Merge pull request #6 from blackstar257/issue-1

Relabel Files Upon Boot
blackstar257 · Nov 8, 2019 · 194daff · 194daff
2 parents de6cf7b + dbb395b
commit 194daff
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -11,10 +11,11 @@ This role requires Ansible 1.4 or higher.
 
 ## Role Variables
 
-| Name           | Default    | Description                                       |
-| -------------- | ---------- | ------------------------------------------------- |
-| selinux_policy | targeted   | SELinux policy type (targeted or mls)             |
-| selinux_state  | permissive | SELinux state (permissive, enforcing or disabled) |
+| Name            | Default    | Description                                       |
+| --------------- | ---------- | ------------------------------------------------- |
+| selinux_policy  | targeted   | SELinux policy type (targeted or mls)             |
+| selinux_state   | permissive | SELinux state (permissive, enforcing or disabled) |
+| selinux_relabel | true       | Auto relabel files upon boot if enabled           |
 
 ## Dependencies
 
@@ -27,7 +28,7 @@ Configure SELinux in permissive mode.
 ```yaml
 - hosts: all
   roles:
-    - { role: blackstar257.selinux }
+    - blackstar257.selinux
 ```
 
 Disable SELinux
@@ -42,12 +43,11 @@ Configure SELinux to use mls policy and enforcing mode
 
 ```yaml
 - hosts: all
+  vars:
+    selinux_policy: mls
+    selinux_state: enforcing
   roles:
-    - {
-        role: blackstar257.selinux,
-        selinux_policy: mls,
-        selinux_state: enforcing,
-      }
+    - blackstar257.selinux
 ```
 
 ## License

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 selinux_policy: targeted
 selinux_state: permissive
+selinux_relabel: true
diff --git a/tasks/rhel.yml b/tasks/rhel.yml
@@ -2,17 +2,34 @@
 - name: Grab facts about packages
   package_facts:
     manager: auto
+  tags: ["selinux"]
 
 - name: Install libselinux-python bindings
   yum:
     name: libselinux-python
     state: present
+  when:
+    - "'libselinux-python' not in ansible_facts.packages"
+    - "'selinux-policy' in ansible_facts.packages"
   tags: ["selinux"]
-  when: "'libselinux-python' not in ansible_facts.packages and 'selinux-policy' in ansible_facts.packages"
 
 - name: Set SELinux policy and state
   selinux:
     policy: "{{ selinux_policy }}"
     state: "{{ selinux_state }}"
-  tags: ["selinux"]
+  register: selinux_status_change
+  changed_when:
+    - selinux_status_change is changed
+    - ansible_selinux.status != 'disabled'
   when: "'selinux-policy' in ansible_facts.packages"
+  tags: ["selinux"]
+
+- name: Auto relabel files upon boot if enabled
+  file:
+    path: /.autorelabel
+    state: touch
+  when:
+    - selinux_status_change is changed
+    - selinux_relabel
+    - selinux_state != 'disabled'
+  tags: ["selinux"]