Ensure SELinux State is Enforcing

Classification: compliance
Framework:
Control:

Description

The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line so that the system boots into enforcing mode:

SELINUX=enforcing

This file is read only at boot and does not change the mode of the running system. Use setenforce 1 to switch a permissive system to enforcing immediately; a system that booted with SELinux disabled must be rebooted, and its filesystems relabeled, before the setting takes effect.

Rationale

Setting the SELinux state to enforcing ensures that SELinux confines potentially compromised processes according to the loaded security policy, which is designed to prevent them from damaging the system or further elevating their privileges. In permissive mode the same violations are only logged, not blocked.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms (not inside containers,
# where the SELinux state is owned by the host)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_selinux_state='enforcing'

if [ -e "/etc/selinux/config" ] ; then
    # Delete every existing SELINUX= line (case-insensitive match) so that a
    # duplicate or differently cased setting earlier in the file cannot take
    # precedence over the one appended below.
    LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
else
    touch "/etc/selinux/config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/selinux/config"

cp "/etc/selinux/config" "/etc/selinux/config.bak"
# Insert at the end of the file
printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"

# Schedule a full relabel for the next boot and relabel now without prompting:
# files written while SELinux was disabled carry missing or stale labels.
fixfiles onboot
fixfiles -f relabel

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
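The remediation above rewrites the setting but does not show how to verify it, and the verification has a subtlety worth seeing in code: libselinux recognizes only a `SELINUX=` key at the very start of a line (case-sensitive key, case-insensitive value) and uses the first such line it finds, so an indented or commented copy is ignored and a stray earlier line silently overrides a later correct one. The following POSIX shell audit helper is an added example, not part of the ComplianceAsCode rule or its remediation; it takes the config path as a parameter (an assumption made so it can run against constructed copies) and checks for exactly what the remediation leaves behind, then compares the boot-time setting with the running kernel.

```shell
#!/bin/sh
# Added audit helper; example code, not part of the ComplianceAsCode rule
# or its remediation. It checks an /etc/selinux/config-style file for what
# the remediation leaves behind: exactly one SELINUX= line, set to
# enforcing. The path is a parameter (assumption made for the example) so
# the check can run against constructed copies rather than the live file.

# Print the value of every SELINUX= line that starts at column 0, lowercased,
# one per line. This mirrors how libselinux reads the file: the key must be
# at the start of the line and is matched case-sensitively, the value is
# compared case-insensitively, and the first matching line wins. Indented or
# commented lines are therefore not settings at all, and a stray
# "SELINUX=permissive" above the real line silently overrides it, which is
# why the remediation deletes every SELINUX= line before appending one.
selinux_config_values() {
    LC_ALL=C sed -n 's/^SELINUX=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 when the file unambiguously sets SELINUX=enforcing, 1 otherwise,
# with a one-line PASS/FAIL reason on stdout for use from a scanner.
check_selinux_config() {
    file=${1:-/etc/selinux/config}
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    # shellcheck disable=SC2046  # word splitting is intended: one value per word
    set -- $(selinux_config_values "$file")
    case $# in
        0) echo "FAIL: no SELINUX= line at column 0 in $file"; return 1 ;;
        1) ;;
        *) echo "FAIL: $# SELINUX= lines in $file; the first ($1) takes effect"; return 1 ;;
    esac
    case $1 in
        enforcing) echo "PASS: $file sets SELINUX=enforcing"; return 0 ;;
        *) echo "FAIL: $file sets SELINUX=$1"; return 1 ;;
    esac
}

# The config file only governs the next boot. Compare it with the running
# kernel: after remediation "setenforce 1" switches a permissive system, but a
# system that booted with SELinux disabled needs the reboot and relabel.
check_runtime_state() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "SKIP: getenforce not installed"
        return 2
    fi
    mode=$(getenforce)
    if [ "$mode" = "Enforcing" ]; then
        echo "PASS: running mode is $mode"
        return 0
    fi
    echo "FAIL: running mode is $mode; the config file is only applied at boot"
    return 1
}

# Constructed sample files (not real system configs) exercising the check.
demo_dir=$(mktemp -d)
printf 'SELINUX=permissive\n# SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/permissive"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\nSELINUX=permissive\n' > "$demo_dir/duplicate"
printf '# comment\n  SELINUX=enforcing\n' > "$demo_dir/indented"
printf 'SELINUX=Enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/good"
for sample in permissive duplicate indented good; do
    check_selinux_config "$demo_dir/$sample" || true
done
rm -rf "$demo_dir"
```

Run as is, the four constructed samples produce three FAIL lines (wrong value, duplicate lines, no line at column 0) and one PASS; on a real host, call check_selinux_config with no argument and check_runtime_state together, since a PASS from the file alone says nothing about the mode the kernel is in right now.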

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_selinux_state # promote to variable
  set_fact:
    var_selinux_state: !!str enforcing
  tags:
    - always

- name: Ensure SELinux State is Enforcing
  block:

    # lineinfile with state: absent in check mode reports how many lines
    # match without touching the file; the count drives the next task.
    - name: Check for duplicate values
      lineinfile:
        path: /etc/selinux/config
        create: false
        regexp: ^SELINUX=
        state: absent
      check_mode: true
      changed_when: false
      register: dupes

    # With more than one match, remove them all so that a stray earlier
    # SELINUX= line cannot take precedence over the one inserted below.
    - name: Deduplicate values from /etc/selinux/config
      lineinfile:
        path: /etc/selinux/config
        create: false
        regexp: ^SELINUX=
        state: absent
      when: dupes.found is defined and dupes.found > 1

    # Unlike the shell remediation, no filesystem relabel is scheduled here;
    # a host that booted with SELinux disabled still needs one.
    - name: Insert correct line to /etc/selinux/config
      lineinfile:
        path: /etc/selinux/config
        create: true
        regexp: ^SELINUX=
        line: SELINUX={{ var_selinux_state }}
        state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-27334-2
    - DISA-STIG-RHEL-07-020210
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)(a)
    - NIST-800-53-AU-9
    - NIST-800-53-SC-7(21)
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - selinux_state