Skip to content

CentOS SELinux fixes (ptpvsock, ptp4l) and hardening profile fix #836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
matosatti wants to merge 3 commits into
base: main
Choose a base branch
from
Open

CentOS SELinux fixes (ptpvsock, ptp4l) and hardening profile fix #836

matosatti wants to merge 3 commits into from

Conversation

@matosatti
Copy link
Contributor

@matosatti matosatti commented Dec 3, 2025

Allow ptpvsock and ptp4l to execute (by adding SELinux rules), and
fix the debian hardening profile addition of sshd wait for DNS.

@matosatti
Fix ssh service dependency on network.online in CentOS
5a1bec9 
The systemd sshd file path is different for CentOS.

Also, sshd systemd unit, on CentOS, does not depend on auditd.service.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
@matosatti
Add SELinux rules for ptp_status_vsock
80719da 
Otherwise SELinux denies execution at /var/lib/ptp.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
@matosatti
Add SELinux rules for ptp4l
08fcce3 
Add SELinux rules allowing ptp4l to use sendto system call.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
dupremathieu
dupremathieu reviewed Dec 3, 2025
View reviewed changes
roles/debian_hardening/tasks/main.yml
set_fact:
ssh_service_path: "/lib/systemd/system/ssh.service"
ssh_service_newline: "After=network.target auditd.service network-online.target"
when: seapath_distro != "CentOS"
Copy link
Member

@dupremathieu dupremathieu Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The debian_hardening role is supposed to be a Debian-only role.

You should create a centos_hardening role for CentOS.

If you think more than 80% of the code is common, maybe we can change this role to be a generic hardening role for all distros.

Copy link
Contributor Author

@matosatti matosatti Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dupremathieu i believe more than 80% of the code is common.

Can't we proceed to modify the Debian hardening profile into something that applies to CentOS as well (which will probably work for OracleLinux as well, but needs testing), and then rename it ? (debian_hardening -> hardening).

The steps are mostly generic.

Copy link
Member

@dupremathieu dupremathieu Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we can definitely do that.
Do you know if your commits are the only adjustment we need to have the hardening roles working on both Debian and CentOS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dupremathieu dupremathieu dupremathieu left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matosatti @dupremathieu