guide-0.1.36-10.el7_5):
grep -C3 '{{ var_selinux_state }}' /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
  lineinfile:
    path: /etc/sysconfig/selinux
    regexp: '^SELINUX='
    line: "SELINUX={{ var_selinux_state }}"
    create: yes
  tags:
    - selinux_state
--
  lineinfile:
    path: /etc/sysconfig/selinux
    regexp: '^SELINUX='
    line: "SELINUX={{ var_selinux_state }}"
    create: yes
  tags:
    - selinux_state
Comment 5 errata-xmlrpc 2018-09-25 19:05:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2752