seport: add `local` argument #5203

bachradsusi · 2022-08-31T09:57:10Z

Using local: true users can enforce to work only with local policy
modifications. i.e.

# Without `local`, no new modification is added when port already exists
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost

localhost | SUCCESS => {
    "changed": false,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "present"
}

$ sudo semanage port -l -C

# With `local`, a port is always added/changed in local modification list
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost

localhost | CHANGED => {
    "changed": true,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "present"
}

$ sudo semanage port -l -C
SELinux Port Type              Proto    Port Number

ssh_port_t                     tcp      22

# With `local`, seport removes the port only from local modifications
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost

localhost | CHANGED => {
    "changed": true,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "absent"
}

$ sudo semanage port -l -C

# Even though the port is still defined in system policy, the module
# result is success as there's no port local modification
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost

localhost | SUCCESS => {
    "changed": false,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "absent"
}

# But it fails without `local` as it tries to remove port defined in
# system policy
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted
localhost | FAILED! => {
    "changed": false,
    "msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n"
}

Signed-off-by: Petr Lautrbach plautrba@redhat.com

SUMMARY

ISSUE TYPE

Bugfix Pull Request
Docs Pull Request
Feature Pull Request
New Module Pull Request

COMPONENT NAME

ADDITIONAL INFORMATION

ansibullbot · 2022-08-31T10:07:37Z

cc @dankeder
click here for bot help

github-actions · 2022-08-31T10:15:51Z

Docs Build 📝

Thank you for contribution!✨

This PR has been merged and your docs changes will be incorporated when they are next published.

plugins/modules/system/seport.py

felixfontein

Thanks for your contribution! Could you please add a changelog fragment? Thanks.

plugins/modules/system/seport.py

Using `local: true` users can enforce to work only with local policy modifications. i.e. # Without `local`, no new modification is added when port already exists $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C # With `local`, a port is always added/changed in local modification list $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C SELinux Port Type Proto Port Number ssh_port_t tcp 22 # With `local`, seport removes the port only from local modifications $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } $ sudo semanage port -l -C # Even though the port is still defined in system policy, the module # result is success as there's no port local modification $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } # But it fails without `local` as it tries to remove port defined in # system policy $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted localhost | FAILED! => { "changed": false, "msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n" } Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

bachradsusi · 2022-09-02T08:42:19Z

I believe I've resolved all comments in the latest push.

patchback · 2022-09-03T09:54:01Z

Backport to stable-5: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-5/4c52fdb9d91bc4b6293fcf6273d38f24e3b886aa/pr-5203

Backported as #5218

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

felixfontein · 2022-09-03T09:54:08Z

@bachradsusi thanks for implementing this!
@richm thanks for reviewing!

Using `local: true` users can enforce to work only with local policy modifications. i.e. # Without `local`, no new modification is added when port already exists $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C # With `local`, a port is always added/changed in local modification list $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C SELinux Port Type Proto Port Number ssh_port_t tcp 22 # With `local`, seport removes the port only from local modifications $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } $ sudo semanage port -l -C # Even though the port is still defined in system policy, the module # result is success as there's no port local modification $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } # But it fails without `local` as it tries to remove port defined in # system policy $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted localhost | FAILED! => { "changed": false, "msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n" } Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Signed-off-by: Petr Lautrbach <plautrba@redhat.com> (cherry picked from commit 4c52fdb)

Using `local: true` users can enforce to work only with local policy modifications. i.e. # Without `local`, no new modification is added when port already exists $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C # With `local`, a port is always added/changed in local modification list $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C SELinux Port Type Proto Port Number ssh_port_t tcp 22 # With `local`, seport removes the port only from local modifications $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } $ sudo semanage port -l -C # Even though the port is still defined in system policy, the module # result is success as there's no port local modification $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } # But it fails without `local` as it tries to remove port defined in # system policy $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted localhost | FAILED! => { "changed": false, "msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n" } Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Signed-off-by: Petr Lautrbach <plautrba@redhat.com> (cherry picked from commit 4c52fdb) Co-authored-by: Petr Lautrbach <plautrba@redhat.com>

