Compare commits

5 commits

Author SHA1 Message Date
Petr Lautrbach
fb563e0086
Merge 1328ef0c0a into 719f7dfebf 2023-11-23 16:21:09 +00:00
softwarefactory-project-zuul[bot]
719f7dfebf
Merge pull request #510 from saito-hideki/issue/509
[CI] Replace Fedora 38 with 39 for devel branch container test

SUMMARY
Replace Fedora 38 container test with 39 for devel branch.

Fixed /#509

ISSUE TYPE

CI test Pull Request

COMPONENT NAME

ansible.posix

ADDITIONAL INFORMATION
None
2023-11-23 15:56:55 +00:00
Hideki Saito
5cae7aa946 Replace Fedora 38 with 39 for devel branch container test 2023-11-22 17:09:41 +09:00
Petr Lautrbach
1328ef0c0a Add a changelog fragment 2023-09-21 16:52:45 +02:00
Petr Lautrbach
213cbfcdb5 seboolean: make it work with disabled SELinux
Sometimes it's necessary to configure SELinux before it's enabled on the
system. There's `ignore_selinux_state` which should allow it. Before
this change `seboolean` module failed on SELinux disabled system even
with `ignore_selinux_state: true` and SELinux policy installed while
`semanage boolean` worked as expected:

    $ ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on ignore_selinux_state=true" all
    192.168.121.153 | FAILED! => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": false,
        "msg": "Failed to get list of boolean names"
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login

It's caused by `selinux.security_get_boolean_names()` and
`selinux.security_get_boolean_active(name)` which required SELinux
enabled system.

This change adds a fallback to semanage API which works in SELinux
disabled system when SELinux targeted policy is installed:

    ANSIBLE_LIBRARY=plugins/modules ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on persistent=true ignore_selinux_state=true" all
    192.168.121.153 | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": true,
        "name": "ssh_sysadm_login",
        "persistent": true,
        "state": true
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login

Note that without `persistent=true` this module is effectively NO-OP now.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-09-21 14:56:06 +02:00
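
A post-run check for the behaviour the commit message above describes, as an added example (not code from the commit or from ansible.posix). It parses rows in the `semanage boolean -l` format quoted in the message and flags the no-op case; the function names, the task dict shape (with `state` as a bool) and the sample listing are assumptions made for illustration.

```python
import re

# Constructed listing in the `semanage boolean -l` row format quoted in the commit message.
SAMPLE_LISTING = """\
ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
"""

ROW = re.compile(r"^(\S+)\s+\((on|off)\s*,\s*(on|off)\)\s+(.*)$")


def parse_boolean_listing(text):
    """Map boolean name -> the two values of the parenthesised pair, as bools."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            rows[m.group(1)] = (m.group(2) == "on", m.group(3) == "on")
    return rows


def expected_effect(persistent, selinux_enabled):
    """Branch order of the patched main(): persistent, elif enabled, else nothing."""
    if persistent:
        return "policy-store"
    return "runtime" if selinux_enabled else "noop"


def audit_task(task, selinux_enabled, listing):
    """Return findings for one seboolean task (hypothetical dict of module arguments)."""
    findings = []
    name, want = task["name"], task["state"]
    effect = expected_effect(task.get("persistent", False), selinux_enabled)
    rows = parse_boolean_listing(listing)
    if effect == "noop":
        findings.append("%s: nothing is written on an SELinux-disabled host "
                        "without persistent=true" % name)
    if name not in rows:
        findings.append("%s: not present in the installed policy" % name)
    elif effect == "policy-store" and rows[name] != (want, want):
        findings.append("%s: policy store shows %r, wanted %r"
                        % (name, rows[name], want))
    return findings
```

Feed it the output of `semanage boolean -l` collected from the host after the play has run.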
4 changed files with 13 additions and 24 deletions

@ -51,8 +51,8 @@ stages:
parameters:
testFormat: devel/linux/{0}/1
targets:
- name: Fedora 38
test: fedora38
- name: Fedora 39
test: fedora39
- name: Ubuntu 20.04
test: ubuntu2004
- name: Ubuntu 22.04

@ -0,0 +1,3 @@
---
bugfixes:
- seboolean - make it work with disabled SELinux
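
Review bot: the bugfix entry "seboolean - make it work with disabled SELinux" leaves out the behaviour change the commit message itself calls out, that without `persistent=true` the module does nothing on a disabled host. Say so in the fragment, and name `ignore_selinux_state` as the option that enables this path, so users reading the changelog know which combination of options actually writes to the policy store.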

@ -0,0 +1,3 @@
---
trivial:
- "Replace Fedora 38 with 39 for container test(https://github.com/ansible-collections/ansible.posix/issues/509)."
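
Review bot: style point in the trivial entry, there is no space between "container test" and the opening parenthesis of the issue URL. Write it as "... for container test (https://github.com/ansible-collections/ansible.posix/issues/509)." so the link is separated from the sentence.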

@ -81,23 +81,6 @@ def get_runtime_status(ignore_selinux_state=False):
return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
def has_boolean_value(module, name):
bools = []
try:
rc, bools = selinux.security_get_boolean_names()
except OSError:
module.fail_json(msg="Failed to get list of boolean names")
# work around for selinux who changed its API, see
# https://github.com/ansible/ansible/issues/25651
if len(bools) > 0:
if isinstance(bools[0], binary_type):
name = to_bytes(name)
if name in bools:
return True
else:
return False
def get_boolean_value(module, name):
state = 0
try:
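
Review bot: the deleted `has_boolean_value()` is the code in this region that used `binary_type` and `to_bytes`, so check whether anything else in the module still references them and drop the imports in this commit if not. It was also the only visible place that validated the boolean name before use; the remaining `get_boolean_value()` and the semanage path should be confirmed to fail with a clear message for an unknown name.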
@ -173,7 +156,10 @@ def semanage_set_boolean_value(module, handle, name, value):
semanage.semanage_handle_destroy(handle)
module.fail_json(msg="Failed to modify boolean key with semanage")
if semanage.semanage_bool_set_active(handle, boolkey, sebool) < 0:
if (
selinux.is_selinux_enabled()
and semanage.semanage_bool_set_active(handle, boolkey, sebool) < 0
):
semanage.semanage_handle_destroy(handle)
module.fail_json(msg="Failed to set boolean key active with semanage")
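
Review bot: the new `selinux.is_selinux_enabled()` guard in front of `semanage.semanage_bool_set_active(handle, boolkey, sebool)` has no comment explaining why the active value is skipped on a disabled host. Add a one-line comment at the condition, and consider nesting the semanage call inside an `if selinux.is_selinux_enabled():` block so the "Failed to set boolean key active with semanage" branch reads as belonging to that call only.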
@ -308,12 +294,9 @@ def main():
# Feature only available in selinux library since 2012.
name = selinux.selinux_boolean_sub(name)
if not has_boolean_value(module, name):
module.fail_json(msg="SELinux boolean %s does not exist." % name)
if persistent:
changed = semanage_boolean_value(module, name, state)
else:
elif selinux.is_selinux_enabled():
cur_value = get_boolean_value(module, name)
if cur_value != state:
changed = True
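
Review bot: missing else branch after `elif selinux.is_selinux_enabled():` in main(). With `persistent` false on a disabled host, neither branch runs, so the task returns unchanged with no message, and because the `has_boolean_value()` check above is gone a misspelled boolean name is accepted on that path too. Add an `else:` that calls `module.warn()` (or fails) to say that nothing was changed because SELinux is disabled and `persistent` is not set.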