RHEL-08-020027 failed #87

Closed
PrymalInstynct opened this issue Feb 23, 2022 · 3 comments · Fixed by #98
Labels
bug Something isn't working

Comments

@PrymalInstynct

Describe the Issue
RHEL-08-020027 failed with no changes to defaults/main.yml

FAILED! => {"changed": true, "cmd": "semanage fcontext -m -t faillog_t -s system_u /var/log/faillock", "delta": "0:00:02.776896", "end": "2022-02-23 09:42:41.815114", "msg": "non-zero return code", "rc": 1, "start": "2022-02-23 09:42:39.038218", "stderr": "ValueError: File context for /var/log/faillock is not defined", "stderr_lines": ["ValueError: File context for /var/log/faillock is not defined"], "stdout": "", "stdout_lines": []}

Expected Behavior
I expect the task to pass without errors

Actual Behavior
tasks fail

Control(s) Affected
RHEL-08-020027

Environment (please complete the following information):

  • Ansible Version: 2.12.2
  • Host Python Version: Python 3.6.8
  • Ansible Server Python Version: Python 3.8.10
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
The tasks for this STIG seem a bit complicated. I have tested the following and it worked.
The directory gets created with the correct context, and then the fcontext gets added so the change is permanent when running restorecon.

      - name: Part 1
        file:
            path: "{{ rhel8stig_pam_faillock.dir }}"
            owner: root
            group: root
            mode: '0700'
            state: directory
            recurse: yes
            setype: faillog_t

      - name: Part 2
        sefcontext:
            target: "{{ rhel8stig_pam_faillock.dir }}"
            ftype: d
            setype: faillog_t
            state: present
@PrymalInstynct PrymalInstynct added the bug Something isn't working label Feb 23, 2022
georgenalen added a commit that referenced this issue Mar 4, 2022
@georgenalen georgenalen linked a pull request Mar 10, 2022 that will close this issue
georgenalen added a commit that referenced this issue Mar 11, 2022
updated 020027 prelim file task for issue #87
@uk-bolly uk-bolly mentioned this issue Apr 19, 2022
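
The stderr in the report above shows `semanage fcontext -m` refusing to modify a rule that is not defined for the target. As an added example (not code from the issue or from the role), the shell functions below choose between `-a` (add) and `-m` (modify) from the `semanage fcontext -l` listing; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the role's code. Function names are hypothetical.

# Constructed sample of `semanage fcontext -l` output (not captured from a host).
SAMPLE_LISTING='SELinux fcontext                         type               Context

/var/log(/.*)?                           all files          system_u:object_r:var_log_t:s0
/var/log/lastlog                         regular file       system_u:object_r:lastlog_t:s0
/var/run/faillock(/.*)?                  all files          system_u:object_r:faillog_t:s0'

# fcontext_action TARGET
# Reads a `semanage fcontext -l` listing on stdin. Prints "-m" when a rule
# exists whose pattern is exactly TARGET with file type "all files" (what
# semanage uses when no -f is given), otherwise prints "-a".
fcontext_action() {
    target=$1
    if awk -v t="$target" \
        '$1 == t && $2 == "all" && $3 == "files" { found = 1 }
         END { exit !found }'; then
        printf '%s\n' '-m'
    else
        printf '%s\n' '-a'
    fi
}

# ensure_faillock_fcontext DIR
# For a real host (needs root, semanage and restorecon): add the rule if it
# is missing, modify it if present, then relabel the directory.
ensure_faillock_fcontext() {
    dir=$1
    listing=$(semanage fcontext -l) || return 1
    action=$(printf '%s\n' "$listing" | fcontext_action "$dir")
    semanage fcontext "$action" -t faillog_t -s system_u "$dir" &&
        restorecon -R "$dir"
}
```

On a host, `ensure_faillock_fcontext /var/log/faillock` would take the `-a` path when no rule for that exact path exists, which is the case the reported `-m` command could not handle.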
@bbaassssiiee
Member

I noticed this happened on a RHEL8.5 kickstarted with the STIG hardening and applying this role from devel.
Workaround still works https://issuehint.com/issue/ansible-lockdown/RHEL8-STIG/87

@Rwarcards762

FWIW, on RHEL 8.6 but using Ansible 2.9, this fails unless recurse: true is changed to recurse: yes. Not sure if this is intended behavior or not.

@bbaassssiiee
Member

Using yes for Boolean values is a regression.
YAML 1.2 mandates true/false.
