validations-common/validations_common/roles/check_selinux_mode/tasks/main.yml

---
- name: Get current SELinux mode
  command: getenforce
  become: true
  register: sestatus
  changed_when: false

- name: Fail if SELinux is not in Enforced mode (RHEL)
  fail:
    msg: >-
      SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
      Ensure that SELinux is enabled and running in Enforcing mode.      
  when:
    - "sestatus.stdout != 'Enforcing'"
    - "ansible_distribution == 'RedHat'"

- name: Warn if SELinux is not in Enforced mode (CentOS)
  warn:
    msg: >-
      SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
      Ensure that SELinux is enabled and running in Enforcing mode.      
  when:
    - "sestatus.stdout != 'Enforcing'"
    - "ansible_distribution == 'CentOS'"