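--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,9 +14,6 @@
 state: present
 when: ansible_distribution == "Fedora"
 
-- name: Drop all local modifications first
- shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -
-
 - name: Set permanent SELinux mode
 selinux: policy={{ SELinux_type }} state={{ SELinux_mode }}
 when: SELinux_mode is defined
@@ -25,6 +22,13 @@
 command: /usr/sbin/setenforce {{ SELinux_mode }}
 when: SELinux_mode is defined and SELinux_change_running is defined
 
+- name: Drop all local modifications
+ shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -
+
+- name: Reload SELinux policy
+ command: semodule -R
+ when: ansible_selinux.status != "disabled"
+
 - name: Set SELinux booleans
 seboolean:
 name: "{{ item.name }}"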
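Review bot: The moved `Drop all local modifications` task in the second hunk still builds a shell pipeline by interpolating `{{drop_local_modifications}}` into an `echo`, and unlike the new `Reload SELinux policy` task it carries no `ansible_selinux.status` guard. The value comes from the role's own `vars/main.yml`, so the injection exposure is small, but the command module can feed it to semanage without a shell at all: `command: /usr/sbin/semanage -i -` with `args: {stdin: "{{ drop_local_modifications }}"}`. Both new tasks also report `changed` on every run because neither has a `changed_when`, which hides whether the role actually altered the policy store. Since `vars/main.yml` now passes `-N` to semanage, these deletions only take effect once `semodule -R` runs, and that reload is skipped when the status is "disabled"; a comment on the reload task such as `# vars/main.yml runs semanage with -N, so this is the only policy reload` would make the coupling visible.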
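--- /dev/null
+++ b/test/selinux.config
@@ -0,0 +1,14 @@
+
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=disabled
+# SELINUXTYPE= can take one of these three values:
+# targeted - Targeted processes are protected,
+# minimum - Modification of targeted policy. Only selected processes are protected.
+# mls - Multi Level Security protection.
+SELINUXTYPE=targeted
+
+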
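--- /dev/null
+++ b/test/test_selinux_disabled.yml
@@ -0,0 +1,48 @@
+
+- name: Ensure the default is targeted, enforcing, without local modifications
+ hosts: all
+ become: true
+ vars:
+ SELinux_type: targeted
+ SELinux_mode: enforcing
+
+ pre_tasks:
+ - name: Backup original /etc/selinux/config
+ copy:
+ remote_src: true
+ src: /etc/selinux/config
+ dest: /etc/selinux/config.test_selinux_disabled
+ - name: Upload testing /etc/selinux/config
+ copy:
+ src: selinux.config
+ dest: /etc/selinux/config
+ - name: Switch to permissive to allow login when selinuxfs is not mounted
+ command: setenforce 0
+ when: ansible_selinux.status != "disabled"
+ - name: Get selinuxfs mountpoint
+ shell: findmnt -n -t selinuxfs --output=target
+ register: selinux_mountpoint
+ - name: Umount {{ selinux_mountpoint.stdout }} to emulate SELinux disabled system
+ command: umount {{ selinux_mountpoint.stdout }}
+
+ roles:
+ - selinux
+
+ tasks:
+ - name: Mount {{ selinux_mountpoint.stdout }} back to system
+ command: mount -t selinuxfs selinuxfs {{ selinux_mountpoint.stdout }}
+ - name: Switch back to enforcing
+ command: setenforce 1
+ - name: Gather facts again
+ setup:
+ - name: Check SELinux config mode
+ assert:
+ that: "{{ ansible_selinux.config_mode == 'enforcing' }}"
+ mgs: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"
+ - name: Restore original /etc/selinux/config
+ copy:
+ remote_src: true
+ dest: /etc/selinux/config
+ src: /etc/selinux/config.test_selinux_disabled
+ - name: Remove /etc/selinux/config backup
+ command: rm /etc/selinux/config.test_selinux_disabled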
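Review bot: `mgs:` on the `Check SELinux config mode` assert is a typo for `msg:`, so the failure message is either rejected as an unsupported parameter or silently dropped depending on the Ansible version, and the `that:` value is a templated string where a bare expression is expected: `that: ansible_selinux.config_mode == 'enforcing'` and `msg: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"`. Separately, the restore of `/etc/selinux/config` and the removal of the backup only run if the assert passes, so a failed check leaves the host with the uploaded fixture (`SELINUX=disabled`) as its persistent SELinux config; the cleanup belongs in the `always:` section of a block, and the backup removal can use the `file` module instead of `command: rm`. A failure inside the role itself would still skip `tasks:` entirely, leaving selinuxfs unmounted and the fixture in place, so the cleanup may ultimately need to live outside this play.

```yaml
 tasks:
   - block:
       # … unchanged: mount selinuxfs back, setenforce 1, setup …
       - name: Check SELinux config mode
         assert:
           that: ansible_selinux.config_mode == 'enforcing'
           msg: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"
     always:
       - name: Restore original /etc/selinux/config
         copy:
           remote_src: true
           src: /etc/selinux/config.test_selinux_disabled
           dest: /etc/selinux/config
       - name: Remove /etc/selinux/config backup
         file:
           path: /etc/selinux/config.test_selinux_disabled
           state: absent
```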
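--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,6 @@
 ---
 drop_local_modifications: |
- boolean -D
- login -D
- port -D
- fcontext -D
+ boolean -D -N
+ login -D -N
+ port -D -N
+ fcontext -D -N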