diff --git a/tasks/main.yml b/tasks/main.yml
index e10b2f2..7d7479d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,9 +14,6 @@
 state: present
 when: ansible_distribution == "Fedora"
 
-- name: Drop all local modifications first
- shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -
-
 - name: Set permanent SELinux mode
 selinux: policy={{ SELinux_type }} state={{ SELinux_mode }}
 when: SELinux_mode is defined
@@ -25,6 +22,13 @@
 command: /usr/sbin/setenforce {{ SELinux_mode }}
 when: SELinux_mode is defined and SELinux_change_running is defined
 
+- name: Drop all local modifications
+ shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -
+
+- name: Reload SELinux policy
+ command: semodule -R
+ when: ansible_selinux.status != "disabled"
+
 - name: Set SELinux booleans
 seboolean:
 name: "{{ item.name }}"
diff --git a/test/selinux.config b/test/selinux.config
new file mode 100644
index 0000000..a520b96
--- /dev/null
+++ b/test/selinux.config
@@ -0,0 +1,14 @@
+
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=disabled
+# SELINUXTYPE= can take one of these three values:
+# targeted - Targeted processes are protected,
+# minimum - Modification of targeted policy. Only selected processes are protected.
+# mls - Multi Level Security protection.
+SELINUXTYPE=targeted
+
+
diff --git a/test/test_selinux_disabled.yml b/test/test_selinux_disabled.yml
new file mode 100644
index 0000000..b13bfef
--- /dev/null
+++ b/test/test_selinux_disabled.yml
@@ -0,0 +1,48 @@
+
+- name: Ensure the default is targeted, enforcing, without local modifications
+ hosts: all
+ become: true
+ vars:
+ SELinux_type: targeted
+ SELinux_mode: enforcing
+
+ pre_tasks:
+ - name: Backup original /etc/selinux/config
+ copy:
+ remote_src: true
+ src: /etc/selinux/config
+ dest: /etc/selinux/config.test_selinux_disabled
+ - name: Upload testing /etc/selinux/config
+ copy:
+ src: selinux.config
+ dest: /etc/selinux/config
+ - name: Switch to permissive to allow login when selinuxfs is not mounted
+ command: setenforce 0
+ when: ansible_selinux.status != "disabled"
+ - name: Get selinuxfs mountpoint
+ shell: findmnt -n -t selinuxfs --output=target
+ register: selinux_mountpoint
+ - name: Umount {{ selinux_mountpoint.stdout }} to emulate SELinux disabled system
+ command: umount {{ selinux_mountpoint.stdout }}
+
+ roles:
+ - selinux
+
+ tasks:
+ - name: Mount {{ selinux_mountpoint.stdout }} back to system
+ command: mount -t selinuxfs selinuxfs {{ selinux_mountpoint.stdout }}
+ - name: Switch back to enforcing
+ command: setenforce 1
+ - name: Gather facts again
+ setup:
+ - name: Check SELinux config mode
+ assert:
+ that: "{{ ansible_selinux.config_mode == 'enforcing' }}"
+ mgs: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"
+ - name: Restore original /etc/selinux/config
+ copy:
+ remote_src: true
+ dest: /etc/selinux/config
+ src: /etc/selinux/config.test_selinux_disabled
+ - name: Remove /etc/selinux/config backup
+ command: rm /etc/selinux/config.test_selinux_disabled
diff --git a/vars/main.yml b/vars/main.yml
index 74ae42f..4dcb80d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,6 @@
 ---
 drop_local_modifications: |
- boolean -D
- login -D
- port -D
- fcontext -D
+ boolean -D -N
+ login -D -N
+ port -D -N
+ fcontext -D -N
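Review bot: The relocated `Drop all local modifications` task still pipes the variable through `shell` with no `changed_when`, so it reports changed on every run and whatever `drop_local_modifications` expands to is interpreted by the shell rather than handed to semanage verbatim; feeding it through the command module's `stdin` avoids the pipe, e.g. `command: /usr/sbin/semanage -i -` with `stdin: "{{ drop_local_modifications }}"` (if the Ansible version the role targets supports `stdin`). The new `Reload SELinux policy` task then runs `semodule -R` unconditionally, even when nothing was dropped; registering the drop task's result and reloading only when it changed would keep the role idempotent. `ansible_selinux.status` is also a fact gathered before `Set permanent SELinux mode` ran, so the guard may not reflect a mode the role itself just changed, which is worth a comment on the `when:` line.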
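Review bot: The assert task's `mgs:` key is a typo for `msg:`, so the failure message is never used and, depending on the Ansible version, the task may be rejected for an unsupported parameter; change it to `msg: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"`. The condition on the line above should be a bare expression rather than a templated string, `that: ansible_selinux.config_mode == 'enforcing'`, which is what `assert` evaluates and avoids the templating warning. The cleanup under `tasks:` (remounting selinuxfs, `setenforce 1`, restoring `/etc/selinux/config`) only runs if the role succeeds, so a role failure leaves the test host permissive with a config file saying `SELINUX=disabled`; running the role via `import_role` inside a `block` whose `always:` holds the cleanup would be safer, if the targeted Ansible version supports it. `command: rm /etc/selinux/config.test_selinux_disabled` can be `file: path=/etc/selinux/config.test_selinux_disabled state=absent` for idempotence.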
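Review bot: Adding `-N` to each `semanage ... -D` line defers the policy reload, so these deletions only take effect once the separate `semodule -R` task in tasks/main.yml runs, and nothing in this file records that coupling. A comment above the block scalar would help the next maintainer, e.g. `# -N (--noreload): defer the reload; tasks/main.yml runs semodule -R afterwards`. Since that reload is guarded by `ansible_selinux.status != "disabled"`, on a host where the fact reports disabled the dropped customizations remain pending until the next policy load, which the comment should also mention.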