ansible.posix/changelogs/fragments
Petr Lautrbach 0a07bdb358
seboolean: make it work with disabled SELinux (#496)
Sometimes it's necessary to configure SELinux before it's enabled on the
system. There's `ignore_selinux_state` which should allow it. Before
this change, the `seboolean` module failed on an SELinux-disabled system
even with `ignore_selinux_state: true` and SELinux policy installed, while
`semanage boolean` worked as expected:

    $ ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on ignore_selinux_state=true" all
    192.168.121.153 | FAILED! => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": false,
        "msg": "Failed to get list of boolean names"
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login

It's caused by `selinux.security_get_boolean_names()` and
`selinux.security_get_boolean_active(name)` which required an
SELinux-enabled system.

This change adds a fallback to the semanage API, which works on an
SELinux-disabled system when the SELinux targeted policy is installed:

    ANSIBLE_LIBRARY=plugins/modules ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on persistent=true ignore_selinux_state=true" all
    192.168.121.153 | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": true,
        "name": "ssh_sysadm_login",
        "persistent": true,
        "state": true
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login

Note that without `persistent=true` this module is effectively a NO-OP now.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2024-02-06 09:21:27 -06:00
.keep Prepare 1.1.1 release 2020-09-02 20:55:04 +00:00
421-remove-deprecation-warning.yml remove deprecated internal argument from synchronize (#421) 2024-01-11 14:24:45 -06:00
460-respawn.yaml respawn firewalld_info module when selinux is missing 2023-05-14 05:44:47 +00:00
466-tests.yml Replace 'include:' with 'include_tasks:'. 2023-05-21 13:17:48 +02:00
477_ci_update.yml Drop Python3.9 and update versions of RHEL,Fedora and FreeBSD for ansible-core:devel 2023-07-04 09:15:24 +09:00
484-firewalld-offline.yml firewalld: make offline do something 2023-11-29 00:06:36 +00:00
487_ci_update.yml Drop OSX10.11 and FreeBSD12.4 from CI 2023-08-02 16:03:19 +09:00
496_seboolean-make-it-wrk-with-SELinux-disabled.yaml seboolean: make it work with disabled SELinux (#496) 2024-02-06 09:21:27 -06:00
504-firewalld_info-warning.yaml Warn only when zones were ignored in firewalld_info (#504) 2024-01-09 16:07:58 -06:00
508_ci_update.yml Refactoring remote and docker CI tests. 2023-11-16 11:56:08 +09:00
510_ci_update.yml Replace Fedora 38 with 39 for devel branch container test 2023-11-22 17:09:41 +09:00
dropping-ansible29.yml refactor to comply with current ansible-lint and sanity guidelines 2023-12-06 17:22:59 -06:00
test-reqs.yml Switch to Ansible Galaxy compatible requirements files for tests. 2023-05-26 08:14:28 +02:00