Use ignore_selinux_state module option

It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing. The only requirement is that targeted SELinux policy (or a policy configured in /etc/selinux/config) needs to be installed. Fixes: #188 Signed-off-by: Petr Lautrbach <[email protected]>
linux-system-roles · Sep 20, 2023 · 76fc56a · 76fc56a
1 parent 312b327
commit 76fc56a
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -69,6 +69,7 @@
     name: "{{ item.name }}"
     state: "{{ item.state }}"
     persistent: "{{ item.persistent | default('no') }}"
+    ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
   with_items: "{{ selinux_booleans }}"
 
 - name: Set SELinux file contexts
@@ -79,6 +80,7 @@
     state: "{{ item.state | default('present') }}"
     selevel: "{{ item.selevel | default(omit) }}"
     seuser: "{{ item.seuser | default(omit) }}"
+    ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
   with_items: "{{ selinux_fcontexts }}"
 
 - name: Restore SELinux labels on filesystem tree
@@ -102,6 +104,7 @@
     setype: "{{ item.setype }}"
     state: "{{ item.state | default('present') }}"
     local: "{{ item.local | default(False) }}"
+    ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
   with_items: "{{ selinux_ports }}"
 
 - name: Set linux user to SELinux user mapping
@@ -111,6 +114,7 @@
     serange: "{{ item.serange | default('s0') }}"
     state: "{{ item.state | default('present') }}"
     reload: "{{ item.reload | default(False) }}"
+    ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
   with_items: "{{ selinux_logins }}"
   notify: __selinux_reload_policy