validations-common/validations_common/roles/check_selinux_mode/tasks/main.yml

---
- name: Ensure we get needed facts
  setup:
    gather_subset:
      - '!all'
      - '!any'
      - '!min'
      - distribution
      - os_family

- name: Get current SELinux mode
  command: getenforce
  become: true
  register: sestatus
  changed_when: false
  when:
    - "ansible_os_family is defined and ansible_os_family == 'RedHat'"

- name: Check sestatus
  block:
    - name: Fail if SELinux is not in Enforced mode (RHEL)
      fail:
        msg: >-
          SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
          Ensure that SELinux is enabled and running in Enforcing mode.          
      when:
        - "sestatus.stdout != 'Enforcing'"
        - "ansible_distribution == 'RedHat'"

    - name: Warn if SELinux is not in Enforced mode (CentOS)
      warn:
        msg: >-
          SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
          Ensure that SELinux is enabled and running in Enforcing mode.          
      when:
        - "sestatus.stdout != 'Enforcing'"
        - "ansible_distribution == 'CentOS'"
  when: sestatus.stdout is defined