Using `local: true` users can enforce to work only with local policy modifications. i.e. # Without `local`, no new modification is added when port already exists $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C # With `local`, a port is always added/changed in local modification list $ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "present" } $ sudo semanage port -l -C SELinux Port Type Proto Port Number ssh_port_t tcp 22 # With `local`, seport removes the port only from local modifications $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | CHANGED => { "changed": true, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } $ sudo semanage port -l -C # Even though the port is still defined in system policy, the module # result is success as there's no port local modification $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost localhost | SUCCESS => { "changed": false, "ports": [ "22" ], "proto": "tcp", "setype": "ssh_port_t", "state": "absent" } # But it fails without `local` as it tries to remove port defined in # system policy $ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted localhost | FAILED! => { "changed": false, "msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n" } Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

bachradsusi mentioned this pull request Aug 31, 2022

WIP - DO NOT MERGE - Allow users to ignore errors when removing built-in policy linux-system-roles/selinux#122

Closed

ansibullbot added bug This issue/PR relates to a bug module module new_contributor Help guide this first time contributor plugins plugin (any type) system traceback labels Aug 31, 2022

richm reviewed Aug 31, 2022

View reviewed changes

plugins/modules/system/seport.py Outdated Show resolved Hide resolved

richm reviewed Aug 31, 2022

View reviewed changes

plugins/modules/system/seport.py Outdated Show resolved Hide resolved

bachradsusi force-pushed the seport-local branch from c1573ff to 26dba2b Compare August 31, 2022 17:40

richm approved these changes Aug 31, 2022

View reviewed changes

felixfontein reviewed Aug 31, 2022

View reviewed changes

plugins/modules/system/seport.py Show resolved Hide resolved

plugins/modules/system/seport.py Outdated Show resolved Hide resolved

plugins/modules/system/seport.py Show resolved Hide resolved

felixfontein added check-before-release PR will be looked at again shortly before release and merged if possible. backport-5 labels Aug 31, 2022

bachradsusi force-pushed the seport-local branch from 26dba2b to 224b936 Compare August 31, 2022 18:22

bachradsusi force-pushed the seport-local branch from 224b936 to b31b652 Compare August 31, 2022 18:31

felixfontein removed the check-before-release PR will be looked at again shortly before release and merged if possible. label Sep 3, 2022

felixfontein merged commit 4c52fdb into ansible-collections:main Sep 3, 2022

patchback bot mentioned this pull request Sep 3, 2022

[PR #5203/4c52fdb9 backport][stable-5] seport: add local argument #5218

Merged

trux-bot bot mentioned this pull request Nov 7, 2022

⬆️ feat(ansible)!: Update community.general to 6.0.0 truxnell/home-cluster#1879

Merged

1 task

This was referenced Dec 1, 2022

chore(deps): update dependency community.general to v6 stephenl03/k3s-cluster#106

Open

chore(deps): update dependency community.general to v6 - autoclosed NilssonCJ/k3s-nsdev-sidious#81

Closed

renovate bot mentioned this pull request Dec 14, 2022

chore(deps): update dependency community.general to v6 - autoclosed sdelrio/homelab-k3s#37

Closed

1 task

renovate bot mentioned this pull request Jan 1, 2023

chore(deps): update dependency community.general to v6 - autoclosed Venoox/k8s-cluster#25

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

seport: add `local` argument #5203

seport: add `local` argument #5203

bachradsusi commented Aug 31, 2022

ansibullbot commented Aug 31, 2022

github-actions bot commented Aug 31, 2022 •

edited

Loading

felixfontein left a comment

bachradsusi commented Sep 2, 2022

patchback bot commented Sep 3, 2022 •

edited

Loading

felixfontein commented Sep 3, 2022

seport: add local argument #5203

seport: add local argument #5203

Conversation

bachradsusi commented Aug 31, 2022

SUMMARY

ISSUE TYPE

COMPONENT NAME

ADDITIONAL INFORMATION

ansibullbot commented Aug 31, 2022

github-actions bot commented Aug 31, 2022 • edited Loading

Docs Build 📝

felixfontein left a comment

Choose a reason for hiding this comment

bachradsusi commented Sep 2, 2022

patchback bot commented Sep 3, 2022 • edited Loading

Backport to stable-5: 💚 backport PR created

felixfontein commented Sep 3, 2022

seport: add `local` argument #5203

seport: add `local` argument #5203

github-actions bot commented Aug 31, 2022 •

edited

Loading

patchback bot commented Sep 3, 2022 •

edited

Loading