Beispiel #1
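    def process(self):
        """Turn the consumed SELinuxFacts into upgrade decisions and info messages.

        * Config mode 'disabled': only informational messages are produced
          (plus a notice when SELinux is nevertheless enabled at runtime).
        * Config mode 'enforcing' or 'permissive': a relabel is requested via
          SelinuxRelabelDecision(set_relabel=True).
        * Config mode 'enforcing': additionally SelinuxPermissiveDecision(
          set_permissive=True) is produced, i.e. enforcement is lowered.

        If several SELinuxFacts messages are consumed, the last one wins.
        """
        # Pre-bind both names: without this, an empty message stream left them
        # unbound and the first comparison below raised UnboundLocalError.
        enabled = None
        conf_status = None
        for fact in self.consume(SELinuxFacts):
            enabled = fact.enabled
            conf_status = fact.static_mode

        if conf_status is None:
            # No facts (or no configured mode) -> nothing to decide.
            return

        if conf_status == 'disabled':
            if enabled:
                # Runtime state contradicts the configuration file; surface it
                # so the operator can review the mismatch.
                self.produce_info(
                    'Pass',
                    'SElinux disabled in configuration file but currently enabled',
                    'This message is to inform user about non-standard SElinux configuration'
                )
            self.produce_info('Pass', 'SElinux disabled',
                              'SElinux disabled, continuing...')
            return

        if conf_status in ('enforcing', 'permissive'):
            self.produce(SelinuxRelabelDecision(set_relabel=True))
            self.produce_info(
                'Fixed', 'Schedule SElinux relabeling',
                'Schedule SElinux relabeling as the status was permissive/enforcing'
            )

        if conf_status == 'enforcing':
            # NOTE(review): this lowers enforcing to permissive and reports it
            # as 'Fixed'; nothing in this method restores enforcing afterwards,
            # so that presumably has to happen after the upgrade - confirm.
            self.produce(SelinuxPermissiveDecision(set_permissive=True))
            self.produce_info(
                'Fixed', 'SElinux will be set to permissive mode',
                'SElinux will be set to permissive mode as it was in enforcing mode'
            )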
Beispiel #2
    def process(self):
        """Derive SELinux upgrade decisions from the first SELinuxFacts message.

        Nothing is produced when no facts are available. A 'disabled'
        configuration only yields reports. 'enforcing' and 'permissive' request
        a relabel; 'enforcing' additionally requests a switch to permissive
        mode, which is reported with LOW severity.
        """

        def selinux_tags():
            # Every report in this method carries the same two tags.
            return reporting.Tags(
                [reporting.Tags.SELINUX, reporting.Tags.SECURITY])

        selinux_facts = next(self.consume(SELinuxFacts), None)
        if not selinux_facts:
            return

        runtime_enabled = selinux_facts.enabled
        configured_mode = selinux_facts.static_mode

        if configured_mode == 'disabled':
            if runtime_enabled:
                # Config file and running system disagree; report the mismatch.
                mismatch_report = [
                    reporting.Title(
                        'SElinux disabled in configuration file but currently enabled'
                    ),
                    reporting.Summary(
                        'This message is to inform user about non-standard SElinux configuration.'
                    ),
                    reporting.Severity(reporting.Severity.LOW),
                    selinux_tags(),
                ]
                create_report(mismatch_report)
            # This report is created without an explicit Severity entry.
            disabled_report = [
                reporting.Title('SElinux disabled'),
                reporting.Summary('SElinux disabled, continuing...'),
                selinux_tags(),
            ]
            create_report(disabled_report)
            return

        if configured_mode not in ('enforcing', 'permissive'):
            return

        # Both active modes get a relabel decision.
        self.produce(SelinuxRelabelDecision(set_relabel=True))
        relabel_report = [
            reporting.Title('SElinux relabeling has been scheduled'),
            reporting.Summary(
                'SElinux relabeling has been scheduled as the status was permissive/enforcing.'
            ),
            reporting.Severity(reporting.Severity.INFO),
            selinux_tags(),
        ]
        create_report(relabel_report)

        if configured_mode != 'enforcing':
            return

        # Enforcing systems are additionally switched to permissive mode.
        self.produce(SelinuxPermissiveDecision(set_permissive=True))
        permissive_report = [
            reporting.Title('SElinux will be set to permissive mode'),
            reporting.Summary(
                'SElinux will be set to permissive mode. Current mode: enforcing. This action is '
                'required by the upgrade process'),
            reporting.Severity(reporting.Severity.LOW),
            selinux_tags(),
        ]
        create_report(permissive_report)
Beispiel #3
    def process(self):
        """Derive SELinux upgrade decisions from the first SELinuxFacts message.

        Nothing is produced when no facts are available. A 'disabled'
        configuration only yields reports. 'enforcing' and 'permissive' request
        a relabel; 'enforcing' additionally requests a switch to permissive
        mode. Every report here uses severity 'low'.
        """
        selinux_facts = next(self.consume(SELinuxFacts), None)
        if not selinux_facts:
            return

        runtime_enabled = selinux_facts.enabled
        configured_mode = selinux_facts.static_mode

        if configured_mode == 'disabled':
            if runtime_enabled:
                # Config file and running system disagree; report the mismatch.
                report_generic(
                    title='SElinux disabled in configuration file but currently enabled',
                    summary='This message is to inform user about non-standard SElinux configuration.',
                    severity='low',
                )
            report_generic(
                title='SElinux disabled',
                summary='SElinux disabled, continuing...',
                severity='low',
            )
            return

        if configured_mode not in ('enforcing', 'permissive'):
            return

        # Both active modes get a relabel decision.
        self.produce(SelinuxRelabelDecision(set_relabel=True))
        report_generic(
            title='Schedule SElinux relabeling',
            summary='Schedule SElinux relabeling as the status was permissive/enforcing.',
            severity='low',
        )

        if configured_mode != 'enforcing':
            return

        # Enforcing systems are additionally switched to permissive mode.
        self.produce(SelinuxPermissiveDecision(set_permissive=True))
        report_generic(
            title='SElinux will be set to permissive mode',
            summary='SElinux will be set to permissive mode as it was in enforcing mode.',
            severity='low',
        )
Beispiel #4
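def process():
    """Derive SELinux upgrade decisions and reports from the first SELinuxFacts message.

    Returns without producing anything when no facts are available.

    * Config mode 'disabled': when the target major version is '9', a
      KernelCmdlineArg(key='selinux', value='0') is produced and reported.
      A mismatch report follows if SELinux is enabled at runtime, then a
      plain "disabled" report, and processing stops.
    * Config mode 'enforcing' or 'permissive': a relabel is requested.
    * Config mode 'enforcing': a switch to permissive mode is requested and
      the report carries a remediation hint to re-enable SELinux manually
      after the upgrade.
    """
    facts = next(api.consume(SELinuxFacts), None)
    if not facts:
        return

    enabled = facts.enabled
    conf_status = facts.static_mode

    if conf_status == 'disabled':
        if get_target_major_version() == '9':
            api.produce(KernelCmdlineArg(key='selinux', value='0'))
            reporting.create_report([
                reporting.Title('LEAPP detected SELinux disabled in "/etc/selinux/config"'),
                # The summary names the argument exactly as it is produced above
                # (lowercase "selinux=0"); the earlier text said "SELINUX=0".
                reporting.Summary(
                    'On RHEL 9, disabling SELinux in "/etc/selinux/config" is no longer possible. '
                    'This way, the system starts with SELinux enabled but with no policy loaded. LEAPP '
                    'will automatically disable SELinux using "selinux=0" kernel command line parameter. '
                    'However, Red Hat strongly recommends to have SELinux enabled'
                ),
                reporting.Severity(reporting.Severity.INFO),
                reporting.Tags([reporting.Tags.SELINUX]),
                reporting.RelatedResource('file', '/etc/selinux/config'),
                reporting.ExternalLink(url=DOC_URL, title='Disabling SELinux'),
            ])

        if enabled:
            # Runtime state contradicts the configuration file; surface it so
            # the operator can review "/etc/selinux/config".
            reporting.create_report([
                reporting.Title('SElinux should be disabled based on the configuration file but it is enabled'),
                reporting.Summary(
                    'This message is to inform user about non-standard SElinux configuration. Please check '
                    '"/etc/selinux/config" to see whether the configuration is set as expected.'
                ),
                reporting.Severity(reporting.Severity.LOW),
                reporting.Tags([reporting.Tags.SELINUX, reporting.Tags.SECURITY])
            ])
        # This report is created without an explicit Severity entry.
        reporting.create_report([
            reporting.Title('SElinux disabled'),
            reporting.Summary('SElinux disabled, continuing...'),
            reporting.Tags([reporting.Tags.SELINUX, reporting.Tags.SECURITY])
        ])
        return

    if conf_status in ('enforcing', 'permissive'):
        api.produce(SelinuxRelabelDecision(set_relabel=True))
        reporting.create_report([
            reporting.Title('SElinux relabeling will be scheduled'),
            reporting.Summary('SElinux relabeling will be scheduled as the status is permissive/enforcing.'),
            reporting.Severity(reporting.Severity.INFO),
            reporting.Tags([reporting.Tags.SELINUX, reporting.Tags.SECURITY])
        ])

    if conf_status == 'enforcing':
        # Enforcement is lowered for the upgrade; the remediation hint below is
        # the only place the operator is told to turn it back on afterwards.
        api.produce(SelinuxPermissiveDecision(
            set_permissive=True))
        reporting.create_report([
            reporting.Title('SElinux will be set to permissive mode'),
            reporting.Summary(
                'SElinux will be set to permissive mode. Current mode: enforcing. This action is '
                'required by the upgrade process to make sure the upgraded system can boot without '
                'being blocked by SElinux rules.'
            ),
            reporting.Severity(reporting.Severity.LOW),
            reporting.Remediation(hint=(
                'Make sure there are no SElinux related warnings after the upgrade and enable SElinux '
                'manually afterwards. Notice: You can ignore the "/root/tmp_leapp_py3" SElinux warnings.'
                )
            ),
            reporting.Tags([reporting.Tags.SELINUX, reporting.Tags.SECURITY])
        ])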
def test_set_selinux_permissive(current_actor_context):
    """Feed a permissive decision to the actor and check the resulting config.

    NOTE(review): check_permissive_in_conf() is defined elsewhere; it
    presumably inspects the SELinux configuration the actor wrote - confirm
    whether this test touches the real host configuration.
    """
    decision = SelinuxPermissiveDecision(set_permissive=True)
    current_actor_context.feed(decision)
    current_actor_context.run()
    assert check_permissive_in_conf()