ansible.posix

selinux module to return current state if no changes requested

Open bluikko opened this issue 3 years ago • 0 comments

SUMMARY

The module ansible.posix.selinux provides the mandatory state parameter for changing SELinux mode.
But there is no way to query the current running or permanent/saved mode. The module could provide an option to just query and return the SELinux mode without changing the configuration.

The module already returns the state variable in its return value and this could be used to return the current SELinux mode when not changing the configuration.
Thus implementing this functionality could be done in a way that is backwards compatible and it would not be an invasive change from the user's point of view.

There could be various ways of signaling to the selinux module that no change is required and only current status is to be queried, see "Additional information" for a detailed discussion.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

selinux

ADDITIONAL INFORMATION

Currently there seems to be no way to query the SELinux mode without using the ansible.builtin.command module.

The selinux module could provide a way to return the SELinux mode - and also the "policy" name ("targeted", etc.).
The mode can be in two different areas:

  • The current running SELinux mode.
  • The permanent or saved mode in /etc/selinux/config (or other configuration file) that is set on boot.

Providing a way to return either or even both would be useful and reduce the unnecessary use of ansible.builtin.command + manual parsing.
The module already has return values that could be populated when querying the current status: the state and the policy return values.

There could be at least two different options for calling the selinux module to return the state without changing configuration. One of the following options could be chosen:

  1. Make the state parameter optional: if the state parameter is not used then don't change anything and just return the current SELinux state. Would need to choose if this would return the current/running state or the configured/boot-time state.
  2. Additional options for the state parameter:
     a. If the state parameter is set to (for example) query then return the saved/permanent SELinux configuration.
     b. If the state parameter is set to (for example) running then return the current running SELinux state.

- name: Check SELinux boot-time state configuration
  ansible.posix.selinux:
    state: query

bluikko, Mar 16 '22 04:03
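The "manual parsing" this issue refers to, as an added example that is not part of the issue or of the ansible.posix module's code: it separates the running mode (the output of `getenforce`) from the boot-time mode and policy saved in /etc/selinux/config, and flags when the two disagree. The function names and the sample inputs are assumptions constructed for illustration.

```python
VALID_MODES = {"enforcing", "permissive", "disabled"}

# Constructed sample of /etc/selinux/config contents (not from a real host).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
# SELINUXTYPE= names the policy to load at boot.
SELINUXTYPE=targeted   # trailing comment
"""


def parse_selinux_config(text):
    """Return the saved (boot-time) state and policy from config file text."""
    saved = {"state": None, "policy": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # In this sketch a later assignment overwrites an earlier one.
        if key == "SELINUX" and value.lower() in VALID_MODES:
            saved["state"] = value.lower()
        elif key == "SELINUXTYPE" and value:
            saved["policy"] = value
    return saved


def parse_getenforce(output):
    """Normalise `getenforce` output (Enforcing, Permissive or Disabled)."""
    mode = output.strip().lower()
    if mode not in VALID_MODES:
        raise ValueError("unexpected getenforce output: %r" % output)
    return mode


def selinux_status(config_text, getenforce_output):
    """Combine running and saved mode; 'drift' is True when they differ."""
    saved = parse_selinux_config(config_text)
    running = parse_getenforce(getenforce_output)
    return {
        "running": running,
        "configured": saved["state"],
        "policy": saved["policy"],
        "drift": running != saved["state"],
    }


if __name__ == "__main__":
    # Constructed case: host switched to permissive at runtime, config untouched.
    print(selinux_status(SAMPLE_CONFIG, "Permissive\n"))
```

A `drift` value of True with `running` set to permissive is the case worth reporting: the host is not enforcing policy now even though the saved configuration says it will after the next boot.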