Handle SELinux properly when it is disabled
This patch skips the `find` task that searches for unlabeled content on systems where SELinux is disabled; that task fails because labels aren't loaded in that state. The patch also fixes an idempotence test failure caused by the `selinux` Ansible module repeatedly trying to put SELinux into enforcing mode when it is disabled. Closes-bug: 1649617 Change-Id: I7d30a07bd7e8a4461846660c281b9e53b0783461
parent
3942b20fb1
commit
3e908d3d7b
@ -26,11 +26,16 @@
|
||||
- high
|
||||
- RHEL-07-020210
|
||||
|
||||
# NOTE(mhayden): The "changed_when" is required here because this task will
|
||||
# always show as changed when SELinux is completely disabled. It's not possible
|
||||
# to switch to permissive/enforcing in an online way when SELinux is completely
|
||||
# disabled at boot time.
|
||||
- name: Ensure SELinux is in enforcing mode on the next reboot
|
||||
selinux:
|
||||
state: enforcing
|
||||
policy: targeted
|
||||
register: selinux_status_change
|
||||
changed_when: selinux_status_change | changed and ansible_selinux.status != 'disabled'
|
||||
when:
|
||||
- ansible_os_family == "RedHat"
|
||||
- security_rhel7_enable_linux_security_module | bool
|
||||
@ -61,6 +66,7 @@
|
||||
check_mode: no
|
||||
when:
|
||||
- ansible_os_family == 'RedHat'
|
||||
- ansible_selinux.status != 'disabled'
|
||||
tags:
|
||||
- lsm
|
||||
- medium
|
||||
|
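Review bot: The new guard `- ansible_selinux.status != 'disabled'` in the second hunk (and the same comparison inside the `changed_when` of the first) also lets the `find` task run on hosts whose fact reports a status other than `enabled`, such as the string Ansible sets when the SELinux Python bindings are missing, which is presumably the same no-labels situation the patch intends to skip. Checking the positive case, `- ansible_selinux.status == 'enabled'`, limits the search to hosts that actually have labels loaded. Separately, the `changed_when` override hides the one real change on a disabled host: the first run's edit of the persistent SELinux configuration (the task's own name says it takes effect on the next reboot), so any `notify` later attached to this task would not fire there; a short comment next to the existing NOTE stating that this trade-off is deliberate would help the next maintainer. The task in the second hunk begins before the hunk, and the first hunk opens inside the `tags` list of the preceding task.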