selinux: update kernel boot params when disabling/re-enabling SELinux
SUMMARY
The ability to disable SELinux from userspace based on the configuration
file is being deprecated in favor of the selinux=0 kernel boot
parameter. (Note that this affects only the "full" disable; switching
to/from permissive mode will work the same as before.)
Therefore, enhance the selinux module to try to set/unset the kernel
command-line parameter using grubby when enabling/disabling SELinux.
If the grubby package is not present on the system, the module will only
update the config file and report a warning. Note that even with the
runtime disable functionality removed, setting SELINUX=disabled in the
config file will lead to a system with no SELinux policy loaded, which
will behave in a very similar way as if SELinux was fully disabled, only
there could still be some minor performance impact, since the kernel
hooks will still be active.
More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
selinux module
Reviewed-by: Adam Miller <maxamillion@fedoraproject.org>
Reviewed-by: Ondrej Mosnáček <omosnacek@gmail.com>
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: quidame <None>
Reviewed-by: Hideki Saito <saito@fgrep.org>
The ability to disable SELinux from userspace based on the configuration
file is being deprecated in favor of the selinux=0 kernel boot
parameter. (Note that this affects only the "full" disable; switching
to/from permissive mode will work the same as before.)
Therefore, add an 'update_kernel_param' module parameter that will cause
it to set/unset the kernel command-line parameter using grubby when
enabling/disabling SELinux. (An explicit parameter was chosen for
backwards compatibility.)
More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Fix requires firewalld version in comments for permanent parameter.
SUMMARY
Version of firewalld seems to be wrong. 3.0.9 version of that package does not exist.
The latest release of firewalld: https://github.com/firewalld/firewalld/releases
ISSUE TYPE
Docs Pull Request
COMPONENT NAME
ansible.posix.firewalld
Reviewed-by: Hideki Saito <saito@fgrep.org>
Reviewed-by: Andrew Klychkov <aaklychkov@mail.ru>
The synchronize action plugin and module were a bit sloppy when it
came to the command-line parameter quoting and that caused failure on
some systems (for example, on Fedora 34).
This commit makes sure any arguments with potentially problematic
characters are quoted before being used.
Add new firewalld_info module to ansible.posix collection
SUMMARY
Add new firewalld_info module to ansible.posix collection.
Gathering information about firewalld zone settings
Fixes #98
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
ansible.posix.firewalld_info
ADDITIONAL INFORMATION
None
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: Hideki Saito <saito@fgrep.org>
synchronize: fix to honor become_user when become_method sudo
SUMMARY
When become_method is sudo, the synchronize module ignores become_user, always running as root. This means one cannot create files as a target user, when they need to get in via a third user and can only sudo via that one. In my case, I'm connecting via a special provisioning user that has sudo privs, but I need to create the files as the become_user. I'm using it to deposit skeleton files, and there should be no reason to run another task with chown; after all, the documentation already describes the desired behavior:
The user and permissions for the synchronize dest are those of the remote_user on the destination host or the become_user if become=yes is active.
This patch takes the running become_user (if it's not None) and adds it to the sudo command with the -u command line option, so the file gets created correctly. I have tested this and it works.
Other become_methods are ignored, but they already were anyways (the code already has a TODO to add other methods, which we don't attempt in this patch)
Fixes #186
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
synchronize
ADDITIONAL INFORMATION
See reproduction in #186.
This appears to have been in place since ansible/ansible@811a906
Reviewed-by: Amin Vakil <info@aminvakil.com>
Reviewed-by: Sumit Jaiswal <sjaiswal@redhat.com>
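The two synchronize fixes above (quoting of arguments, and `sudo -u <become_user>` in the rsync path) as one added example; this is illustrative code, not the collection's own action plugin, and the exact argument layout of the real plugin is an assumption.

```python
"""Added example (not ansible.posix's synchronize plugin): build an rsync
command line that quotes shell-sensitive arguments and honours become_user
when the become method is sudo, as the two commits above describe."""
import shlex


def rsync_path(become, become_method, become_user):
    """Return the --rsync-path value, or None when no escalation applies.

    Only the sudo become method is handled; other methods are ignored,
    matching the TODO noted in the commit message. When become_user is set,
    it is passed to sudo with -u so files land owned by that user rather
    than root."""
    if not become or become_method != "sudo":
        return None
    if become_user is not None:
        return "sudo -u %s rsync" % shlex.quote(become_user)
    return "sudo rsync"


def build_rsync_command(src, dest, become=False, become_method=None,
                        become_user=None, extra_opts=()):
    """Assemble a single shell string for rsync, quoting every value that
    came from user input. Fixed option names are left as-is; paths, the
    rsync-path value and extra options are passed through shlex.quote so
    spaces or metacharacters cannot split or alter the command."""
    cmd = ["rsync", "--archive"]
    path = rsync_path(become, become_method, become_user)
    if path is not None:
        cmd.append("--rsync-path=%s" % shlex.quote(path))
    cmd.extend(shlex.quote(opt) for opt in extra_opts)
    cmd.extend([shlex.quote(src), shlex.quote(dest)])
    return " ".join(cmd)


if __name__ == "__main__":
    # Constructed sample: a source path containing a space, escalated to
    # a non-root target user via sudo.
    print(build_rsync_command("/tmp/skel dir/", "host:/home/deploy/",
                              become=True, become_method="sudo",
                              become_user="deploy"))
```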
* Address the issue #28
* Modified behavior to set noauto option if boot is 'no' on Linux systems
* Modified integration test to use filesize module instead of dd
Signed-off-by: Hideki Saito <saito@fgrep.org>
The synchronize action plugin has a built-in list of connection
plugins that it knows how to handle.
One of those connection plugins is the docker connection plugin. And
because the docker content has been moved around quite a lot, the
docker connection plugin has quite a few names:
- docker in Ansible 2.9,
- community.general.docker for community.general < 2.0.0, and
- community.docker.docker since a few months ago.
And while the synchronize module already knew about the first two
names, the last one was still missing. This commit fixes that omission
and adds a third name into the mix.
* firewalld: add zone target set
Fixes https://github.com/ansible/ansible/issues/49232
Signed-off-by: Adam Miller <admiller@redhat.com>
* fix sanity tests, add example of zone target setting
Signed-off-by: Adam Miller <admiller@redhat.com>
* test different zone/target combination as we're not hitting default settings
Signed-off-by: Adam Miller <admiller@redhat.com>
* fix enabled values for zone operations
Signed-off-by: Adam Miller <admiller@redhat.com>
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
The order of actions for setting, persisting and activation is changed,
to not persist an invalid sysctl value. This is only enforced when
sysctl_set is True.
AIX uses -lv options to cat a job (instead of -c for Linux).
AIX uses -r to remove a job.
Linux supports both -r and -d, so use -r since it is what POSIX says.
Previously check_mode would incorrectly return changed=False even when a
change would have taken place if run without check_mode, with
integration tests that confirmed this incorrect behavior. Also the
module did not correctly populate the return values when run in
check_mode. Both of these issues are resolved in this PR.
Fixes https://github.com/ansible-collections/ansible.posix/issues/37
Signed-off-by: Adam Miller <admiller@redhat.com>
In Ansible 2.9 (pre 2.10 routing), the AnsiballZ creation of the payload
will add an extra directory to the module_util path because ismount.py
shares the same name as its parent dir, which creates an inconsistency
in the payload creation. This causes the Collection module
ansible.posix.mount to work in Ansible 2.10 but not 2.9. This pull
request simply renames the module_util, which sidesteps this
inconsistency.
Fixes https://github.com/ansible-collections/ansible.posix/issues/21
Signed-off-by: Adam Miller <admiller@redhat.com>
Previously the selinux module would only edit the state of found
configuration keys SELINUX and SELINUXTYPE in /etc/selinux/config but
would not add them with desired state if they were not found.
Fixes #23 https://github.com/ansible-collections/ansible.posix/issues/23
Signed-off-by: Adam Miller <admiller@redhat.com>
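The two selinux-module changes described on this page (adding SELINUX/SELINUXTYPE to /etc/selinux/config when the keys are absent, and keeping the kernel command line in step via grubby) as one added example; this is not the module's own code, and the grubby invocation shown is the standard `--update-kernel=ALL` form, not necessarily the one the module uses.

```python
"""Added example (not ansible.posix's selinux module): rewrite the SELinux
config text and derive the grubby command that mirrors the requested state
onto the kernel command line."""
import re


def update_selinux_config(text, state, policy):
    """Return config text with SELINUX=<state> and SELINUXTYPE=<policy>.

    Existing keys are rewritten in place (comments and other lines are kept);
    keys that are missing are appended instead of being silently skipped,
    which is the fix described above."""
    lines = text.splitlines()
    for key, value in (("SELINUX", state), ("SELINUXTYPE", policy)):
        pattern = re.compile(r"^\s*%s\s*=" % key)
        for i, line in enumerate(lines):
            if pattern.match(line):
                lines[i] = "%s=%s" % (key, value)
                break
        else:
            lines.append("%s=%s" % (key, value))
    return "\n".join(lines) + "\n"


def grubby_args(state):
    """Kernel command-line change for the requested state.

    A full disable needs selinux=0 on the boot line; enforcing or permissive
    removes it so the policy loads at boot again."""
    if state == "disabled":
        return ["grubby", "--update-kernel=ALL", "--args=selinux=0"]
    return ["grubby", "--update-kernel=ALL", "--remove-args=selinux=0"]


def plan_selinux_change(config_text, state, policy, grubby_present):
    """Return (new config text, grubby command or None, warning or None).

    Without grubby only the config file is updated and a warning is
    reported, matching the fallback the commit message describes."""
    new_text = update_selinux_config(config_text, state, policy)
    if not grubby_present:
        return new_text, None, "grubby not found; kernel boot parameters were not updated"
    return new_text, grubby_args(state), None


if __name__ == "__main__":
    # Constructed sample config with SELINUXTYPE missing entirely.
    sample = "# This file controls the state of SELinux\nSELINUX=enforcing\n"
    print(plan_selinux_change(sample, "disabled", "targeted", True))
```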
This reverts part of ansible commit 72023d7462e78635264fd12bfdb23894b4163cba.
The immediate reason is that it breaks mounts where src is not a path.
Examples of such mounts are network-based filesystems such as nfs, cifs,
glusterfs, ceph, virtual filesystems such as tmpfs or overlayfs, and
also UUID-based mounts. It is too hard to come up with an exhaustive list,
especially if we take non-Linux systems into account, so don't even try.
Additionally, it did not really fix the issue (ansible/ansible#59183) that
it intended to fix, because the mount could fail but leave a non-working
fstab entry for reasons other than non-existing src path.
Restore fstab and remove the mount point after a failed mount
Add a reminder that not only devices can be mounted
Fixes: ansible/ansible#65855
Fixes: ansible/ansible#67588
Fixes: ansible/ansible#67966
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Co-authored-by: Alexander E. Patrakov <patrakov@gmail.com>