Michal Nasiadka caa7cc54ee selinux: default to permissive
The disable-selinux role has been renamed to selinux and now supports
setting the desired state.

Previously, Kayobe defaulted to disabling SELinux and rebooting the host, to
avoid audit logs filling up. This change allows operators to define the
desired SELinux state and defaults to permissive, to adhere to those
site policies that require SELinux to be at least in the permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1
2022-06-17 09:24:27 +02:00

55 lines | 1.7 KiB | YAML

---
# The selinux module needs the Python SELinux bindings on the target host.
- name: Ensure required packages are installed
  package:
    name: python3-libselinux
    state: present
    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
  become: True

# Hosts without SELinux have no /etc/selinux/config; every task below is
# skipped for them.
- name: Check if SELinux configuration file exists
  stat:
    path: /etc/selinux/config
  register: stat_result

# Sets the persistent state in /etc/selinux/config and, where it can, the
# runtime state via setenforce. The module reports reboot_required when the
# change cannot take effect without a reboot (e.g. disabled -> permissive).
- name: Ensure desired SELinux state
  selinux:
    policy: "{{ selinux_policy }}"
    state: "{{ selinux_state }}"
  register: selinux_result
  become: True
  when: stat_result.stat.exists

- block:
    # At this point /etc/selinux/config has already been rewritten; refusing
    # to reboot leaves the persistent and runtime states out of sync until
    # the operator reboots.
    - name: Abort SELinux configuration because reboot is disabled
      fail:
        msg: >
          SELinux state change requires a reboot, but selinux_do_reboot is
          false. Please run again with selinux_do_reboot set to true to reboot.
      when:
        - not selinux_do_reboot | bool

    - block:
        # The reboot module cannot be used when the target is the host that
        # runs Ansible, because the connection is lost mid-task; compare the
        # controller's hostname with the target's facts and fall back to a
        # plain shutdown in that case.
        - name: Set a fact to determine whether we are running locally
          set_fact:
            is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"

        - name: Reboot the system to apply SELinux changes (local)
          command: shutdown -r now "Applying SELinux changes"
          become: True
          when:
            - is_local | bool

        - name: Reboot the machine to apply SELinux
          reboot:
            reboot_timeout: "{{ selinux_reboot_timeout }}"
            msg: Applying SELinux changes
          become: true
          when:
            - not is_local | bool
      when:
        - selinux_do_reboot | bool
  # Order matters: conditions are evaluated in sequence and stop at the first
  # false one, so selinux_result.reboot_required (undefined when the selinux
  # task was skipped) is only inspected on hosts that have the config file.
  when:
    - stat_result.stat.exists
    - selinux_result.reboot_required
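The role above relies on one distinction: a change between enforcing and permissive can be applied live with setenforce and persisted in /etc/selinux/config, while any transition to or from disabled only takes effect at boot, which is what the selinux module's reboot_required flag signals. The following POSIX shell helper is an added example, not Kayobe's own code, that makes that decision explicit for a given config file and desired state and prints the commands an operator would run. The function names, the remediation commands it prints (the touch /.autorelabel step follows the documented Red Hat procedure for enabling SELinux on a host that was disabled) and the sample config file are the editor's own; the sample stands in for /etc/selinux/config, and changes to SELINUXTYPE (the policy) are not modelled.

```shell
#!/bin/sh
# Added example (editor's code, not part of Kayobe): classify how a desired
# SELinux state can be reached from the persistent state in a config file.
#   enforcing <-> permissive : live via setenforce, then persisted in the file
#   anything involving disabled : policy is only loaded/skipped at boot -> reboot
# The config file path is a parameter so a constructed file can stand in for
# /etc/selinux/config; nothing here touches the live system.

# Print the persistent state (SELINUX=...) from a config file, lower-cased.
# A missing key is treated as "disabled"; commented-out lines are ignored.
selinux_config_state() {
    cfg=$1
    state=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$cfg" | tail -n 1)
    if [ -n "$state" ]; then
        printf '%s\n' "$state" | tr '[:upper:]' '[:lower:]'
    else
        printf 'disabled\n'
    fi
}

# Return 0 for one of the three SELinux states, 1 for anything else.
selinux_valid_state() {
    case $1 in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "none", "setenforce" or "reboot" for a transition from $1 to $2.
# Returns 2 (printing only to stderr) when either state name is invalid.
selinux_transition() {
    current=$1
    desired=$2
    selinux_valid_state "$current" || { echo "invalid current state: $current" >&2; return 2; }
    selinux_valid_state "$desired" || { echo "invalid desired state: $desired" >&2; return 2; }
    if [ "$current" = "$desired" ]; then
        echo none
    elif [ "$current" = disabled ] || [ "$desired" = disabled ]; then
        echo reboot
    else
        echo setenforce
    fi
}

# Print the commands an operator would run to reach $2 from the state stored
# in config file $1. Only prints; the caller decides whether to execute them.
selinux_plan() {
    cfg=$1
    desired=$2
    current=$(selinux_config_state "$cfg")
    action=$(selinux_transition "$current" "$desired") || return $?
    case $action in
        none)
            echo "# already $desired; nothing to do" ;;
        setenforce)
            if [ "$desired" = enforcing ]; then mode=1; else mode=0; fi
            echo "setenforce $mode"
            echo "sed -i 's/^SELINUX=.*/SELINUX=$desired/' $cfg" ;;
        reboot)
            echo "sed -i 's/^SELINUX=.*/SELINUX=$desired/' $cfg"
            if [ "$current" = disabled ]; then
                # Files created while SELinux was disabled carry no labels.
                echo "touch /.autorelabel"
            fi
            echo "shutdown -r now 'Applying SELinux changes'" ;;
    esac
}

# Demo on a constructed config file standing in for /etc/selinux/config:
# a host that was previously disabled, moving to Kayobe's new default.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
EOF
echo "## plan for selinux_state=permissive from a disabled host:"
selinux_plan "$demo_cfg" permissive
rm -f "$demo_cfg"
```

Two caveats when applying this to real hosts. The helper reads only the persistent state; a host whose runtime state was changed with setenforce but never persisted will disagree with getenforce, so check both before trusting the plan. And on Fedora 34 and later and RHEL 9, SELINUX=disabled in /etc/selinux/config is deprecated in favour of the selinux=0 kernel parameter, so a "reboot" plan towards disabled needs the boot loader configuration changed as well.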