CentOS SELinux fixes (ptpvsock, ptp4l) and hardening profile fix#836
matosatti wants to merge 3 commits into seapath:main from
Conversation
The systemd sshd file path is different for CentOS. Also, the sshd systemd unit, on CentOS, does not depend on auditd.service. Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Otherwise SELinux denies execution at /var/lib/ptp. Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Add SELinux rules allowing ptp4l to use sendto system call. Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
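The two SELinux commits above fix AVC denials (execute under /var/lib/ptp, sendto for ptp4l). As an added example, not code from this PR or the SEAPATH project, here is a small Python triage script that groups AVC records from audit.log into the (source type, target type, class) tuples an allow rule is written against, so the proposed rules can be reviewed before a policy module is built; the sample log and the type names init_t, var_lib_t and ptp4l_t are constructed assumptions, not captured from a real host.

```python
import re
from collections import defaultdict

# Captures the permission set and the three contexts of one AVC denial record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample audit log, not captured from a SEAPATH host. The SELinux type names
# are assumed for illustration and must be checked against the policy on the target system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { execute } for  pid=1234 comm="ptpvsock" path="/var/lib/ptp/ptpvsock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { sendto } for  pid=1235 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { sendto } for  pid=1235 comm="ptp4l" scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=unix_dgram_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=44 success=no exit=-13 comm="ptp4l"
"""


def _type_of(context):
    """user:role:type:level -> type, the component allow rules are written against."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Group AVC denials by (source type, target type, class) -> {"perms": set, "count": int}."""
    denials = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL/CWD/PATH records and unrelated lines carry no AVC decision
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        denials[key]["count"] += 1
    return dict(denials)


def to_allow_rules(denials):
    """Render each group as the allow rule audit2allow would propose, deterministically sorted.

    Review each rule before loading it: a denial shows what the process attempted, not that
    the access is legitimate; execute on var_lib_t is usually better solved by labelling the
    binary with an exec type than by letting the domain execute everything under /var/lib.
    """
    rules = []
    for (src, tgt, cls), entry in sorted(denials.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(entry['perms']))} }};")
    return rules
```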
| set_fact: | ||
| ssh_service_path: "/lib/systemd/system/ssh.service" | ||
| ssh_service_newline: "After=network.target auditd.service network-online.target" | ||
| when: seapath_distro != "CentOS" |
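Review bot: with `when: seapath_distro != "CentOS"` on this `set_fact`, `ssh_service_path` and `ssh_service_newline` remain undefined on CentOS unless a sibling `set_fact` for CentOS exists next to it, and any later task that references them would fail with an undefined-variable error. Consider a single `set_fact` that looks both values up from a distro-keyed dictionary (with an explicit `fail` for an unsupported distro), which per the commit message also has to drop `auditd.service` from the `After=` line for CentOS, and which fits the plan discussed below to make the hardening role distro-agnostic.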
The debian_hardening role is supposed to be a Debian-only role.
You should create a centos_hardening role for CentOS.
If you think more than 80% of the code is common, maybe we can change this role to be a generic hardening role for all distros.
@dupremathieu I believe more than 80% of the code is common.
Can't we proceed to modify the Debian hardening profile into something that applies to CentOS as well (which will probably work for OracleLinux as well, but needs testing), and then rename it? (debian_hardening -> hardening).
The steps are mostly generic.
Yes, we can definitely do that.
Do you know if your commits are the only adjustment we need to have the hardening roles working on both Debian and CentOS?
Allow ptpvsock and ptp4l to execute (by adding SELinux rules), and fix the Debian hardening profile addition of sshd wait for DNS.