tests_selinux_disabled.yml incorrectly cleans up to `targeted` policy
Reproducer:
# cp -r /var/lib/selinux/targeted/ /var/lib/selinux/test
# cp -r /etc/selinux/targeted/ /etc/selinux/test
# sed -i 's/=targeted/=test/' /etc/selinux/config
# reboot
# sestatus | grep "policy name"
Loaded policy name: test
# ansible-playbook -i localhost, -c local tests_selinux_disabled.yml >& /dev/null
# sestatus | grep "policy name"
Loaded policy name: targeted
It's caused by https://github.com/linux-system-roles/selinux/blob/main/tests/tests_selinux_disabled.yml#L114
ansible-playbook -i localhost, -c local tests_selinux_disabled.yml
...
TASK [Restore original /etc/selinux/config] ************************************
changed: [localhost] => {"changed": true, "checksum": "90514c9087cde203c82f480b5f3d5a80139d5fd0", "dest": "/etc/selinux/config", "gid": 0, "group": "root", "md5sum": "48f28f6ac7296f4b21bea29c3ed411b3", "mode": "0644", "owner": "root", "secontext": "system_u:object_r:selinux_config_t:s0", "size": 1183, "src": "/etc/selinux/config.test_selinux_disabled", "state": "file", "uid": 0}
at this point, /etc/selinux/config should be restored to pre-test state, but later:
TASK [Include role to purge everything] ****************************************
included: linux-system-roles.selinux for localhost
...
TASK [linux-system-roles.selinux : Set permanent SELinux state if enabled] *****
changed: [localhost] => {"changed": true, "configfile": "/etc/selinux/config", "msg": "Running SELinux policy changed from 'test' to 'targeted', SELinux policy configuration in '/etc/selinux/config' changed from 'test' to 'targeted'", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
https://github.com/linux-system-roles/selinux/pull/292
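The drift described above (the saved `/etc/selinux/config` says `SELINUXTYPE=test`, the post-cleanup file says `targeted`) is easy to miss when the test only checks the exit status. The following shell script is an added example, not code from the linux-system-roles/selinux repository: it parses `SELINUXTYPE=` and `SELINUX=` from two config-style files and reports whether the cleanup changed them. The two sample files are constructed to mirror the reproducer; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the linux-system-roles/selinux tests): detect
# whether a test's cleanup left /etc/selinux/config with a different policy
# or mode than the copy saved before the test ran.

# Print the SELINUXTYPE value from an /etc/selinux/config-style file.
# Comment lines (such as "# SELINUXTYPE= can take ...") are ignored and the
# last assignment wins, matching how the file is read in practice.
selinux_config_policy() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Print the SELINUX mode (enforcing/permissive/disabled) from such a file.
# "SELINUX" must be followed directly by "=" so SELINUXTYPE lines do not match.
selinux_config_state() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when CURRENT carries the same policy and mode as SAVED,
# 1 otherwise, naming each differing field on stderr.
selinux_config_drift() {
    saved=$1
    current=$2
    rc=0
    if [ "$(selinux_config_policy "$saved")" != "$(selinux_config_policy "$current")" ]; then
        echo "SELINUXTYPE drifted: $(selinux_config_policy "$saved") -> $(selinux_config_policy "$current")" >&2
        rc=1
    fi
    if [ "$(selinux_config_state "$saved")" != "$(selinux_config_state "$current")" ]; then
        echo "SELINUX mode drifted: $(selinux_config_state "$saved") -> $(selinux_config_state "$current")" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample files: the copy saved before the test (policy 'test')
# and the file left behind after the role reset the policy to 'targeted'.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/config.saved" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=test
EOF
cat > "$SAMPLE_DIR/config.after" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted
EOF

# Stand-alone demonstration: the second comparison reports the drift.
if selinux_config_drift "$SAMPLE_DIR/config.saved" "$SAMPLE_DIR/config.saved"; then
    echo "saved vs saved: no drift"
fi
if selinux_config_drift "$SAMPLE_DIR/config.saved" "$SAMPLE_DIR/config.after"; then
    echo "saved vs after: no drift"
else
    echo "saved vs after: cleanup changed /etc/selinux/config"
fi
```

In a test playbook the same comparison can run as a final task against the backup copy (`/etc/selinux/config.test_selinux_disabled` in the log above) and the live file, so a cleanup that silently switches the policy fails the test instead of leaving the host in a different state.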