Allow users to ignore errors when removing built-in policy

If you attempt to remove built-in policy, you will get an error like this:
```
Port tcp/NNNN is defined in policy, cannot be deleted
```
If you want to have the role ignore errors like this, use
`selinux_ignore_builtin_removal: true`

README.md

@@ -156,6 +156,33 @@ i.e. on the oldest system.
 
 **Note:** Module priorities are ignored in Red Hat Enterprise Linux 6
 
+#### Ignore errors when attempting to remove built-in policy
+
+If you attempt to remove built-in policy, you will get an error like this:
+```
+include_role:
+  name: linux-system-roles.selinux
+vars:
+  selinux_ports:
+    - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+        state: 'absent' }
+...
+Port tcp/20514 is defined in policy, cannot be deleted
+```
+If you want the role to ignore errors like this, use `selinux_ignore_builtin_removal: true`
+```
+include_role:
+  name: linux-system-roles.selinux
+vars:
+  selinux_ignore_builtin_removal: true
+  selinux_ports:
+    - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+        state: 'absent' }
+...
+ok
+```
+The default value is `false`.
+
 ## Ansible Facts
 
 ### selinux\_reboot\_required

defaults/main.yml

@@ -15,3 +15,7 @@ selinux_booleans_purge: no
 selinux_fcontexts_purge: no
 selinux_ports_purge: no
 selinux_logins_purge: no
+
+# If this is set, ignore errors when attempting
+# to remove built-in policy
+selinux_ignore_builtin_removal: false

tasks/main.yml

@@ -94,6 +94,14 @@
     setype: "{{ item.setype }}"
     state: "{{ item.state | default('present') }}"
   with_items: "{{ selinux_ports }}"
+  register: __selinux_port_result
+  failed_when:
+    - __selinux_port_result is failed
+    - not (__selinux_port_result.msg is search(__pat) and
+           selinux_ignore_builtin_removal)
+  vars:
+    __pat: Port .* is defined in policy, cannot be deleted
+
 
 - name: Set linux user to SELinux user mapping
   selogin:

tests/tests_port.yml

@@ -63,6 +63,40 @@
       assert:
         that: "{{ port_before == port_after }}"
 
+    - name: Catch error when removing built-in policy
+      block:
+        - name: Try to remove a built-in port policy
+          include_role:
+            name: linux-system-roles.selinux
+          vars:
+            selinux_ports:
+              - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+                  state: 'absent' }
+              - { ports: '22022', proto: 'tcp', setype: 'ssh_port_t',
+                  state: 'absent' }
+
+        - name: Unreachable task
+          fail:
+            msg: UNREACHABLE
+      rescue:
+        - name: Check the error
+          assert:
+            that: ansible_failed_result.results | selectattr('msg', 'defined') |
+              map(attribute='msg') | select('search', __pat) | length > 0
+          vars:
+            __pat: Port tcp/20514 is defined in policy, cannot be deleted
+
+    - name: Ignore errors when removing built-in policy
+      include_role:
+        name: linux-system-roles.selinux
+      vars:
+        selinux_ports:
+          - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+              state: 'absent' }
+          - { ports: '22022', proto: 'tcp', setype: 'ssh_port_t',
+              state: 'absent' }
+        selinux_ignore_builtin_removal: true
+
     - include_role:
         name: linux-system-roles.selinux
       vars: