Merge pull request #1388 from goozbach/selinux_bugs
make policy only be required if state is not disabled
commit
68cf9a96fc
1 changed files with 23 additions and 11 deletions
|
@ -28,8 +28,8 @@ version_added: "0.7"
|
||||||
options:
|
options:
|
||||||
policy:
|
policy:
|
||||||
description:
|
description:
|
||||||
- "name of the SELinux policy to use (example: 'targeted')"
|
- "name of the SELinux policy to use (example: 'targeted') will be required if state is not 'disabled'"
|
||||||
required: true
|
required: false
|
||||||
default: null
|
default: null
|
||||||
state:
|
state:
|
||||||
description:
|
description:
|
||||||
|
@ -44,11 +44,12 @@ options:
|
||||||
default: "/etc/selinux/config"
|
default: "/etc/selinux/config"
|
||||||
examples:
|
examples:
|
||||||
- code: selinux policy=targeted state=enforcing
|
- code: selinux policy=targeted state=enforcing
|
||||||
- code: selinux policy=targeted state=disabled
|
- code: selinux policy=targeted state=permissive
|
||||||
|
- code: selinux state=disabled
|
||||||
notes:
|
notes:
|
||||||
- Not tested on any debian based system
|
- Not tested on any debian based system
|
||||||
requirements: [ ]
|
requirements: [ libselinux-python ]
|
||||||
author: Derek Carter
|
author: Derek Carter <goozbach@friocorte.com>
|
||||||
'''
|
'''
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
@ -101,7 +102,7 @@ def set_state(state):
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
msg = 'trying to set invalid runtime state %s' % state
|
msg = 'trying to set invalid runtime state %s' % state
|
||||||
fail_json(msg=msg)
|
module.fail_json(msg=msg)
|
||||||
|
|
||||||
def set_config_policy(policy, configfile):
|
def set_config_policy(policy, configfile):
|
||||||
# edit config file with state value
|
# edit config file with state value
|
||||||
|
@ -117,11 +118,11 @@ def set_config_policy(policy, configfile):
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
if (not HAVE_SELINUX):
|
if (not HAVE_SELINUX):
|
||||||
fail_json(msg='python-selinux required for this module')
|
module.fail_json(msg='python-selinux required for this module')
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec = dict(
|
argument_spec = dict(
|
||||||
policy=dict(required=True),
|
policy=dict(required=False),
|
||||||
state=dict(choices=['enforcing', 'permissive', 'disabled'], required=True),
|
state=dict(choices=['enforcing', 'permissive', 'disabled'], required=True),
|
||||||
configfile=dict(aliases=['conf','file'], default='/etc/selinux/config')
|
configfile=dict(aliases=['conf','file'], default='/etc/selinux/config')
|
||||||
)
|
)
|
||||||
|
@ -145,6 +146,14 @@ def main():
|
||||||
config_policy = get_config_policy(configfile)
|
config_policy = get_config_policy(configfile)
|
||||||
config_state = get_config_state(configfile)
|
config_state = get_config_state(configfile)
|
||||||
|
|
||||||
|
# check to see if policy is set if state is not 'disabled'
|
||||||
|
if (state != 'disabled'):
|
||||||
|
if (policy == '' or policy == None):
|
||||||
|
module.fail_json(msg='policy is required if state is not \'disabled\'')
|
||||||
|
else:
|
||||||
|
if (policy == '' or policy == None):
|
||||||
|
policy = config_policy
|
||||||
|
|
||||||
# check changed values and run changes
|
# check changed values and run changes
|
||||||
if (policy != runtime_policy):
|
if (policy != runtime_policy):
|
||||||
# cannot change runtime policy
|
# cannot change runtime policy
|
||||||
|
@ -158,10 +167,13 @@ def main():
|
||||||
|
|
||||||
if (state != runtime_state):
|
if (state != runtime_state):
|
||||||
if (state == 'disabled'):
|
if (state == 'disabled'):
|
||||||
msgs.append('disabled state will take effect next reboot')
|
msgs.append('state change will take effect next reboot')
|
||||||
else:
|
else:
|
||||||
msgs.append('runtime state changed from \'%s\' to \'%s\'' % (runtime_state, state))
|
if (runtime_enabled):
|
||||||
set_state(state)
|
set_state(state)
|
||||||
|
msgs.append('runtime state changed from \'%s\' to \'%s\'' % (runtime_state, state))
|
||||||
|
else:
|
||||||
|
msgs.append('state change will take effect next reboot')
|
||||||
changed=True
|
changed=True
|
||||||
|
|
||||||
if (state != config_state):
|
if (state != config_state):
|
||||||
|
|
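Review bot: In main(), the new `module.fail_json(msg='python-selinux required for this module')` runs before `module = AnsibleModule(` is assigned a few lines later. Because `module` is assigned inside the same function, Python treats it as a local, so a host without the SELinux bindings would hit an UnboundLocalError traceback instead of the intended message. Moving the `if (not HAVE_SELINUX):` check to just after the `AnsibleModule(...)` call would fix that. The changed call in set_state(state), `module.fail_json(msg=msg)`, likewise relies on a name the function does not receive; unless a module-level `module` exists outside the visible hunks it would raise NameError, so consider passing `module` in as a parameter. The bodies of main() and set_state() extend beyond the hunks shown, so both points should be confirmed against the full file; as a style point, the new policy checks could read `if not policy:` rather than `policy == '' or policy == None`.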