From 5a1bec9643e0e014f6a4657ab5197a73acc69d5d Mon Sep 17 00:00:00 2001
From: Marcelo Tosatti
Date: Tue, 2 Dec 2025 12:10:34 -0300
Subject: [PATCH 1/3] Fix ssh service dependency on network.online in CentOS
The systemd sshd file path is different for CentOS. Also, sshd systemd unit, on CentOS, does not depend on auditd.service.
Signed-off-by: Marcelo Tosatti
---
 playbooks/seapath_setup_hardened_debian.yaml | 1 +
 roles/debian_hardening/tasks/main.yml | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/playbooks/seapath_setup_hardened_debian.yaml b/playbooks/seapath_setup_hardened_debian.yaml
index 8c45b233c..67277ae80 100644
--- a/playbooks/seapath_setup_hardened_debian.yaml
+++ b/playbooks/seapath_setup_hardened_debian.yaml
@@ -11,6 +11,7 @@
 vars:
 revert: false
 roles:
+ - detect_seapath_distro
 - debian_hardening
 - name: Add hardened for SEAPATH physical machines
 become: true
diff --git a/roles/debian_hardening/tasks/main.yml b/roles/debian_hardening/tasks/main.yml
index 04f650bb7..980a44585 100644
--- a/roles/debian_hardening/tasks/main.yml
+++ b/roles/debian_hardening/tasks/main.yml
@@ -167,11 +167,23 @@
 state: absent
 when: revert
+- name: Set default SSH service file path
+ set_fact:
+ ssh_service_path: "/lib/systemd/system/ssh.service"
+ ssh_service_newline: "After=network.target auditd.service network-online.target"
+ when: seapath_distro != "CentOS"
+
+- name: Set SSH service file path for CentOS
+ set_fact:
+ ssh_service_path: "/lib/systemd/system/sshd.service"
+ ssh_service_newline: "After=network.target network-online.target"
+ when: seapath_distro == "CentOS"
+
 - name: Wait for DHCP for SSH
 lineinfile:
- dest: /lib/systemd/system/ssh.service
+ dest: "{{ ssh_service_path }}"
 regexp: "^After="
- line: "After=network.target auditd.service network-online.target"
+ line: "{{ ssh_service_newline }}"
 state: present
 when: not revert
From 80719da6684e7aa934ecf327f20a4a8cafec3dd6 Mon Sep 17 00:00:00 2001
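Review bot: Both `ssh_service_newline` values add `After=network-online.target` without a matching `Wants=network-online.target`, and `After=` alone only orders the unit — unless something else activates network-online.target, sshd still starts as soon as network.target is reached, so the "wait for DHCP" intent is not achieved. Overwriting the vendor unit's whole `^After=` line via lineinfile also drops whatever else the distro lists there (the RHEL-family sshd.service orders after sshd-keygen.target, so sshd could race host-key generation on first boot — confirm against the installed unit) and is undone by the next openssh package upgrade, whereas a drop-in under /etc/systemd/system/<unit>.d/ is additive and survives upgrades. The `when:` tests should also tolerate a missing fact, `seapath_distro | default('') == "CentOS"`, so the role does not abort with an undefined-variable error when run from a playbook that lacks detect_seapath_distro. The task list continues outside the hunk, so a daemon-reload handler may already exist; if it does, notify it instead of the explicit reload below.
```yaml
- name: Set SSH service unit name
  set_fact:
    ssh_service_name: "{{ 'sshd' if seapath_distro | default('') == 'CentOS' else 'ssh' }}"

- name: Create drop-in directory for the SSH unit
  file:
    path: "/etc/systemd/system/{{ ssh_service_name }}.service.d"
    state: directory
    mode: '0755'
  when: not revert

# Additive override: the vendor unit keeps its own After= (Debian's stock
# ssh.service already lists network.target and auditd.service — confirm on
# the target image); only the network-online ordering/activation is added.
- name: Wait for DHCP for SSH (drop-in; vendor unit left untouched)
  copy:
    dest: "/etc/systemd/system/{{ ssh_service_name }}.service.d/seapath-network-online.conf"
    content: |
      [Unit]
      After=network-online.target
      Wants=network-online.target
    mode: '0644'
  when: not revert

- name: Reload systemd so the drop-in takes effect
  systemd:
    daemon_reload: true
  when: not revert
# … unchanged: revert path (remove the drop-in with state: absent when revert) …
```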
From: Marcelo Tosatti
Date: Wed, 3 Dec 2025 08:29:47 -0300
Subject: [PATCH 2/3] Add SELinux rules for ptp_status_vsock
Otherwise SELinux denies execution at /var/lib/ptp.
Signed-off-by: Marcelo Tosatti
---
 roles/ptp_status_vsock/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/ptp_status_vsock/tasks/main.yml b/roles/ptp_status_vsock/tasks/main.yml
index 084ab391c..6a7e9d629 100644
--- a/roles/ptp_status_vsock/tasks/main.yml
+++ b/roles/ptp_status_vsock/tasks/main.yml
@@ -47,3 +47,11 @@
 name: ptp_vsock.service
 enabled: yes
 state: started
+ - name: Allow execution at /var/lib/ptp/ (semanage)
+ command:
+ cmd: semanage fcontext -a -t bin_t "/var/lib/ptp(/.*)?"
+ when: seapath_distro == "CentOS"
+ - name: Allow execution at /var/lib/ptp/ (restorecon)
+ command:
+ cmd: restorecon -r -v /var/lib/ptp/
+ when: seapath_distro == "CentOS"
From 08fcce3ed7232c537a3453ccc7149a369a102a2c Mon Sep 17 00:00:00 2001
From: Marcelo Tosatti
Date: Wed, 3 Dec 2025 09:23:09 -0300
Subject: [PATCH 3/3] Add SELinux rules for ptp4l
Add SELinux rules allowing ptp4l to use sendto system call.
Signed-off-by: Marcelo Tosatti
---
 roles/timemaster/files/ptp4l_local.pp | Bin 0 -> 983 bytes
 roles/timemaster/tasks/main.yml | 10 ++++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 roles/timemaster/files/ptp4l_local.pp
diff --git a/roles/timemaster/files/ptp4l_local.pp b/roles/timemaster/files/ptp4l_local.pp
new file mode 100644
index 0000000000000000000000000000000000000000..a89b2529a761ebcde88792e927987f29991b0616
GIT binary patch
literal 983
zcmb_a%Sr=55L_dukb??(&liY-AJ7+Xdh!E?I6KPfW+v>;N)G;l_`ROAE1AMJQ3z;3 zO?6lIJeKXZkC*qIs;a;v<*Vk0s<&5@>n0A1$xW(HITRRTvvBo8H=VgY`KOTg)I_llvCfI@xR_hg-DB|Cb)p_23{-7Q z+j{sQaK9+;(Dd8h)d%Jiwb{Za2zm>K=u^CJVyImoy646Rms$Hw*Uv*AJ;YMT`|w;q zmh0Do9AqCAo(0cl-PXh;h(Y#I;Sr(%$Qph=Aj@^NY!hQY`aqsVg+~Yj)&Gjkk$(#D iUQG7J6r*5?`Q_Y>Obs#Su*{m>g1P%?wrr2KY~T|KO-APc
literal 0
HcmV?d00001
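Review bot: The relabel is appended after the `state: started` task for ptp_vsock.service, so on a fresh CentOS host the service is started while /var/lib/ptp still carries its default label — the very denial the commit fixes — and only a second run benefits; the semanage and restorecon tasks should precede the service task. `semanage fcontext -a` is also not idempotent: on a re-run it exits non-zero with an "already defined" error and aborts the play, and `restorecon` always reports changed, so both need `register`/`failed_when`/`changed_when` (or `community.general.sefcontext`, if that collection is available to these playbooks). Labelling all of /var/lib/ptp as `bin_t` makes every file the service writes there executable-labelled as well; if only one helper needs it, a pattern naming that file, or installing it under /usr/local/bin (already bin_t), is tighter. The enclosing task block starts outside the hunk.
```yaml
  # … unchanged: earlier tasks of the block …
  - name: Label /var/lib/ptp as executable for SELinux (CentOS)
    command:
      cmd: semanage fcontext -a -t bin_t "/var/lib/ptp(/.*)?"
    register: ptp_fcontext
    changed_when: ptp_fcontext.rc == 0
    failed_when: ptp_fcontext.rc != 0 and 'already defined' not in ptp_fcontext.stderr
    when: seapath_distro | default('') == "CentOS"

  - name: Apply the SELinux label to /var/lib/ptp
    command:
      cmd: restorecon -r -v /var/lib/ptp/
    register: ptp_restorecon
    changed_when: ptp_restorecon.stdout | length > 0
    when: seapath_distro | default('') == "CentOS"

  # … unchanged: enable/start ptp_vsock.service — now after the relabel …
```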
diff --git a/roles/timemaster/tasks/main.yml b/roles/timemaster/tasks/main.yml
index 49fb446c8..883fd761d 100644
--- a/roles/timemaster/tasks/main.yml
+++ b/roles/timemaster/tasks/main.yml
@@ -45,3 +45,13 @@
 name: "{{ timemaster_service_name_chrony }}"
 state: stopped
 enabled: false
+- name: Copy SELinux rule for ptp4l
+ copy:
+ src: ptp4l_local.pp
+ dest: "/tmp/ptp4l_local.pp"
+ mode: '0755'
+ when: seapath_distro == "CentOS"
+- name: Install SELinux rule for ptp4l
+ command:
+ cmd: semodule -i /tmp/ptp4l_local.pp
+ when: seapath_distro == "CentOS"
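Review bot: `ptp4l_local.pp` is committed as an opaque compiled policy module, so the patch does not show what the rule allows — the message says a `sendto` permission for ptp4l, but neither the source/target types nor the class can be reviewed from the binary; commit the `.te` source as well (building it with `checkmodule`/`semodule_package` in the role, or keeping the .pp alongside it) so the allow rules are diffable. The module is staged in world-writable /tmp with `mode: '0755'` before root loads it with `semodule -i`: a policy file needs no execute bit (`mode: '0644'` or stricter), and staging it in a root-only location and removing it after the load avoids loading policy out of a directory other users can write to. `semodule -i` also reports changed on every run; checking `semodule -l` first (assuming the module is named ptp4l_local inside the .pp) keeps the play idempotent. The enclosing task list starts outside the hunk.
```yaml
- name: Copy SELinux policy module for ptp4l
  copy:
    src: ptp4l_local.pp
    dest: "/root/ptp4l_local.pp"
    owner: root
    group: root
    mode: '0600'
  when: seapath_distro == "CentOS"

- name: List loaded SELinux modules
  command:
    cmd: semodule -l
  register: semodule_list
  changed_when: false
  when: seapath_distro == "CentOS"

- name: Install SELinux policy module for ptp4l
  command:
    cmd: semodule -i /root/ptp4l_local.pp
  when: seapath_distro == "CentOS" and 'ptp4l_local' not in semodule_list.stdout

- name: Remove the staged policy module
  file:
    path: /root/ptp4l_local.pp
    state: absent
  when: seapath_distro == "CentOS"
```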