Search for unlabeled device files

The checks for V-51379 didn't apply for Ubuntu and they were unintentionally skipped in CentOS after the multi-distro work was completed. This patch adds a search for unlabeled device files on CentOS 7 systems and halts the playbook if an unlabeled device is found. This is a very rare occurrence. Documentation updates and release notes are provided. Closes-bug: 1584196 Change-Id: Iba4be3bc5fa607685e3b4eeefda35f93894c7f28
2016-06-01 13:22:12 -05:00 · 2016-06-01 13:22:12 -05:00 · bf28fdfe90
parent 31424a42af
commit bf28fdfe90
3 changed files with 35 additions and 5 deletions
--- a/doc/source/developer-notes/V-51379.rst
+++ b/doc/source/developer-notes/V-51379.rst
@ -1,7 +1,10 @@
-**Exception**
+**Exception for Ubuntu**
+
+The security role will search for unlabeled devices on CentOS and the playbook
+will fail with an error message if any unlabeled devices are found.

 Although SELinux works through a labeling system where every file (including
-devices) receive a label, AppArmor works purely through policies without
-labels. However, openstack-ansible does configure several AppArmor policies
-to reduce the chances and impact of LXC container breakouts on OpenStack
-hosts.
+devices) receives a label, AppArmor on Ubuntu works purely through policies
+without labels. However, OpenStack-Ansible does configure several AppArmor
+policies to reduce the chances and impact of LXC container breakouts on
+OpenStack hosts.
--- a/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml
+++ b/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Tasks were added to search for any device files without a proper SELinux
+    label on CentOS systems. If any of these device labels are found, the
+    playbook execution will stop with an error message.
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -412,3 +412,24 @@
  tags:
    - cat2
    - V-38674
+
+- name: Check for unlabeled device files (for V-51379)
+  shell: "find /dev -context '*unlabeled_t*'"
+  register: v51379_unlabeled_devices
+  always_run: True
+  when:
+    - ansible_os_family == 'RedHat'
+  tags:
+    - cat1
+    - V-51379
+
+- name: V-51379 - All device files must be monitored by the Linux Security Module
+  fail:
+    msg: "Devices were found without SELinux labels: {{ v51379_unlabeled_devices.stdout_lines | join(', ') }}"
+  when:
+    - ansible_os_family == 'RedHat'
+    - v51379_unlabeled_devices.stdout is defined
+    - v51379_unlabeled_devices.stdout | length > 0
+  tags:
+    - cat1
+    - V-51379