defined selinux_ports cause error when selinux_state=disabled #188

Closed
goshansp opened this issue Sep 12, 2023 · 2 comments · Fixed by #194

@goshansp

Setting selinux_ports will cause the module to fail if selinux_state=disabled. We need to set selinux_ports globally.

Workaround: Setting selinux_ports=[] for all hosts that have selinux_state=disabled, and hence bloating the inventory.

Is there a way to avoid this without a PR?

@bachradsusi
Member

"seport" module has "ignore_selinux_state" option:

- ignore_selinux_state
        Run independent of selinux runtime state
        default: false
        type: bool

With the following change, it's possible to set SELinux port mapping on a system with SELinux disabled but with "selinux-policy-targeted" installed:

diff --git a/tasks/main.yml b/tasks/main.yml
index f78f8a18ab1e..6da1a674d7e1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -102,6 +102,7 @@
     setype: "{{ item.setype }}"
     state: "{{ item.state | default('present') }}"
     local: "{{ item.local | default(False) }}"
+    ignore_selinux_state: "{{ selinux_state != 'disabled' }}"
   with_items: "{{ selinux_ports }}"
 
 - name: Set linux user to SELinux user mapping
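
Review bot: The condition on the added `ignore_selinux_state` line is inverted. `selinux_state != 'disabled'` evaluates to false exactly when `selinux_state` is `disabled`, which is the failing case reported in this issue, and to true in every other case, where the runtime check does not need to be bypassed. It also tests the role variable `selinux_state` rather than what the node itself reports, so a host whose inventory value and actual state differ would get the wrong answer. Suggest deriving the value from the gathered fact instead, for example `ansible_selinux.status == 'disabled'`, and adding a short comment on the line saying that the targeted policy must be installed for this to work.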

@bachradsusi
Member

ignore_selinux_state: "{{ selinux_state != 'disabled' }}"

This is wrong; correct would be ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"

I'll prepare a patch which will add the same option to other modules.

bachradsusi added a commit to bachradsusi/linux-system-roles-selinux that referenced this issue Sep 20, 2023
It is possible to configure SELinux on nodes with SELinux disabled
before they're switched to permissive/enforcing. The only requirement is
that targeted SELinux policy (or a policy configured in
/etc/selinux/config) needs to be installed.

Fixes: linux-system-roles#188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
bachradsusi added a commit to bachradsusi/linux-system-roles-selinux that referenced this issue Sep 21, 2023
It is possible to configure SELinux on nodes with SELinux disabled
before they're switched to permissive/enforcing. The only requirement is
that targeted SELinux policy (or a policy configured in
/etc/selinux/config) needs to be installed.

It's also necessary to use seboolean module with `persistent: true` when
SELinux is disabled.

Fixes: linux-system-roles#188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
bachradsusi added a commit to bachradsusi/linux-system-roles-selinux that referenced this issue Oct 3, 2023
It is possible to configure SELinux on nodes with SELinux disabled
before they're switched to permissive/enforcing. The only requirement is
that targeted SELinux policy (or a policy configured in
/etc/selinux/config) needs to be installed.

It's also necessary to use seboolean module with `persistent: true` when
SELinux is disabled.

Fixes: linux-system-roles#188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
bachradsusi added a commit to bachradsusi/linux-system-roles-selinux that referenced this issue Oct 4, 2023
When targeted SELinux policy is installed it should be possible to set up
SELinux while disabled and before it's changed to permissive/enforcing.

Related to linux-system-roles#188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
bachradsusi added a commit to bachradsusi/linux-system-roles-selinux that referenced this issue Oct 5, 2023
It is possible to configure SELinux on nodes with SELinux disabled
before they're switched to permissive/enforcing. The only requirement is
that targeted SELinux policy (or a policy configured in
/etc/selinux/config) needs to be installed.

It's also necessary to use seboolean module with `persistent: true` when
SELinux is disabled.

Fixes: linux-system-roles#188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
bachradsusi added a commit to bachradsusi/linux-system-roles-selinux that referenced this issue Oct 10, 2023
When targeted SELinux policy is installed it should be possible to set up
SELinux while disabled and before it's changed to permissive/enforcing.

Related to linux-system-roles#188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
richm pushed a commit that referenced this issue Oct 10, 2023
It is possible to configure SELinux on nodes with SELinux disabled
before they're switched to permissive/enforcing. The only requirement is
that targeted SELinux policy (or a policy configured in
/etc/selinux/config) needs to be installed.

It's also necessary to use seboolean module with `persistent: true` when
SELinux is disabled.

Fixes: #188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
richm pushed a commit that referenced this issue Oct 13, 2023
When targeted SELinux policy is installed it should be possible to set up
SELinux while disabled and before it's changed to permissive/enforcing.

Related to #188

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
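
The approach described in the comments and commit messages above, written out as standalone tasks. This is an added example, not the role's own tasks/main.yml: the module names `community.general.seport` and `ansible.posix.seboolean`, the `selinux_booleans` variable and the item keys are assumptions, and facts are assumed to be gathered so that `ansible_selinux.status` is populated.

```yaml
# Added example (not the role's code). Assumes gathered facts and that the
# targeted policy, or the policy named in /etc/selinux/config, is installed.

- name: Manage SELinux port mappings, also on hosts where SELinux is disabled
  community.general.seport:
    ports: "{{ item.ports }}"
    proto: "{{ item.proto | default('tcp') }}"
    setype: "{{ item.setype }}"
    state: "{{ item.state | default('present') }}"
    local: "{{ item.local | default(false) }}"
    # Keyed on the state the host reports, not on the requested selinux_state:
    # a host can be disabled at runtime while the inventory asks for enforcing
    # (for example before the reboot that enables SELinux).
    # The first proposal, "{{ selinux_state != 'disabled' }}", is false in
    # exactly the disabled case, so the module would still fail there.
    ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
  loop: "{{ selinux_ports | default([]) }}"

- name: Manage SELinux booleans, also on hosts where SELinux is disabled
  ansible.posix.seboolean:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    # With SELinux disabled only the stored policy can be changed, so the
    # boolean has to be written persistently.
    persistent: "{{ true if ansible_selinux.status == 'disabled'
                    else (item.persistent | default(false)) }}"
    ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
  loop: "{{ selinux_booleans | default([]) }}"
```

On a host without the SELinux Python bindings the `ansible_selinux.status` fact is not `disabled`, so both tasks keep the modules' default behaviour there.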