selinux modules don't change SELINUXTYPE when it's not exist in /etc/selinux/config. #23

nfwork01 · 2020-05-05T08:11:26Z

SUMMARY

SELinux moduled does not add new SELINUXTYPE line in /etc/selinux/config when that line does not exits.

ISSUE TYPE

Bug Report

COMPONENT NAME

selinux

ANSIBLE VERSION

ansible 2.9.7                                                                                                                                                                                               python version = 3.8.2 (default, Mar 13 2020, 10:14:16) [GCC 9.3.0]

CONFIGURATION

Ansible tasks

- name: "1.6.1.2 - Ensure the SELinux state is enforcing"
  selinux:
    policy: targeted
    state: enforcing
  register: tmp

# For detailed information, no need for production.
- debug:
    msg: "{{ tmp }}"

/etc/selinux/config

# No SELINUXTYPE setting on the conf file
# selinux module works well when the line exists.
SELINUX=disabled

EXPECTED RESULTS

/etc/selinux/config

SELINUX=enforcing
SELINUXTYPE=targeted

ACTUAL RESULTS

/etc/selinux/config

SELINUX=enforcing

tasks log

TASK [cis_rhel7 : 1.6.1.2 - Ensure the SELinux state is enforcing] [WARNING]: Reboot is required to set SELinux state to 'enforcing'
changed: [10.0.0.129]

TASK [cis_rhel7 : debug] *********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
ok: [10.0.0.129] => {
    "msg": {
        "changed": true,
        "configfile": "/etc/selinux/config",
        "failed": false,
        "msg": "SELinux policy configuration in '/etc/selinux/config' changed from 'None' to 'targeted'",
        "policy": "targeted",
        "reboot_required": true,
        "state": "enforcing",
        "warnings": [
            "Reboot is required to set SELinux state to 'enforcing'"
        ]
    }
}

task log says "policy was changed to targeted" but not reflected to the config file.

The text was updated successfully, but these errors were encountered:

Previously the selinux module would only edit the state of found configuration keys SELINUX and SELINUXTYPE in /etc/selinux/config but would not add them with desired state if they were not found. Fixes ansible-collections#23 ansible-collections#23 Signed-off-by: Adam Miller <admiller@redhat.com>

maxamillion · 2020-06-18T21:06:50Z

Fixed here: #52

Previously the selinux module would only edit the state of found configuration keys SELINUX and SELINUXTYPE in /etc/selinux/config but would not add them with desired state if they were not found. Fixes ansible-collections#23 ansible-collections#23 Signed-off-by: Adam Miller <admiller@redhat.com>

maxamillion mentioned this issue Jun 18, 2020

selinux - add missing config keys when needed #52

Merged

ansible-zuul bot closed this as completed in #52 Jun 19, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

selinux modules don't change SELINUXTYPE when it's not exist in /etc/selinux/config. #23

selinux modules don't change SELINUXTYPE when it's not exist in /etc/selinux/config. #23

nfwork01 commented May 5, 2020

maxamillion commented Jun 18, 2020

selinux modules don't change SELINUXTYPE when it's not exist in /etc/selinux/config. #23

selinux modules don't change SELINUXTYPE when it's not exist in /etc/selinux/config. #23

Comments

nfwork01 commented May 5, 2020

SUMMARY

ISSUE TYPE

COMPONENT NAME

ANSIBLE VERSION

CONFIGURATION

EXPECTED RESULTS

ACTUAL RESULTS

maxamillion commented Jun 18, 2020