From 165b21d69675f15abbdbb124ce55239dda5282ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 20 Jan 2025 16:45:47 +0100 Subject: [PATCH] cluster: check both SELinux status and config --- pkg/cluster/manager/check.go | 2 +- pkg/cluster/operation/check.go | 39 ++++++++++++++++++++++++++++------ pkg/cluster/task/check.go | 3 ++- 3 files changed, 35 insertions(+), 9 deletions(-) diff --git a/pkg/cluster/manager/check.go b/pkg/cluster/manager/check.go index 72a4d5997e..453a19ca2f 100644 --- a/pkg/cluster/manager/check.go +++ b/pkg/cluster/manager/check.go @@ -671,7 +671,7 @@ func fixFailedChecks(host string, res *operator.CheckResult, t *task.Builder, sy } t.Limit(host, fields[0], fields[1], fields[2], fields[3], sudo) msg = fmt.Sprintf("will try to set '%s'", color.HiBlueString(res.Msg)) - case operator.CheckNameSELinux: + case operator.CheckNameSELinuxConf, operator.CheckNameSELinuxStatus: t.Shell(host, fmt.Sprintf( "sed -i 's/^[[:blank:]]*SELINUX=enforcing/SELINUX=disabled/g' %s && %s", diff --git a/pkg/cluster/operation/check.go b/pkg/cluster/operation/check.go index f4ca75b764..0c70a72725 100644 --- a/pkg/cluster/operation/check.go +++ b/pkg/cluster/operation/check.go @@ -59,7 +59,8 @@ var ( CheckNameNet = "network" CheckNameLimits = "limits" CheckNameSysService = "service" - CheckNameSELinux = "selinux" + CheckNameSELinuxConf = "selinux_conf" + CheckNameSELinuxStatus = "selinux_status" CheckNameCommand = "command" CheckNameFio = "fio" CheckNameTHP = "thp" 
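Review bot: The sed in this fix now also runs for `selinux_status` failures, but it only rewrites `SELINUX=enforcing`; a host the new status check reports as Permissive will usually carry `SELINUX=permissive` in its config, which this pattern leaves untouched, so the queued fix changes nothing persistent for exactly the case the commit adds (the `&& %s` tail of the command is cut off in the hunk, so the runtime command that follows is not visible here). Widening the pattern covers both: `"sed -E -i 's/^[[:blank:]]*SELINUX=(enforcing|permissive)/SELINUX=disabled/g' %s && %s",`. Because both check names now fall into the same case, a host failing both checks queues the identical command twice; sed is idempotent so this is harmless, but a short comment on the case line saying so would save the next reader from wondering. fixFailedChecks starts before the hunk, and whether it is invoked for Warn-only results (the Permissive case) is not visible here.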
@@ -567,10 +568,10 @@ func CheckServices(ctx context.Context, e ctxt.Executor, host, service string, d return result } -// CheckSELinux checks if SELinux is enabled on the host -func CheckSELinux(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult { +// CheckSELinuxConf checks if SELinux is enabled on the host +func CheckSELinuxConf(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult { result := &CheckResult{ - Name: CheckNameSELinux, + Name: CheckNameSELinuxConf, } m := module.NewShellModule(module.ShellModuleConfig{ // ignore grep errors, the file may not exist for some systems @@ -591,9 +592,33 @@ func CheckSELinux(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult } if lines > 0 { - result.Err = fmt.Errorf("SELinux is not disabled") - } else { - result.Msg = "SELinux is disabled" + result.Err = fmt.Errorf("SELinux is not configured to be disabled") + return result + } + result.Msg = "SELinux is disabled in configuration" + return result +} + +// CheckSELinuxStatus checks if SELinux is enabled on the host +func CheckSELinuxStatus(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult { + result := &CheckResult{ + Name: CheckNameSELinuxStatus, + } + m := module.NewShellModule(module.ShellModuleConfig{ + Command: "getenforce", + Sudo: sudo, + }) + stdout, stderr, err := m.Execute(ctx, e) + if err != nil { + result.Err = fmt.Errorf("%w %s", err, stderr) + return result + } + out := strings.Trim(string(stdout), "\n") + if out == "Enforcing" { + result.Err = fmt.Errorf("SELinux is in Enforcing mode, Update the configuration and reboot") + } else if out == "Permissive" { + result.Err = fmt.Errorf("SELinux is in Permissive mode, disabling is recommended") + result.Warn = true } return result } diff --git a/pkg/cluster/task/check.go b/pkg/cluster/task/check.go index e08c18ce26..b370c6e833 100644 --- a/pkg/cluster/task/check.go +++ b/pkg/cluster/task/check.go 
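Review bot: CheckSELinuxStatus turns a missing `getenforce` binary into a hard failure (`m.Execute` returns an error, so `result.Err` is set), unlike CheckSELinuxConf in the hunk above, which deliberately tolerates an absent config file ("ignore grep errors, the file may not exist for some systems"); hosts without the SELinux userspace, such as Debian/Ubuntu images without selinux-utils, will now fail a check they passed before this commit. The success path also sets no `Msg`, so a Disabled host yields an empty result line, and any output other than the two compared strings passes silently. I would make the command fall back when the tool is absent, trim with `strings.TrimSpace` (covers `\r` and trailing blanks), and make the comparison exhaustive, as below; the doc comment on both new functions still reads "checks if SELinux is enabled on the host" and should say which source each consults, e.g. `// CheckSELinuxStatus reports the running SELinux mode as printed by getenforce.` and `// CheckSELinuxConf checks whether the SELinux config file sets SELinux to disabled.`
```go
	m := module.NewShellModule(module.ShellModuleConfig{
		// getenforce is absent on hosts without SELinux userspace; treat that as not enforcing
		Command: "if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi",
		Sudo:    sudo,
	})
	// … unchanged: Execute call and error return …
	switch out := strings.TrimSpace(string(stdout)); out {
	case "Enforcing":
		result.Err = fmt.Errorf("SELinux is in Enforcing mode, update the configuration and reboot")
	case "Permissive":
		result.Err = fmt.Errorf("SELinux is in Permissive mode, disabling is recommended")
		result.Warn = true
	case "Disabled":
		result.Msg = "SELinux is disabled"
	default:
		result.Err = fmt.Errorf("unexpected getenforce output %q", out)
	}
	return result
```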
@@ -85,7 +85,8 @@ func (c *CheckSys) Execute(ctx context.Context) error {
 }
 results = append(
 results,
- operator.CheckSELinux(ctx, e, sudo),
+ operator.CheckSELinuxConf(ctx, e, sudo),
+ operator.CheckSELinuxStatus(ctx, e, sudo),
 operator.CheckTHP(ctx, e, sudo),
 )
 storeResults(ctx, c.host, results)