carroarmato0/ansible.posix
1
0
Fork 0
mirror of https://github.com/ansible-collections/ansible.posix.git synced 2026-01-12 23:55:19 +01:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: carroarmato0:c69bed376d56731d4d96f02e70d8e5a83a1ad78c
Branches Tags
carroarmato0:main
carroarmato0:stable-2
carroarmato0:stable-1
carroarmato0:2.1.0
carroarmato0:2.0.0
carroarmato0:1.6.2
carroarmato0:1.6.1
carroarmato0:1.6.0
carroarmato0:1.5.4
carroarmato0:1.5.2
carroarmato0:1.5.1
carroarmato0:1.5.0
carroarmato0:1.4.0
carroarmato0:1.3.0
carroarmato0:1.2.0
carroarmato0:1.1.1
carroarmato0:1.1.0
carroarmato0:1.0.0
carroarmato0:0.1.3
carroarmato0:0.1.2
carroarmato0:0.1.1
...
compare: carroarmato0:af2635cbf627a40ea7aa7a7697b99948b37fedb1
Branches Tags
carroarmato0:stable-2
carroarmato0:main
carroarmato0:stable-1
carroarmato0:2.1.0
carroarmato0:2.0.0
carroarmato0:1.6.2
carroarmato0:1.6.1
carroarmato0:1.6.0
carroarmato0:1.5.4
carroarmato0:1.5.2
carroarmato0:1.5.1
carroarmato0:1.5.0
carroarmato0:1.4.0
carroarmato0:1.3.0
carroarmato0:1.2.0
carroarmato0:1.1.1
carroarmato0:1.1.0
carroarmato0:1.0.0
carroarmato0:0.1.3
carroarmato0:0.1.2
carroarmato0:0.1.1

7 commits
c69bed376d ... af2635cbf6

Author SHA1 Message Date
Petr Lautrbach
af2635cbf6
Merge d2bdca837b into 0847977d12 2024-01-09 16:08:13 -06:00
Michael
0847977d12
Warn only when zones were ignored in firewalld_info (#504) 
* warn only when zones were ignored

* add changelog 504-firewalld_info-warning
 2024-01-09 16:07:58 -06:00
Christer Warén
2a1fb334ee
mount: edit boot parameters warning condition (#523) 
the CI failures are unrelated and shouldn't even be showing up ... I'm going to sort that out separately but that doesn't need to prevent this merge, all relevant CI tests passed
 2024-01-09 16:06:26 -06:00
softwarefactory-project-zuul[bot]
af870d0b83
Merge pull request #524 from felixfontein/fix-ci 
Fix CI issues

SUMMARY

Sanity tests fail; remove problematic Shippable-specific parts of shippable.sh script.
FreeBSD 12.4 have apparently been removed also from older versions of ansible-test.

ISSUE TYPE

Test Pull Request

COMPONENT NAME
CI
 2024-01-09 18:43:25 +00:00
Felix Fontein
8e900e5218 Support for FreeBSD 12.4 was removed. 2024-01-09 07:30:04 +01:00
Felix Fontein
45d8819b7c Remove Shippable leftovers. 2024-01-09 07:25:45 +01:00
Petr Lautrbach
d2bdca837b seboolean: make it work with disabled SELinux 
Sometimes it's necessary to configure SELinux before it's enabled on the
system. There's `ignore_selinux_state` which should allow it. Before
this change `seboolean` module failed on SELinux disabled system even
with `ignore_selinux_state: true` and SELinux policy installed while
`semanage boolean` worked as expected:

    $ ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on ignore_selinux_state=true" all
    192.168.121.153 | FAILED! => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": false,
        "msg": "Failed to get list of boolean names"
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login

It's caused by `selinux.security_get_boolean_names()` and
`selinux.security_get_boolean_active(name)` which required SELinux
enabled system.

This change adds a fallback to semanage API which works in SELinux
disabled system when SELinux targeted policy is installed:

    ANSIBLE_LIBRARY=plugins/modules ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on persistent=true ignore_selinux_state=true" all
    192.168.121.153 | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": true,
        "name": "ssh_sysadm_login",
        "persistent": true,
        "state": true
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login

Note that without `persistent=true` this module is effectively NO-OP now.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
 2023-12-11 16:19:41 +01:00
7 changed files with 16 additions and 41 deletions
Show stats Expand all files Collapse all files

4
.azure-pipelines/azure-pipelines.yml
View file

@ -211,8 +211,6 @@ stages:
test: rhel/9.1 test: rhel/9.1
- name: FreeBSD 13.2 - name: FreeBSD 13.2
test: freebsd/13.2 test: freebsd/13.2
- name: FreeBSD 12.4
test: freebsd/12.4
- stage: Remote_2_14 - stage: Remote_2_14
displayName: Remote 2.14 displayName: Remote 2.14
dependsOn: [] dependsOn: []
@ -227,8 +225,6 @@ stages:
test: rhel/8.6 test: rhel/8.6
- name: FreeBSD 13.2 - name: FreeBSD 13.2
test: freebsd/13.2 test: freebsd/13.2
- name: FreeBSD 12.4
test: freebsd/12.4
## Finally ## Finally

3
changelogs/fragments/496_seboolean-make-it-wrk-with-SELinux-disabled.yaml Normal file
View file

@ -0,0 +1,3 @@
---
bugfixes:
- seboolean - make it work with disabled SELinux

2
changelogs/fragments/504-firewalld_info-warning.yaml Normal file
View file

@ -0,0 +1,2 @@
minor_changes:
- firewalld_info - Only warn about ignored zones, when there are zones ignored.

