diff --git a/tasks/main.yml b/tasks/main.yml
index e10b2f2..7d7479d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -14,9 +14,6 @@
state: present
when: ansible_distribution == "Fedora"
-- name: Drop all local modifications first
- shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -
-
- name: Set permanent SELinux mode
selinux: policy={{ SELinux_type }} state={{ SELinux_mode }}
when: SELinux_mode is defined
@@ -25,6 +22,13 @@
command: /usr/sbin/setenforce {{ SELinux_mode }}
when: SELinux_mode is defined and SELinux_change_running is defined
+- name: Drop all local modifications
+ shell: echo "{{drop_local_modifications}}" | /usr/sbin/semanage -i -
+
+- name: Reload SELinux policy
+ command: semodule -R
+ when: ansible_selinux.status != "disabled"
+
- name: Set SELinux booleans
seboolean:
name: "{{ item.name }}"
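Review bot: Both new tasks use `shell`/`command` with no `changed_when`, so every play reports the drop and the reload as changed, and `semodule -R` is run even when the drop step removed nothing; registering the drop task's result and conditioning the reload on it (or at least `changed_when: false` on the reload) would keep the role's reporting honest. `semodule -R` is also the only command in this file without an absolute path while the neighbouring tasks call `/usr/sbin/semanage` and `/usr/sbin/setenforce`; `command: /usr/sbin/semodule -R` keeps that consistent. Feeding `drop_local_modifications` through `shell` via `echo` means anyone who can override that variable (inventory, extra-vars) gets shell execution on the target; if the Ansible version in use supports it, `command: /usr/sbin/semanage -i -` with `stdin: "{{ drop_local_modifications }}"` avoids the shell entirely. `ansible_selinux.status` is a bare attribute access, and on hosts whose fact gatherer lacks the libselinux bindings `ansible_selinux` has been reported as a plain boolean rather than a mapping, so a guard like `ansible_selinux is mapping and ansible_selinux.status != "disabled"` may be worth adding. The `seboolean` task that follows continues outside this hunk.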
diff --git a/test/selinux.config b/test/selinux.config
new file mode 100644
index 0000000..a520b96
--- /dev/null
+++ b/test/selinux.config
@@ -0,0 +1,14 @@
+
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=disabled
+# SELINUXTYPE= can take one of these three values:
+# targeted - Targeted processes are protected,
+# minimum - Modification of targeted policy. Only selected processes are protected.
+# mls - Multi Level Security protection.
+SELINUXTYPE=targeted
+
+
diff --git a/test/test_selinux_disabled.yml b/test/test_selinux_disabled.yml
new file mode 100644
index 0000000..b13bfef
--- /dev/null
+++ b/test/test_selinux_disabled.yml
@@ -0,0 +1,48 @@
+
+- name: Ensure the default is targeted, enforcing, without local modifications
+ hosts: all
+ become: true
+ vars:
+ SELinux_type: targeted
+ SELinux_mode: enforcing
+
+ pre_tasks:
+ - name: Backup original /etc/selinux/config
+ copy:
+ remote_src: true
+ src: /etc/selinux/config
+ dest: /etc/selinux/config.test_selinux_disabled
+ - name: Upload testing /etc/selinux/config
+ copy:
+ src: selinux.config
+ dest: /etc/selinux/config
+ - name: Switch to permissive to allow login when selinuxfs is not mounted
+ command: setenforce 0
+ when: ansible_selinux.status != "disabled"
+ - name: Get selinuxfs mountpoint
+ shell: findmnt -n -t selinuxfs --output=target
+ register: selinux_mountpoint
+ - name: Umount {{ selinux_mountpoint.stdout }} to emulate SELinux disabled system
+ command: umount {{ selinux_mountpoint.stdout }}
+
+ roles:
+ - selinux
+
+ tasks:
+ - name: Mount {{ selinux_mountpoint.stdout }} back to system
+ command: mount -t selinuxfs selinuxfs {{ selinux_mountpoint.stdout }}
+ - name: Switch back to enforcing
+ command: setenforce 1
+ - name: Gather facts again
+ setup:
+ - name: Check SELinux config mode
+ assert:
+ that: "{{ ansible_selinux.config_mode == 'enforcing' }}"
+ mgs: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"
+ - name: Restore original /etc/selinux/config
+ copy:
+ remote_src: true
+ dest: /etc/selinux/config
+ src: /etc/selinux/config.test_selinux_disabled
+ - name: Remove /etc/selinux/config backup
+ command: rm /etc/selinux/config.test_selinux_disabled
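Review bot: The cleanup in `tasks:` never runs if the role or the assertion fails, which leaves the host with selinuxfs unmounted and the uploaded `SELINUX=disabled` config still in `/etc/selinux/config`, so the next reboot comes up with SELinux off; applying the role through `include_role` inside a `block:` whose `always:` remounts selinuxfs, re-enables enforcing, gathers facts and restores the backup, with the assertion placed after the block, keeps the host safe on any failure path (facts must be gathered before the restore, since `config_mode` presumably reflects the on-disk config file). Independently, the `assert` on line 93 spells its argument `mgs:`, which depending on the Ansible version is either silently ignored or rejected as an unsupported parameter, so the message is never shown; it should be `msg:`, and `that:` should hold the bare expression `that: "ansible_selinux.config_mode == 'enforcing'"` rather than a `{{ }}`-templated one. The unconditional `umount {{ selinux_mountpoint.stdout }}` and `setenforce 1` also assume the host started enforcing with selinuxfs mounted; guarding them on a non-empty `selinux_mountpoint.stdout` and on the original status avoids breaking a permissive or already-disabled test host.
```yaml
  tasks:
    - block:
        - name: Apply the role while selinuxfs is unmounted
          include_role:
            name: selinux
      always:
        # Runs even if the role fails, so the host is never left with
        # selinuxfs unmounted and SELINUX=disabled persisted on disk.
        - name: Mount {{ selinux_mountpoint.stdout }} back to system
          command: mount -t selinuxfs selinuxfs {{ selinux_mountpoint.stdout }}
        - name: Switch back to enforcing
          command: setenforce 1
        - name: Gather facts again
          setup:
        # … unchanged: restore original /etc/selinux/config, remove backup …
    - name: Check SELinux config mode
      assert:
        that: "ansible_selinux.config_mode == 'enforcing'"
        msg: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"
```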
diff --git a/vars/main.yml b/vars/main.yml
index 74ae42f..4dcb80d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,6 @@
---
drop_local_modifications: |
- boolean -D
- login -D
- port -D
- fcontext -D
+ boolean -D -N
+ login -D -N
+ port -D -N
+ fcontext -D -N
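Review bot: Adding `-N` changes what every line in this block does — the deletions now go only into the policy store and are not loaded into the running policy — but nothing in the file records that, and a reader has to find the new "Reload SELinux policy" task in tasks/main.yml to see how and when the reload happens. A comment above the block would make that coupling explicit: `# -N: update the policy store without reloading, so this also works on a host with no loaded policy;` followed by `# the running policy is refreshed afterwards by the "Reload SELinux policy" task in tasks/main.yml.`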