Blame SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch

c862b5
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
c862b5
From: Gabriel Becker <ggasparb@redhat.com>
c862b5
Date: Tue, 26 May 2020 17:49:21 +0200
c862b5
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
c862b5
c862b5
Affected rules:
c862b5
 - selinux_policytype
c862b5
 - selinux_state
c862b5
---
c862b5
 .../selinux/selinux_policytype/ansible/shared.yml |  9 ++-------
c862b5
 .../selinux/selinux_policytype/bash/shared.sh     |  5 +++--
c862b5
 .../tests/selinuxtype_minimum.fail.sh             | 10 ++++++++++
c862b5
 .../selinux/selinux_state/ansible/shared.yml      |  9 ++-------
c862b5
 .../system/selinux/selinux_state/bash/shared.sh   |  5 +++--
c862b5
 .../selinux_state/tests/selinux_missing.fail.sh   |  5 +++++
c862b5
 .../tests/selinux_permissive.fail.sh              | 10 ++++++++++
c862b5
 shared/macros-ansible.jinja                       | 11 +++++++++++
c862b5
 shared/macros-bash.jinja                          | 15 +++++++++++++++
c862b5
 9 files changed, 61 insertions(+), 18 deletions(-)
c862b5
 create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
c862b5
 create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
c862b5
 create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
c862b5
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
c862b5
index 5c70cc9f7f..9f8cf66dfb 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
c862b5
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
c862b5
@@ -3,11 +3,6 @@
c862b5
 # strategy = restrict
c862b5
 # complexity = low
c862b5
 # disruption = low
c862b5
 - (xccdf-var var_selinux_policy_name)
c862b5
 
c862b5
-- name: "{{{ rule_title }}}"
c862b5
-  lineinfile:
c862b5
-    path: /etc/sysconfig/selinux
c862b5
-    regexp: '^SELINUXTYPE='
c862b5
-    line: "SELINUXTYPE={{ var_selinux_policy_name }}"
c862b5
-    create: yes
c862b5
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
c862b5
index d0fbbf4446..2b5ce31b12 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
c862b5
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
c862b5
@@ -1,7 +1,8 @@
c862b5
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
c862b5
-#
c862b5
+
c862b5
 # Include source function library.
c862b5
 . /usr/share/scap-security-guide/remediation_functions
c862b5
+
c862b5
 populate var_selinux_policy_name
c862b5
 
c862b5
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
c862b5
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
c862b5
new file mode 100644
c862b5
index 0000000000..1a6eb94953
c862b5
--- /dev/null
c862b5
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
c862b5
@@ -0,0 +1,10 @@
c862b5
+#!/bin/bash
c862b5
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
c862b5
+
c862b5
+SELINUX_FILE='/etc/selinux/config'
c862b5
+
c862b5
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
c862b5
+	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
c862b5
+else
c862b5
+	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
c862b5
+fi
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
c862b5
index b465ac6729..1c1560a86c 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
c862b5
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
c862b5
@@ -3,11 +3,6 @@
c862b5
 # strategy = restrict
c862b5
 # complexity = low
c862b5
 # disruption = low
c862b5
 - (xccdf-var var_selinux_state)
c862b5
 
c862b5
-- name: "{{{ rule_title }}}"
c862b5
-  lineinfile:
c862b5
-    path: /etc/sysconfig/selinux
c862b5
-    regexp: '^SELINUX='
c862b5
-    line: "SELINUX={{ var_selinux_state }}"
c862b5
-    create: yes
c862b5
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
c862b5
index 58193b5504..a402a861d7 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
c862b5
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
c862b5
@@ -1,10 +1,11 @@
c862b5
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
c862b5
-#
c862b5
+
c862b5
 # Include source function library.
c862b5
 . /usr/share/scap-security-guide/remediation_functions
c862b5
+
c862b5
 populate var_selinux_state
c862b5
 
c862b5
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
c862b5
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
c862b5
 
