fix: allow other ssh ports using selinux #214
Conversation
|
Hey @guilieb, this looks good on first view. I'll like to check this manually since travis skips the selinux-tasks. |
|
Done 😉. Thanks for the review ! |
tasks/selinux.yml
Outdated
| state: present | ||
| with_items: | ||
| - "{{ ssh_server_ports }}" | ||
| when: ssh_server_ports != ['22'] |
There was a problem hiding this comment.
Let's remove this when-condition since the seport-module is idemopent and will not change anything here.
There was a problem hiding this comment.
It’s because I’m too impatient, I’d like to skip tasks if unnecessary. I’m changin' this !
|
Hey Guillaume, so I tested this and its still looking good! I added one additional comment and if this is taken care of its ready to be merged! |
|
Done 😉 |
|
There's a failure now for Centos 6 machines. So that's why I revamped the checking of selinux. With the following patch, the task should only run when SELinux is installed and activated: diff --git a/tasks/hardening.yml b/tasks/hardening.yml
index ed30320..9194495 100644
--- a/tasks/hardening.yml
+++ b/tasks/hardening.yml
@@ -71,13 +71,6 @@
- ssh_challengeresponseauthentication
- ssh_google_auth
-- name: test to see if selinux is installed and running
- command: getenforce
- register: sestatus
- failed_when: false
- changed_when: false
- check_mode: no
-
- name: include selinux specific tasks
include_tasks: selinux.yml
- when: sestatus.rc == 0
+ when: ansible_selinux and ansible_selinux.status != "disabled"
diff --git a/tasks/selinux.yml b/tasks/selinux.yml
index 531e459..0114625 100644
--- a/tasks/selinux.yml
+++ b/tasks/selinux.yml
@@ -57,7 +57,7 @@
- name: install selinux policy
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
- when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+ when: not ssh_use_pam and ansible_selinux != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
# See http://danwalsh.livejournal.com/12333.html for more infoCan you apply this patch to your PR and commit it, please? |
Signed-off-by: Guillaume Bernard <contact@guillaume-bernard.fr>
|
Done again ! |
|
Thanks! I'll have to make some additional changes, but I'll do these by myself. |
1 participant
Hi there 🙃
I encountered the same issue as described on #212. Whereas I don’t think tweaking the firewalld is a good idea because it adds dependencies, we should consider allowing ssh ports on SELinux policy if they differ from the default values.