Merge pull request #1388 from goozbach/selinux_bugs

Make `policy` required only when `state` is not 'disabled'
Michael DeHaan 2012-10-19 16:35:15 -07:00
commit 68cf9a96fc


@ -28,8 +28,8 @@ version_added: "0.7"
options: options:
policy: policy:
description: description:
- "name of the SELinux policy to use (example: 'targeted')" - "name of the SELinux policy to use (example: 'targeted') will be required if state is not 'disabled'"
required: true required: false
default: null default: null
state: state:
description: description:
@ -44,11 +44,12 @@ options:
default: "/etc/selinux/config" default: "/etc/selinux/config"
examples: examples:
- code: selinux policy=targeted state=enforcing - code: selinux policy=targeted state=enforcing
- code: selinux policy=targeted state=disabled - code: selinux policy=targeted state=permissive
- code: selinux state=disabled
notes: notes:
- Not tested on any debian based system - Not tested on any debian based system
requirements: [ ] requirements: [ libselinux-python ]
author: Derek Carter author: Derek Carter <goozbach@friocorte.com>
''' '''
import os import os
@ -101,7 +102,7 @@ def set_state(state):
pass pass
else: else:
msg = 'trying to set invalid runtime state %s' % state msg = 'trying to set invalid runtime state %s' % state
fail_json(msg=msg) module.fail_json(msg=msg)
def set_config_policy(policy, configfile): def set_config_policy(policy, configfile):
# edit config file with state value # edit config file with state value
@ -117,11 +118,11 @@ def set_config_policy(policy, configfile):
def main(): def main():
if (not HAVE_SELINUX): if (not HAVE_SELINUX):
fail_json(msg='python-selinux required for this module') module.fail_json(msg='python-selinux required for this module')
module = AnsibleModule( module = AnsibleModule(
argument_spec = dict( argument_spec = dict(
policy=dict(required=True), policy=dict(required=False),
state=dict(choices=['enforcing', 'permissive', 'disabled'], required=True), state=dict(choices=['enforcing', 'permissive', 'disabled'], required=True),
configfile=dict(aliases=['conf','file'], default='/etc/selinux/config') configfile=dict(aliases=['conf','file'], default='/etc/selinux/config')
) )
@ -145,6 +146,14 @@ def main():
config_policy = get_config_policy(configfile) config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile) config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if (state != 'disabled'):
if (policy == '' or policy == None):
module.fail_json(msg='policy is required if state is not \'disabled\'')
else:
if (policy == '' or policy == None):
policy = config_policy
# check changed values and run changes # check changed values and run changes
if (policy != runtime_policy): if (policy != runtime_policy):
# cannot change runtime policy # cannot change runtime policy
@ -158,10 +167,13 @@ def main():
if (state != runtime_state): if (state != runtime_state):
if (state == 'disabled'): if (state == 'disabled'):
msgs.append('disabled state will take effect next reboot') msgs.append('state change will take effect next reboot')
else: else:
msgs.append('runtime state changed from \'%s\' to \'%s\'' % (runtime_state, state)) if (runtime_enabled):
set_state(state) set_state(state)
msgs.append('runtime state changed from \'%s\' to \'%s\'' % (runtime_state, state))
else:
msgs.append('state change will take effect next reboot')
changed=True changed=True
if (state != config_state): if (state != config_state):