1
plugins/modules/firewalld_info.py
View file

@ -356,6 +356,7 @@ def main():
specified_zones = module.params['zones'] specified_zones = module.params['zones']
collect_zones = list(set(specified_zones) & set(all_zones)) collect_zones = list(set(specified_zones) & set(all_zones))
ignore_zones = list(set(specified_zones) - set(collect_zones)) ignore_zones = list(set(specified_zones) - set(collect_zones))
if ignore_zones:
warn.append( warn.append(
'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones)) 'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones))
else: else:

2
plugins/modules/mount.py
View file

@ -831,7 +831,7 @@ def main():
# handle mount on boot. To avoid mount option conflicts, if 'noauto' # handle mount on boot. To avoid mount option conflicts, if 'noauto'
# specified in 'opts', mount module will ignore 'boot'. # specified in 'opts', mount module will ignore 'boot'.
opts = args['opts'].split(',') opts = args['opts'].split(',')
if 'noauto' in opts: if module.params['boot'] and 'noauto' in opts:
args['warnings'].append("Ignore the 'boot' due to 'opts' contains 'noauto'.") args['warnings'].append("Ignore the 'boot' due to 'opts' contains 'noauto'.")
elif not module.params['boot']: elif not module.params['boot']:
args['boot'] = 'no' args['boot'] = 'no'

30
plugins/modules/seboolean.py
View file

@ -73,8 +73,7 @@ except ImportError:
HAVE_SEMANAGE = False HAVE_SEMANAGE = False
from ansible.module_utils.basic import AnsibleModule, missing_required_lib from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.six import binary_type from ansible.module_utils._text import to_text
from ansible.module_utils._text import to_bytes, to_text
from ansible_collections.ansible.posix.plugins.module_utils._respawn import respawn_module, HAS_RESPAWN_UTIL from ansible_collections.ansible.posix.plugins.module_utils._respawn import respawn_module, HAS_RESPAWN_UTIL
@ -82,23 +81,6 @@ def get_runtime_status(ignore_selinux_state=False):
return True if ignore_selinux_state is True else selinux.is_selinux_enabled() return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
def has_boolean_value(module, name):
bools = []
try:
rc, bools = selinux.security_get_boolean_names()
except OSError:
module.fail_json(msg="Failed to get list of boolean names")
# work around for selinux who changed its API, see
# https://github.com/ansible/ansible/issues/25651
if len(bools) > 0:
if isinstance(bools[0], binary_type):
name = to_bytes(name)
if name in bools:
return True
else:
return False
def get_boolean_value(module, name): def get_boolean_value(module, name):
state = 0 state = 0
try: try:
@ -174,7 +156,10 @@ def semanage_set_boolean_value(module, handle, name, value):
semanage.semanage_handle_destroy(handle) semanage.semanage_handle_destroy(handle)
module.fail_json(msg="Failed to modify boolean key with semanage") module.fail_json(msg="Failed to modify boolean key with semanage")
if semanage.semanage_bool_set_active(handle, boolkey, sebool) < 0: if (
selinux.is_selinux_enabled()
and semanage.semanage_bool_set_active(handle, boolkey, sebool) < 0
):
semanage.semanage_handle_destroy(handle) semanage.semanage_handle_destroy(handle)
module.fail_json(msg="Failed to set boolean key active with semanage") module.fail_json(msg="Failed to set boolean key active with semanage")
@ -315,12 +300,9 @@ def main():
# Feature only available in selinux library since 2012. # Feature only available in selinux library since 2012.
name = selinux.selinux_boolean_sub(name) name = selinux.selinux_boolean_sub(name)
if not has_boolean_value(module, name):
module.fail_json(msg="SELinux boolean %s does not exist." % name)
if persistent: if persistent:
changed = semanage_boolean_value(module, name, state) changed = semanage_boolean_value(module, name, state)
else: elif selinux.is_selinux_enabled():
cur_value = get_boolean_value(module, name) cur_value = get_boolean_value(module, name)
if cur_value != state: if cur_value != state:
changed = True changed = True

9
tests/utils/shippable/shippable.sh
View file

@ -62,16 +62,7 @@ else
retry pip install "https://github.com/ansible/ansible/archive/stable-${ansible_version}.tar.gz" --disable-pip-version-check retry pip install "https://github.com/ansible/ansible/archive/stable-${ansible_version}.tar.gz" --disable-pip-version-check
fi fi
if [ "${SHIPPABLE_BUILD_ID:-}" ]; then
export ANSIBLE_COLLECTIONS_PATHS="${HOME}/.ansible"
SHIPPABLE_RESULT_DIR="$(pwd)/shippable"
TEST_DIR="${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/ansible/posix"
mkdir -p "${TEST_DIR}"
cp -aT "${SHIPPABLE_BUILD_DIR}" "${TEST_DIR}"
cd "${TEST_DIR}"
else
export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../" export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
fi
# START: HACK install dependencies # START: HACK install dependencies
if [ "${ansible_version}" == "2.9" ] || [ "${ansible_version}" == "2.10" ]; then if [ "${ansible_version}" == "2.9" ] || [ "${ansible_version}" == "2.10" ]; then