Added setting of seuser and selevel for completeness (#108)

Added setting of seuser and selevel for completeness See Issue #106 "RFE: Support for setting seuser in selinux_fcontexts" #106 Added explanation of seuser and selevel parameters Added -F flag to restorecon to force reset See "man restorecon" for more detail on -F flag Authored-by: Benjamin Blasco <bblasco@redhat.com>
linux-system-roles · Jul 28, 2022 · 2dcf33c · 2dcf33c
1 parent 8363bc9
commit 2dcf33c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -100,6 +100,9 @@ selinux_booleans:
 selinux_fcontexts:
   - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }
 ```
+Users may also pass the following optional parameters:
+- `seuser`: to set the SELinux user
+- `selevel`: to set the MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range.
 
 Individual modifications can be dropped by setting `state` to `absent`.
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -69,17 +69,18 @@
     setype: "{{ item.setype }}"
     ftype: "{{ item.ftype | default('a') }}"
     state: "{{ item.state | default('present') }}"
-    # FIXME: selevel, seuser
+    selevel: "{{ item.selevel | default(omit) }}"
+    seuser: "{{ item.seuser | default(omit) }}"
   with_items: "{{ selinux_fcontexts }}"
 
 - name: Restore SELinux labels on filesystem tree
-  command: /sbin/restorecon -R -v {{ item }}
+  command: /sbin/restorecon -R -F -v {{ item }}
   with_items: "{{ selinux_restore_dirs }}"
   register: restorecon_cmd
   changed_when: '"Relabeled" in restorecon_cmd.stdout'
 
 - name: Restore SELinux labels on filesystem tree in check mode
-  command: /sbin/restorecon -R -v -n {{ item }}
+  command: /sbin/restorecon -R -F -v -n {{ item }}
   with_items: "{{ selinux_restore_dirs }}"
   register: restorecon_cmd
   changed_when: '"Would relabel" in restorecon_cmd.stdout'