Add new param "ignore_selinux_state" to seport, sefcontext, seboolean (#48945)
parent
4746781423
commit
04b381b28a
3 changed files with 42 additions and 3 deletions
|
@ -32,6 +32,12 @@ options:
|
||||||
- Desired boolean value
|
- Desired boolean value
|
||||||
type: bool
|
type: bool
|
||||||
required: true
|
required: true
|
||||||
|
ignore_selinux_state:
|
||||||
|
description:
|
||||||
|
- Useful for scenarios (chrooted environment) that you can't get the real SELinux state.
|
||||||
|
type: bool
|
||||||
|
default: false
|
||||||
|
version_added: '2.8'
|
||||||
notes:
|
notes:
|
||||||
- Not tested on any Debian based system.
|
- Not tested on any Debian based system.
|
||||||
requirements:
|
requirements:
|
||||||
|
@ -68,6 +74,10 @@ from ansible.module_utils.six import binary_type
|
||||||
from ansible.module_utils._text import to_bytes, to_text
|
from ansible.module_utils._text import to_bytes, to_text
|
||||||
|
|
||||||
|
|
||||||
|
def get_runtime_status(ignore_selinux_state=False):
|
||||||
|
return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
|
||||||
|
|
||||||
|
|
||||||
def has_boolean_value(module, name):
|
def has_boolean_value(module, name):
|
||||||
bools = []
|
bools = []
|
||||||
try:
|
try:
|
||||||
|
@ -260,6 +270,7 @@ def set_boolean_value(module, name, state):
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
|
ignore_selinux_state=dict(type='bool', default=False),
|
||||||
name=dict(type='str', required=True),
|
name=dict(type='str', required=True),
|
||||||
persistent=dict(type='bool', default=False),
|
persistent=dict(type='bool', default=False),
|
||||||
state=dict(type='bool', required=True),
|
state=dict(type='bool', required=True),
|
||||||
|
@ -273,7 +284,9 @@ def main():
|
||||||
if not HAVE_SEMANAGE:
|
if not HAVE_SEMANAGE:
|
||||||
module.fail_json(msg="This module requires libsemanage-python support")
|
module.fail_json(msg="This module requires libsemanage-python support")
|
||||||
|
|
||||||
if not selinux.is_selinux_enabled():
|
ignore_selinux_state = module.params['ignore_selinux_state']
|
||||||
|
|
||||||
|
if not get_runtime_status(ignore_selinux_state):
|
||||||
module.fail_json(msg="SELinux is disabled on this host.")
|
module.fail_json(msg="SELinux is disabled on this host.")
|
||||||
|
|
||||||
name = module.params['name']
|
name = module.params['name']
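Review bot: With `ignore_selinux_state` set, the guard in main() no longer stops the module on a host where SELinux is off, yet `persistent` still defaults to false in the argument_spec above, so a task can pass this check and then request a runtime-only boolean change that a disabled or unreachable SELinux presumably cannot honour. The rest of main() lies outside the hunk, so how that path fails is not visible here. It would be clearer to reject the combination right after the guard, e.g. `if ignore_selinux_state and not module.params['persistent']: module.fail_json(msg="ignore_selinux_state requires persistent=yes")`, or at least to state the restriction in the option description. `get_runtime_status` is also added verbatim to the other two files in this commit; a single shared helper would keep this gate from drifting between modules.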
|
||||||
|
|
|
@ -64,6 +64,12 @@ options:
|
||||||
- Note that this does not apply SELinux file contexts to existing files.
|
- Note that this does not apply SELinux file contexts to existing files.
|
||||||
type: bool
|
type: bool
|
||||||
default: 'yes'
|
default: 'yes'
|
||||||
|
ignore_selinux_state:
|
||||||
|
description:
|
||||||
|
- Useful for scenarios (chrooted environment) that you can't get the real SELinux state.
|
||||||
|
type: bool
|
||||||
|
default: false
|
||||||
|
version_added: '2.8'
|
||||||
notes:
|
notes:
|
||||||
- The changes are persistent across reboots.
|
- The changes are persistent across reboots.
|
||||||
- The M(sefcontext) module does not modify existing files to the new
|
- The M(sefcontext) module does not modify existing files to the new
|
||||||
|
@ -137,6 +143,10 @@ option_to_file_type_str = dict(
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def get_runtime_status(ignore_selinux_state=False):
|
||||||
|
return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
|
||||||
|
|
||||||
|
|
||||||
def semanage_fcontext_exists(sefcontext, target, ftype):
|
def semanage_fcontext_exists(sefcontext, target, ftype):
|
||||||
''' Get the SELinux file context mapping definition from policy. Return None if it does not exist. '''
|
''' Get the SELinux file context mapping definition from policy. Return None if it does not exist. '''
|
||||||
|
|
||||||
|
@ -235,6 +245,7 @@ def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore='
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
|
ignore_selinux_state=dict(type='bool', default=False),
|
||||||
target=dict(required=True, aliases=['path']),
|
target=dict(required=True, aliases=['path']),
|
||||||
ftype=dict(type='str', default='a', choices=option_to_file_type_str.keys()),
|
ftype=dict(type='str', default='a', choices=option_to_file_type_str.keys()),
|
||||||
setype=dict(type='str', required=True),
|
setype=dict(type='str', required=True),
|
||||||
|
@ -251,7 +262,9 @@ def main():
|
||||||
if not HAVE_SEOBJECT:
|
if not HAVE_SEOBJECT:
|
||||||
module.fail_json(msg="This module requires policycoreutils-python")
|
module.fail_json(msg="This module requires policycoreutils-python")
|
||||||
|
|
||||||
if not selinux.is_selinux_enabled():
|
ignore_selinux_state = module.params['ignore_selinux_state']
|
||||||
|
|
||||||
|
if not get_runtime_status(ignore_selinux_state):
|
||||||
module.fail_json(msg="SELinux is disabled on this host.")
|
module.fail_json(msg="SELinux is disabled on this host.")
|
||||||
|
|
||||||
target = module.params['target']
|
target = module.params['target']
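Review bot: The new option's description says when it is useful but not what it does: in main() the `selinux.is_selinux_enabled()` test is replaced by a helper that returns True whenever the flag is set, so the module goes on to manage file-context mappings without knowing whether SELinux is active. I would put a line such as `- Skips the check that SELinux is enabled on the target; the module then changes the policy even if SELinux is disabled.` ahead of the existing sentence. `get_runtime_status` also has no docstring; `"""Return True if the enabled check is bypassed or SELinux reports enabled."""` would cover it. Since the parameter is declared `type='bool'`, the body can be written as `return ignore_selinux_state or selinux.is_selinux_enabled()`.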
|
||||||
|
|
|
@ -42,6 +42,12 @@ options:
|
||||||
- Reload SELinux policy after commit.
|
- Reload SELinux policy after commit.
|
||||||
type: bool
|
type: bool
|
||||||
default: 'yes'
|
default: 'yes'
|
||||||
|
ignore_selinux_state:
|
||||||
|
description:
|
||||||
|
- Run independent of selinux runtime state
|
||||||
|
type: bool
|
||||||
|
default: false
|
||||||
|
version_added: '2.8'
|
||||||
notes:
|
notes:
|
||||||
- The changes are persistent across reboots.
|
- The changes are persistent across reboots.
|
||||||
- Not tested on any debian based system.
|
- Not tested on any debian based system.
|
||||||
|
@ -102,6 +108,10 @@ from ansible.module_utils.basic import AnsibleModule, HAVE_SELINUX
|
||||||
from ansible.module_utils._text import to_native
|
from ansible.module_utils._text import to_native
|
||||||
|
|
||||||
|
|
||||||
|
def get_runtime_status(ignore_selinux_state=False):
|
||||||
|
return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
|
||||||
|
|
||||||
|
|
||||||
def semanage_port_get_ports(seport, setype, proto):
|
def semanage_port_get_ports(seport, setype, proto):
|
||||||
""" Get the list of ports that have the specified type definition.
|
""" Get the list of ports that have the specified type definition.
|
||||||
|
|
||||||
|
@ -240,6 +250,7 @@ def semanage_port_del(module, ports, proto, setype, do_reload, sestore=''):
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
|
ignore_selinux_state=dict(type='bool', default=False),
|
||||||
ports=dict(type='list', required=True),
|
ports=dict(type='list', required=True),
|
||||||
proto=dict(type='str', required=True, choices=['tcp', 'udp']),
|
proto=dict(type='str', required=True, choices=['tcp', 'udp']),
|
||||||
setype=dict(type='str', required=True),
|
setype=dict(type='str', required=True),
|
||||||
|
@ -255,7 +266,9 @@ def main():
|
||||||
if not HAVE_SEOBJECT:
|
if not HAVE_SEOBJECT:
|
||||||
module.fail_json(msg="This module requires policycoreutils-python")
|
module.fail_json(msg="This module requires policycoreutils-python")
|
||||||
|
|
||||||
if not selinux.is_selinux_enabled():
|
ignore_selinux_state = module.params['ignore_selinux_state']
|
||||||
|
|
||||||
|
if not get_runtime_status(ignore_selinux_state):
|
||||||
module.fail_json(msg="SELinux is disabled on this host.")
|
module.fail_json(msg="SELinux is disabled on this host.")
|
||||||
|
|
||||||
ports = module.params['ports']
|
ports = module.params['ports']
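Review bot: The description added here (`Run independent of selinux runtime state`) differs from the wording the other two modules get for the same option, and it sits directly under `reload`, which defaults to yes. With the enabled check bypassed in main(), this hunk does not show whether the policy reload is still attempted; if it is, a reload inside a chroot may fail or not apply to the policy that was just edited. That is worth confirming and, if it holds, documenting with a line like `- Consider setting I(reload=no) when this option is enabled.`; reusing the description text from the other two modules would also keep the three consistent. main() continues past the end of the hunk.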
|
||||||
|
|