c862b5
 fixfiles onboot
c862b5
 fixfiles -f relabel
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
c862b5
new file mode 100644
c862b5
index 0000000000..180dd80791
c862b5
--- /dev/null
c862b5
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
c862b5
@@ -0,0 +1,5 @@
c862b5
+#!/bin/bash
c862b5
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
c862b5
+
c862b5
+SELINUX_FILE='/etc/selinux/config'
c862b5
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
c862b5
new file mode 100644
c862b5
index 0000000000..3db1e56b5f
c862b5
--- /dev/null
c862b5
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
c862b5
@@ -0,0 +1,10 @@
c862b5
+#!/bin/bash
c862b5
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
c862b5
+
c862b5
+SELINUX_FILE='/etc/selinux/config'
c862b5
+
c862b5
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
c862b5
+	sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
c862b5
+else
c862b5
+	echo 'SELINUX=permissive' >> $SELINUX_FILE
c862b5
+fi
c862b5
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
c862b5
index 6798a25d1f..01d3155b37 100644
c862b5
--- a/shared/macros-ansible.jinja
c862b5
+++ b/shared/macros-ansible.jinja
c862b5
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
c862b5
 {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
c862b5
 {{%- endmacro %}}
c862b5
 
c862b5
+{{#
c862b5
+  High level macro to set a parameter in /etc/selinux/config.
c862b5
+  Parameters:
c862b5
+  - msg: the name for the Ansible task
c862b5
+  - parameter: parameter to be set in the configuration file
c862b5
+  - value: value of the parameter
c862b5
+#}}
c862b5
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
c862b5
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
c862b5
+{{%- endmacro %}}
c862b5
+
c862b5
 {{#
c862b5
   Generates an Ansible task that puts 'contents' into a file at 'filepath'
c862b5
   Parameters:
c862b5
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
c862b5
index 3a94fe5dd8..2531d1c52d 100644
c862b5
--- a/shared/macros-bash.jinja
c862b5
+++ b/shared/macros-bash.jinja
c862b5
@@ -86,6 +86,21 @@ populate {{{ name }}}
c862b5
     }}}
c862b5
 {{%- endmacro -%}}
c862b5
 
c862b5
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
c862b5
+{{{ set_config_file(
c862b5
+        path="/etc/selinux/config",
c862b5
+        parameter=parameter,
c862b5
+        value=value,
c862b5
+        create=true,
c862b5
+        insert_after="",
c862b5
+        insert_before="",
c862b5
+        insensitive=true,
c862b5
+        separator="=",
c862b5
+        separator_regex="\s*=\s*",
c862b5
+        prefix_regex="^\s*")
c862b5
+    }}}
c862b5
+{{%- endmacro -%}}
c862b5
+
c862b5
 {{#
c862b5
 # Install a package
c862b5
 # Uses the right command based on pkg_manger proprerty defined in product.yaml.
c862b5
c862b5
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
c862b5
From: Gabriel Becker <ggasparb@redhat.com>
c862b5
Date: Wed, 27 May 2020 18:48:57 +0200
c862b5
Subject: [PATCH 2/2] Remediation requires reboot.
c862b5
c862b5
Update OVAL check to disallow spaces.
c862b5
Removed selinuxtype_minimum test scenario since breaks the system.
c862b5
---
c862b5
 .../selinux/selinux_policytype/ansible/shared.yml      |  2 +-
c862b5
 .../system/selinux/selinux_policytype/bash/shared.sh   |  4 ++++
c862b5
 .../system/selinux/selinux_policytype/oval/shared.xml  |  2 +-
c862b5
 .../tests/selinuxtype_minimum.fail.sh                  | 10 ----------
c862b5
 .../guide/system/selinux/selinux_state/bash/shared.sh  |  4 ++++
c862b5
 .../guide/system/selinux/selinux_state/oval/shared.xml |  2 +-
c862b5
 shared/macros-ansible.jinja                            |  2 +-
c862b5
 shared/macros-bash.jinja                               |  4 ++--
c862b5
 8 files changed, 14 insertions(+), 16 deletions(-)
c862b5
 delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
c862b5
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
c862b5
index 9f8cf66dfb..73e6ec7cd4 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
c862b5
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
c862b5
@@ -1,5 +1,5 @@
c862b5
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
c862b5
-# reboot = false
c862b5
+# reboot = true
c862b5
 # strategy = restrict
c862b5
 # complexity = low
c862b5
 # disruption = low
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
c862b5
index 2b5ce31b12..b4f79c97f9 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
c862b5
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
c862b5
@@ -1,4 +1,8 @@
c862b5
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
c862b5
+# reboot = true
c862b5
+# strategy = restrict
c862b5
+# complexity = low
c862b5
+# disruption = low
c862b5
 
