---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Check if AppArmor is disabled at boot time
  shell: "dmesg | grep -i apparmor || true"
  register: dmesg_apparmor_output
  changed_when: False
  check_mode: no
  when:
    - ansible_os_family == "Debian"
  tags:
    - high
    - V-71989

- name: Ensure AppArmor is running
  service:
    name: apparmor
    state: started
    enabled: yes
  when:
    - ansible_os_family == "Debian"
    - security_rhel7_enable_linux_security_module | bool
    - not check_mode
    - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
  tags:
    - high
    - V-71989

# NOTE(mhayden): The "changed_when" is required here because this task will
# always show as changed when SELinux is completely disabled. It's not possible
# to switch to permissive/enforcing in an online way when SELinux is completely
# disabled at boot time.
- name: Ensure SELinux is in enforcing mode on the next reboot
  selinux:
    state: enforcing
    policy: targeted
  register: selinux_status_change
  changed_when: selinux_status_change | changed and ansible_selinux.status != 'disabled'
  when:
    - ansible_os_family == "RedHat"
    - security_rhel7_enable_linux_security_module | bool
  tags:
    - high
    - V-71989
    - V-71991

- name: Relabel files on next boot if SELinux mode changed
  file:
    path: /.autorelabel
    state: touch
  when:
    - ansible_os_family == "RedHat"
    - security_rhel7_enable_linux_security_module | bool
    - selinux_status_change | changed
  tags:
    - high
    - V-71989
    - V-71991

# NOTE(mhayden): Ansible's find module doesn't support searching for files
# based on SELinux contexts yet.
- name: Check for unlabeled device files
  command: "find /dev -context '*unlabeled_t*'"
  register: unlabeled_devices
  changed_when: False
  check_mode: no
  when:
    - ansible_os_family == 'RedHat'
    - ansible_selinux.status is defined
    - ansible_selinux.status != 'disabled'
  tags:
    - lsm
    - medium
    - V-72039

- name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification.
  debug:
    msg: |
      Devices were found without SELinux labels:
      {% for device in unlabeled_devices.stdout_lines %}
      {{ device }}
      {% endfor %}
  when:
    - ansible_os_family == 'RedHat'
    - unlabeled_devices.stdout is defined
    - unlabeled_devices.stdout | length > 0
  tags:
    - lsm
    - medium
    - V-72039