This repository was archived by the owner on Dec 26, 2020. It is now read-only.

semodule ssh_password error on AWS Centos 7 #64

Closed
mikerj1 opened this issue May 20, 2016 · 4 comments

mikerj1 commented May 20, 2016

Hello - I'm seeing the error below and I'm not sure if I'm doing something wrong or if this is a bug. The server is the official Centos7 image on AWS. The error is observed when running ansible-playbook with --check.

Running the following on the server (which appears to be part of the problem) shows no output.

semodule -l | grep "ssh_password" | awk '{print $3}'

These are the module names I see with the string ssh:

semodule -l | grep "ssh"

rssh 2.3.0
ssh 2.4.2

Thanks!

Error:
fatal: [server1]: FAILED! => {"failed": true, "msg": "The conditional check 'sestatus.rc == 0 and sestatus.stdout != 'Disabled'' failed. The error was: error while evaluating conditional (sestatus.rc == 0 and sestatus.stdout != 'Disabled'): 'dict object' has no attribute 'rc'

The error appears to have been in '/Users/user1/RRS GDrive/Projects/corp1/repos/corp1-ansible/roles/hardening.ssh-hardening/tasks/main.yml': line 11, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: check the ssh_password policy state
  ^ here
"}

@rndmh3ro (Member) commented

Hi @mikerj1, thanks for bringing this up.
The reason this happens is because in check-mode the following task does not run:

- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  changed_when: false
  ignore_errors: true

When this task does not run, the variable sestatus does not get registered and the next task fails because sestatus.rc does not exist.
When running this task without check-mode this error should not happen.
See this bug-report for more reference.

I'm going to change the task so this won't happen!

mikerj1 commented May 20, 2016

Awesome, thanks! Is it as simple as adding always_run: true to the task?

rndmh3ro commented May 20, 2016

Yes and I also add a failed_when: false to it so if the task fails, there will be no ugly red error message:

- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  failed_when: false
  always_run: true

- name: check the ssh_password policy state
  shell: semodule -l | grep "ssh_password" | awk '{print $3}'
  register: selinux_policy_state
  when: sestatus.rc == 0 and sestatus.stdout != 'Disabled'
  failed_when: false

EDIT: Or would you like to create a PR?
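
Added example (not the role's own tasks and not rndmh3ro's code): the same fix written for a current Ansible. `always_run: true` was deprecated in Ansible 2.2 and removed in 2.4; `check_mode: no` is its replacement and has the same effect of running the task under `--check` so that `sestatus` is always registered. The `when` additionally guards on `sestatus.rc is defined`, so a skipped first task can never trigger the "'dict object' has no attribute 'rc'" error again. One caveat taken from the `semodule -l` output pasted in the report: on that CentOS 7 host each line has two fields (module name and version), so `awk '{print $3}'` prints nothing whether or not an `ssh_password` module is installed. The example matches on the name field and prints `$2` instead. The module name `ssh_password` and the host name are assumptions carried over from the task and report above.

```yaml
# Added example, not the ssh-hardening role's own tasks.
# Check-mode-safe SELinux detection: both tasks run even under
# ansible-playbook --check, so every registered variable exists
# by the time a later "when" references it.
- hosts: server1          # assumed: the host from the report
  gather_facts: false
  tasks:
    - name: test to see if selinux is running
      command: getenforce
      register: sestatus
      changed_when: false   # a read-only probe never "changes" the host
      failed_when: false    # no getenforce (e.g. Debian without SELinux) is not an error
      check_mode: no        # replacement for always_run: true; run under --check too

    - name: check the ssh_password policy state
      # semodule -l prints "<name> <version>" on CentOS 7 (two fields),
      # so match on the name and print the version from $2, not $3.
      shell: semodule -l | awk '$1 == "ssh_password" {print $2}'
      register: selinux_policy_state
      changed_when: false
      failed_when: false
      check_mode: no
      when:
        - sestatus.rc is defined        # defensive: never touch .rc on a skipped result
        - sestatus.rc == 0
        - sestatus.stdout != 'Disabled'

    - name: report what was detected
      debug:
        msg: >-
          SELinux={{ sestatus.stdout | default('unknown') }}
          ssh_password_version={{ selinux_policy_state.stdout | default('not installed') }}
```

`default()` on both debug values covers the two skip paths: `sestatus.stdout` is missing when the probe was skipped, and `selinux_policy_state.stdout` is missing when the second task was skipped because SELinux is disabled or absent. An empty `stdout` (task ran, module not present) is reported as an empty version string, which is what the role's later tasks would key on.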

mikerj1 commented May 20, 2016

This looks like it will solve the problem and you've got it staged, so please proceed. Thanks again.

rndmh3ro pushed a commit that referenced this issue May 20, 2016
rndmh3ro pushed a commit that referenced this issue Jun 13, 2016
rndmh3ro pushed a commit that referenced this issue Jun 13, 2016
add always_run: true to task. fix #64
@rndmh3ro rndmh3ro added the bug label Oct 24, 2016