seboolean: make it work with disabled SELinux

Sometimes it's necessary to configure SELinux before it's enabled on the system. There's `ignore_selinux_state` which should allow it. Before this change `seboolean` module failed on SELinux disabled system even with `ignore_selinux_state: true` and SELinux policy installed while `semanage boolean` worked as expected: $ ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on ignore_selinux_state=true" all 192.168.121.153 | FAILED! => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python3" }, "changed": false, "msg": "Failed to get list of boolean names" } $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login ssh_sysadm_login (off , off) Allow ssh to sysadm login It's caused by `selinux.security_get_boolean_names()` and `selinux.security_get_boolean_active(name)` which required SELinux enabled system. This change adds a fallback to semanage API which works in SELinux disabled system when SELinux targeted policy is installed: ANSIBLE_LIBRARY=plugins/modules ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on persistent=true ignore_selinux_state=true" all 192.168.121.153 | CHANGED => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python3" }, "changed": true, "name": "ssh_sysadm_login", "persistent": true, "state": true } $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login ssh_sysadm_login (on , on) Allow ssh to sysadm login Note that without `persistent=true` this module is effectively NO-OP now. Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2026-03-10 03:25:22 +01:00 · 2023-12-11 16:19:41 +01:00
7 changed files with 25 additions and 18 deletions
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -209,8 +209,10 @@ stages:
              test: rhel/8.7
            - name: RHEL 9.1
              test: rhel/9.1
-            - name: FreeBSD 13.2
+            - name: FreeBSD 13.1
-              test: freebsd/13.2
+              test: freebsd/13.1
            - name: FreeBSD 12.4
              test: freebsd/12.4
  - stage: Remote_2_14
    displayName: Remote 2.14
    dependsOn: []
@ -223,8 +225,10 @@ stages:
              test: rhel/7.9
            - name: RHEL 8.6
              test: rhel/8.6
-            - name: FreeBSD 13.2
+            - name: FreeBSD 13.1
-              test: freebsd/13.2
+              test: freebsd/13.1
            - name: FreeBSD 12.4
              test: freebsd/12.4
  ## Finally
--- a/changelogs/fragments/421-remove-deprecation-warning.yml
+++ b/changelogs/fragments/421-remove-deprecation-warning.yml
@ -1,2 +0,0 @@
 trivial:
  - synchronize - instantiate the connection plugin without the ``new_stdin`` argument, which is deprecated in ansible-core 2.15 (https://github.com/ansible-collections/ansible.posix/pull/421).
--- a/changelogs/fragments/504-firewalld_info-warning.yaml
+++ b/changelogs/fragments/504-firewalld_info-warning.yaml
@ -1,2 +0,0 @@
 minor_changes:
  - firewalld_info - Only warn about ignored zones, when there are zones ignored.
--- a/plugins/action/synchronize.py
+++ b/plugins/action/synchronize.py
@ -284,6 +284,9 @@ class ActionModule(ActionBase):
        # told (via delegate_to) that a different host is the source of the
        # rsync
        if not use_delegate and remote_transport:
            # Create a connection to localhost to run rsync on
            new_stdin = self._connection._new_stdin
            # Unlike port, there can be only one shell
            localhost_shell = None
            for host in C.LOCALHOST:
@ -312,11 +315,7 @@ class ActionModule(ActionBase):
                localhost_executable = C.DEFAULT_EXECUTABLE
            self._play_context.executable = localhost_executable
-            try:
+            new_connection = connection_loader.get('local', self._play_context, new_stdin)
                new_connection = connection_loader.get('local', self._play_context)
            except TypeError:
                # Needed for ansible-core < 2.15
                new_connection = connection_loader.get('local', self._play_context, self._connection._new_stdin)
            self._connection = new_connection
            # Override _remote_is_local as an instance attribute specifically for the synchronize use case
            # ensuring we set local tmpdir correctly
--- a/plugins/modules/firewalld_info.py
+++ b/plugins/modules/firewalld_info.py
@ -356,9 +356,8 @@ def main():
            specified_zones = module.params['zones']
            collect_zones = list(set(specified_zones) & set(all_zones))
            ignore_zones = list(set(specified_zones) - set(collect_zones))
-            if ignore_zones:
+            warn.append(
-                warn.append(
+                'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones))
                    'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones))
        else:
            collect_zones = get_all_zones(client)
--- a/plugins/modules/mount.py
+++ b/plugins/modules/mount.py
@ -831,7 +831,7 @@ def main():
        # handle mount on boot.  To avoid mount option conflicts, if 'noauto'
        # specified in 'opts',  mount module will ignore 'boot'.
        opts = args['opts'].split(',')
-        if module.params['boot'] and 'noauto' in opts:
+        if 'noauto' in opts:
            args['warnings'].append("Ignore the 'boot' due to 'opts' contains 'noauto'.")
        elif not module.params['boot']:
            args['boot'] = 'no'
--- a/tests/utils/shippable/shippable.sh
+++ b/tests/utils/shippable/shippable.sh
@ -62,7 +62,16 @@ else
    retry pip install "https://github.com/ansible/ansible/archive/stable-${ansible_version}.tar.gz" --disable-pip-version-check
 fi
-export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
+if [ "${SHIPPABLE_BUILD_ID:-}" ]; then
    export ANSIBLE_COLLECTIONS_PATHS="${HOME}/.ansible"
    SHIPPABLE_RESULT_DIR="$(pwd)/shippable"
    TEST_DIR="${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/ansible/posix"
    mkdir -p "${TEST_DIR}"
    cp -aT "${SHIPPABLE_BUILD_DIR}" "${TEST_DIR}"
    cd "${TEST_DIR}"
 else
    export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
 fi
 # START: HACK install dependencies
 if [ "${ansible_version}" == "2.9" ] || [ "${ansible_version}" == "2.10" ]; then
		`@ -1,2 +0,0 @@`
			`trivial:`
			- synchronize - instantiate the connection plugin without the ``new_stdin`` argument, which is deprecated in ansible-core 2.15 (https://github.com/ansible-collections/ansible.posix/pull/421).
		`@ -1,2 +0,0 @@`
			`minor_changes:`
			`- firewalld_info - Only warn about ignored zones, when there are zones ignored.`