public-health-ch/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml

---
- name: install selinux dependencies when selinux is installed
  package:
    name: '{{ ssh_selinux_packages }}'
    state: present

- name: authorize {{ ssh_server_ports }} ports for selinux
  seport:
    ports: '{{ item }}'
    proto: tcp
    setype: ssh_port_t
    state: present
  loop: '{{ ssh_server_ports }}'

- name: check if ssh_password module is already installed
  shell: 'set -o pipefail && semodule -l | grep ssh_password'
  args:
    executable: /bin/bash
  register: ssh_password_module
  failed_when: false
  changed_when: false
  check_mode: no

# The following tasks only get executed when selinux is in state enforcing,
# UsePam is 'no' and the ssh_password module is not installed. See this issue for
# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
- when:
    - not (ssh_use_pam | bool)
    - ('ssh_password' not in ssh_password_module.stdout)
  block:
    - name: create selinux custom policy drop folder
      file:
        path: '{{ ssh_custom_selinux_dir }}'
        state: 'directory'
        owner: 'root'
        group: 'root'
        mode: '0750'

    - name: distributing custom selinux policies
      copy:
        src: 'ssh_password'
        dest: '{{ ssh_custom_selinux_dir }}'

    - name: check and compile policy
      command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password

    - name: create selinux policy module package
      command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod

    - name: install selinux policy
      command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp


# The following tasks only get executed when selinux is installed, UsePam is
# 'yes' and the ssh_password module is installed. See
# http://danwalsh.livejournal.com/12333.html for more info
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
  command: semodule -r ssh_password
  when:
    - ssh_use_pam | bool
    - ('ssh_password' in ssh_password_module.stdout)
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`---`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`- name: install selinux dependencies when selinux is installed`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`package:`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`name: '{{ ssh_selinux_packages }}'`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`state: present`

Ansible roles updated 2021-02-18 15:40:18 +00:00			`- name: authorize {{ ssh_server_ports }} ports for selinux`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`seport:`
			`ports: '{{ item }}'`
			`proto: tcp`
			`setype: ssh_port_t`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`state: present`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`loop: '{{ ssh_server_ports }}'`
Updated Ansible roles 2018-12-17 12:50:15 +00:00
			`- name: check if ssh_password module is already installed`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`shell: 'set -o pipefail && semodule -l \| grep ssh_password'`
			`args:`
			`executable: /bin/bash`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`register: ssh_password_module`
			`failed_when: false`
			`changed_when: false`
			`check_mode: no`

Ansible roles updated 2021-02-18 15:40:18 +00:00			`# The following tasks only get executed when selinux is in state enforcing,`
			`# UsePam is 'no' and the ssh_password module is not installed. See this issue for`
			`# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23`
			`- when:`
			`- not (ssh_use_pam \| bool)`
			`- ('ssh_password' not in ssh_password_module.stdout)`
			`block:`
			`- name: create selinux custom policy drop folder`
			`file:`
			`path: '{{ ssh_custom_selinux_dir }}'`
			`state: 'directory'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0750'`

			`- name: distributing custom selinux policies`
			`copy:`
			`src: 'ssh_password'`
			`dest: '{{ ssh_custom_selinux_dir }}'`

			`- name: check and compile policy`
			`command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password`

			`- name: create selinux policy module package`
			`command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod`

			`- name: install selinux policy`
			`command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp`


			`# The following tasks only get executed when selinux is installed, UsePam is`
			`# 'yes' and the ssh_password module is installed. See`
			`# http://danwalsh.livejournal.com/12333.html for more info`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`command: semodule -r ssh_password`
Ansible roles updated 2021-02-18 15:40:18 +00:00			`when:`
			`- ssh_use_pam \| bool`
			`- ('ssh_password' in ssh_password_module.stdout)`