From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Tue, 26 May 2020 17:49:21 +0200
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
Affected rules:
- selinux_policytype
- selinux_state
---
 .../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
 .../selinux/selinux_policytype/bash/shared.sh | 5 +++--
 .../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
 .../selinux/selinux_state/ansible/shared.yml | 9 ++-------
 .../system/selinux/selinux_state/bash/shared.sh | 5 +++--
 .../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
 .../tests/selinux_permissive.fail.sh | 10 ++++++++++
 shared/macros-ansible.jinja | 11 +++++++++++
 shared/macros-bash.jinja | 15 +++++++++++++++
 9 files changed, 61 insertions(+), 18 deletions(-)
 create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
 create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
 create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 5c70cc9f7f..9f8cf66dfb 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -3,11 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
 - (xccdf-var var_selinux_policy_name)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUXTYPE='
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index d0fbbf4446..2b5ce31b12 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,7 +1,8 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-#
+
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
+
 populate var_selinux_policy_name
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
new file mode 100644
index 0000000000..1a6eb94953
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+else
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+fi
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
index b465ac6729..1c1560a86c 100644
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
@@ -3,11 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
 - (xccdf-var var_selinux_state)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUX='
- line: "SELINUX={{ var_selinux_state }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
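Review bot: The sed replacement `\minimum` drops the captured `SELINUXTYPE=` prefix instead of keeping it: GNU sed defines no `\m` escape, so the backslash is discarded and the whole matched line is rewritten to the bare word `minimum`, which turns this into a "key missing" scenario rather than a "wrong policy type" one. The back-reference should be `\1minimum`, i.e. `sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\1minimum/' $SELINUX_FILE`. The same `\permissive` form appears in linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh, where it should be `\1permissive`; patch 2 deletes this minimum scenario, but the permissive one stays.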
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index 58193b5504..a402a861d7 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,10 +1,11 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-#
+
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
+
 populate var_selinux_state
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
 fixfiles onboot
 fixfiles -f relabel
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
new file mode 100644
index 0000000000..180dd80791
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
new file mode 100644
index 0000000000..3db1e56b5f
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
+else
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
+fi
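Review bot: The platform line kept as context still reads `multi_platorm_ol`, which presumably matches no product and so silently leaves Oracle Linux without this bash remediation while the selinux_policytype counterpart spells it `multi_platform_ol`. Since the hunk touches the header anyway, fixing the token to `multi_platform_ol` here avoids carrying the typo into patch 2's hunk for the same file, where it appears again.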
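Review bot: `sed -i '/^[[:space:]]*SELINUX/d'` also deletes the `SELINUXTYPE=` line, so the scenario removes more than the state key it is named for, and because the selinux_state remediation in this patch writes only `SELINUX=`, the policy type line is not put back afterwards. Anchoring the key with its separator, `sed -i '/^[[:space:]]*SELINUX[[:space:]]*=/d' $SELINUX_FILE`, limits the deletion to the `SELINUX` key.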
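Review bot: The guard `grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE` also matches `SELINUXTYPE=` lines, so on a config that has a policy type but no `SELINUX=` key the script takes the sed branch, changes nothing, and never appends `SELINUX=permissive`; the scenario then fails for a different reason than the one it is meant to exercise. Tightening it to `grep -s '^[[:space:]]*SELINUX[[:space:]]*=' $SELINUX_FILE` makes the branch choice agree with the sed expression on the next line.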
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 6798a25d1f..01d3155b37 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
 {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
 {{%- endmacro %}}
+{{#
+ High level macro to set a parameter in /etc/selinux/config.
+ Parameters:
+ - msg: the name for the Ansible task
+ - parameter: parameter to be set in the configuration file
+ - value: value of the parameter
+#}}
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
+
 {{#
 Generates an Ansible task that puts 'contents' into a file at 'filepath'
 Parameters:
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 3a94fe5dd8..2531d1c52d 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -86,6 +86,21 @@ populate {{{ name }}}
 }}}
 {{%- endmacro -%}}
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
+{{{ set_config_file(
+ path="/etc/selinux/config",
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="",
+ insensitive=true,
+ separator="=",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
 {{#
 # Install a package
 # Uses the right command based on pkg_manger proprerty defined in product.yaml.
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
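Review bot: bash_selinux_config_set is added without a `{{# … #}}` comment, while its Ansible counterpart in the same patch documents its purpose and parameters; the two macro files should read the same way. A comment above the `{{%- macro` line along the lines of `{{# High level macro to set parameter=value in /etc/selinux/config, creating the file if it is missing. Parameters: parameter, value #}}` states what the visible arguments (`path`, `create=true`) already commit to. It is also worth saying in that comment why `insensitive=true` is passed, since nothing else in the hunk explains the case-insensitive match.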
From: Gabriel Becker
Date: Wed, 27 May 2020 18:48:57 +0200
Subject: [PATCH 2/2] Remediation requires reboot. Update OVAL check to disallow spaces. Removed selinuxtype_minimum test scenario since breaks the system.
---
 .../selinux/selinux_policytype/ansible/shared.yml | 2 +-
 .../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
 .../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
 .../tests/selinuxtype_minimum.fail.sh | 10 ----------
 .../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
 .../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
 shared/macros-ansible.jinja | 2 +-
 shared/macros-bash.jinja | 4 ++--
 8 files changed, 14 insertions(+), 16 deletions(-)
 delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 9f8cf66dfb..73e6ec7cd4 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -1,5 +1,5 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
+# reboot = true
 # strategy = restrict
 # complexity = low
 # disruption = low
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index 2b5ce31b12..b4f79c97f9 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,4 +1,8 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
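Review bot: `# reboot = true` is set here and in both bash remediations of this patch, but linux_os/guide/system/selinux/selinux_state/ansible/shared.yml is absent from the diffstat, so its header presumably still carries the old reboot value (its line 2 sits outside patch 1's hunk, so I cannot confirm it from this page). Changing `SELINUX=` in /etc/selinux/config only takes effect at the next boot just like the policy type, so that file needs the same `# reboot = true` update for the two rules to report the same disruption.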
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
index f1840a1290..3d69fff07f 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
@@ -27,7 +27,7 @@
 /etc/selinux/config
- ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)
+ ^SELINUXTYPE=(.*)$
 1
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
deleted file mode 100644
index 1a6eb94953..0000000000
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-
-SELINUX_FILE='/etc/selinux/config'
-
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-else
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-fi
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index a402a861d7..645a7acab4 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,4 +1,8 @@
 # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
index c0881696e1..8c328060af 100644
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
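Review bot: The new pattern `^SELINUXTYPE=(.*)$` no longer tolerates leading whitespace or spaces around `=`, but nothing in the hunk records why, and the removed regex shows that someone previously thought the lenient form was right, so the strictness is likely to be "fixed" back. As far as I know libselinux only recognises the tag at the start of the line, so a padded line is not honoured at boot and must not pass; a sentence in the definition's description such as `leading whitespace and spaces around '=' are deliberately rejected: such lines are not reliably applied at boot, so they must fail the check` would pin that down. Note also that `(.*)` now captures any trailing whitespace or inline comment, so `SELINUXTYPE=targeted # note` compares unequal to the variable, which is fail-closed and fine if intended but worth stating next to it. The same applies to the selinux_state OVAL hunk's `^SELINUX=(.*)$`; the element tags around both patterns were lost in this rendering.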
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
@@ -18,7 +18,7 @@
 /etc/selinux/config
- ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$
+ ^SELINUX=(.*)$
 1
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 01d3155b37..580a0b948e 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
 - value: value of the parameter
 #}}
 {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
 {{%- endmacro %}}
 {{#
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 2531d1c52d..8abcc914d3 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -96,8 +96,8 @@ populate {{{ name }}}
 insert_before="",
 insensitive=true,
 separator="=",
- separator_regex="\s*=\s*",
- prefix_regex="^\s*")
+ separator_regex="=",
+ prefix_regex="^")
 }}}
 {{%- endmacro -%}}
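Review bot: The call now passes `prefix_regex='^'` to ansible_set_config_file, but the only other call to that macro visible on this page (the coredump one in patch 1's context) does not use such an argument, so I cannot confirm from here that ansible_set_config_file accepts `prefix_regex`; if it does not, Jinja would fail at build time for every product that includes these two rules, which is worth checking before merge. As a point of style, the new argument is single-quoted while every other argument on the line is double-quoted — `prefix_regex="^"` matches the rest of the call and the bash macro's `prefix_regex="^"` in the next hunk.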