This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

semodule ssh_password error on AWS Centos 7 #64

Closed
mikerj1 opened this issue May 20, 2016 · 4 comments

@mikerj1

mikerj1 commented May 20, 2016

Hello - I'm seeing the error below and I'm not sure if I'm doing something wrong or if this is a bug. The server is the official Centos7 image on AWS. The error is observed when running ansible-playbook with --check.

Running the following on the server (which appears to be part of the problem) shows no output.

semodule -l | grep "ssh_password" | awk '{print $3}'

These are the module names I see with the string ssh:

semodule -l | grep "ssh"

rssh 2.3.0
ssh 2.4.2

Thanks!

Error:
fatal: [server1]: FAILED! => {"failed": true, "msg": "The conditional check 'sestatus.rc == 0 and sestatus.stdout != 'Disabled'' failed. The error was: error while evaluating conditional (sestatus.rc == 0 and sestatus.stdout != 'Disabled'): 'dict object' has no attribute 'rc'

The error appears to have been in '/Users/user1/RRS GDrive/Projects/corp1/repos/corp1-ansible/roles/hardening.ssh-hardening/tasks/main.yml': line 11, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: check the ssh_password policy state
 ^ here
"}

@rndmh3ro
Member

Hi @mikerj1, thanks for bringing this up.
This happens because in check mode the following task does not run:

- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  changed_when: false
  ignore_errors: true

When this task does not run, the variable sestatus does not get registered and the next task fails because sestatus.rc does not exist.
When running this task without check-mode this error should not happen.
See this bug-report for more reference.

I'm going to change the task so this won't happen!

@mikerj1
Author

mikerj1 commented May 20, 2016

Awesome, thanks! Is it as simple as adding always_run: true to the task?

@rndmh3ro
Member

rndmh3ro commented May 20, 2016

Yes, and I also add a failed_when: false to it so that if the task fails, there will be no ugly red error message:

- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  failed_when: false
  always_run: true

- name: check the ssh_password policy state
  shell: semodule -l | grep "ssh_password" | awk '{print $3}'
  register: selinux_policy_state
  when: sestatus.rc == 0 and sestatus.stdout != 'Disabled'
  failed_when: false

EDIT: Or would you like to create a PR?
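
The same two tasks written to be check-mode safe on current Ansible, as an added example that is not the project's code and not part of this thread. It assumes Ansible 2.4 or later, where always_run was removed and check_mode: false is the replacement that forces a task to run even under --check; the extra "is defined" guard on sestatus.rc is an added belt-and-braces check so the conditional can never hit the "'dict object' has no attribute 'rc'" failure quoted in the report, whatever happens to the task above it.

```yaml
# Added example, not code from the ansible-ssh-hardening role.
# Assumes Ansible >= 2.4: `check_mode: false` replaces the removed `always_run: true`.
- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  changed_when: false     # a read-only probe never reports a change
  failed_when: false      # missing getenforce (no SELinux) must not abort the play
  check_mode: false       # run under --check too, so sestatus is always registered

- name: check the ssh_password policy state
  shell: semodule -l | grep "ssh_password" | awk '{print $3}'
  register: selinux_policy_state
  changed_when: false
  failed_when: false      # grep exits 1 when no module matches; that is not an error here
  check_mode: false
  when:
    - sestatus.rc is defined        # guard: holds even if the probe above was skipped
    - sestatus.rc == 0
    - sestatus.stdout != 'Disabled'
```

One caveat visible in the report itself: the semodule -l output quoted above has two whitespace-separated columns (module name, version), so awk '{print $3}' prints an empty string even when a line does match; in that output format the version sits in $2, and the registered stdout should be checked with that in mind.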

@mikerj1
Author

mikerj1 commented May 20, 2016

This looks like it will solve the problem and you've got it staged, so please proceed. Thanks again.

rndmh3ro pushed a commit that referenced this issue May 20, 2016
rndmh3ro pushed a commit that referenced this issue Jun 13, 2016
rndmh3ro pushed a commit that referenced this issue Jun 13, 2016
add always_run: true to task. fix #64
@rndmh3ro rndmh3ro added the bug label Oct 24, 2016