c862b5
 # Include source function library.
c862b5
 . /usr/share/scap-security-guide/remediation_functions
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
c862b5
index f1840a1290..3d69fff07f 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
c862b5
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
c862b5
@@ -27,7 +27,7 @@
c862b5
 
c862b5
   <ind:textfilecontent54_object id="obj_selinux_policy" version="1">
c862b5
     <ind:filepath>/etc/selinux/config</ind:filepath>
c862b5
-    <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
c862b5
+    <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
c862b5
     <ind:instance datatype="int">1</ind:instance>
c862b5
   </ind:textfilecontent54_object>
c862b5
 </def-group>
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
c862b5
deleted file mode 100644
c862b5
index 1a6eb94953..0000000000
c862b5
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
c862b5
+++ /dev/null
c862b5
@@ -1,10 +0,0 @@
c862b5
-#!/bin/bash
c862b5
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
c862b5
-
c862b5
-SELINUX_FILE='/etc/selinux/config'
c862b5
-
c862b5
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
c862b5
-	sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
c862b5
-else
c862b5
-	echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
c862b5
-fi
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
c862b5
index a402a861d7..645a7acab4 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
c862b5
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
c862b5
@@ -1,4 +1,8 @@
c862b5
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
c862b5
+# reboot = true
c862b5
+# strategy = restrict
c862b5
+# complexity = low
c862b5
+# disruption = low
c862b5
 
c862b5
 # Include source function library.
c862b5
 . /usr/share/scap-security-guide/remediation_functions
c862b5
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
c862b5
index c0881696e1..8c328060af 100644
c862b5
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
c862b5
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
c862b5
@@ -18,7 +18,7 @@
c862b5
 
c862b5
   <ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
c862b5
     <ind:filepath>/etc/selinux/config</ind:filepath>
c862b5
-    <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
c862b5
+    <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
c862b5
     <ind:instance datatype="int">1</ind:instance>
c862b5
   </ind:textfilecontent54_object>
c862b5
 
c862b5
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
c862b5
index 01d3155b37..580a0b948e 100644
c862b5
--- a/shared/macros-ansible.jinja
c862b5
+++ b/shared/macros-ansible.jinja
c862b5
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
c862b5
   - value: value of the parameter
c862b5
 #}}
c862b5
 {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
c862b5
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
c862b5
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
c862b5
 {{%- endmacro %}}
c862b5
 
c862b5
 {{#
c862b5
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
c862b5
index 2531d1c52d..8abcc914d3 100644
c862b5
--- a/shared/macros-bash.jinja
c862b5
+++ b/shared/macros-bash.jinja
c862b5
@@ -96,8 +96,8 @@ populate {{{ name }}}
c862b5
         insert_before="",
c862b5
         insensitive=true,
c862b5
         separator="=",
c862b5
-        separator_regex="\s*=\s*",
c862b5
-        prefix_regex="^\s*")
c862b5
+        separator_regex="=",
c862b5
+        prefix_regex="^")
c862b5
     }}}
c862b5
 {{%- endmacro -%}}
c862b5