From 26a848d37681f4113ceeb15f15315c3cc04584d9 Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Wed, 24 Aug 2022 15:56:25 -0600
Subject: [PATCH] Allow users to ignore errors when removing built-in policy

If you attempt to remove built-in policy, you will get an error like this:
```
Port tcp/NNNN is defined in policy, cannot be deleted
```
If you want to have the role ignore errors like this, use `selinux_ignore_builtin_removal: true`
---
 README.md            | 27 +++++++++++++++++++++++++++
 defaults/main.yml    |  4 ++++
 tasks/main.yml       |  8 ++++++++
 tests/tests_port.yml | 34 ++++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+)

diff --git a/README.md b/README.md
index f1aee98..abde0d9 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,33 @@ i.e. on the oldest system.
 
 **Note:** Module priorities are ignored in Red Hat Enterprise Linux 6
 
+#### Ignore errors when attempting to remove built-in policy
+
+If you attempt to remove built-in policy, you will get an error like this:
+```
+include_role:
+  name: linux-system-roles.selinux
+vars:
+  selinux_ports:
+    - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+        state: 'absent' }
+...
+Port tcp/20514 is defined in policy, cannot be deleted
+```
+If you want the role to ignore errors like this, use `selinux_ignore_builtin_removal: true`
+```
+include_role:
+  name: linux-system-roles.selinux
+vars:
+  selinux_ignore_builtin_removal: true
+  selinux_ports:
+    - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+        state: 'absent' }
+...
+ok
+```
+The default value is `false`.
+
 ## Ansible Facts
 
 ### selinux\_reboot\_required
diff --git a/defaults/main.yml b/defaults/main.yml
index 03d10a2..2c01677 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,3 +15,7 @@ selinux_booleans_purge: no
 selinux_fcontexts_purge: no
 selinux_ports_purge: no
 selinux_logins_purge: no
+
+# If this is set, ignore errors when attempting
+# to remove built-in policy
+selinux_ignore_builtin_removal: false
diff --git a/tasks/main.yml b/tasks/main.yml
index 020a6e3..5c29f9b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -94,6 +94,14 @@
     setype: "{{ item.setype }}"
     state: "{{ item.state | default('present') }}"
   with_items: "{{ selinux_ports }}"
+  register: __selinux_port_result
+  failed_when:
+    - __selinux_port_result is failed
+    - not (__selinux_port_result.msg is search(__pat) and
+      selinux_ignore_builtin_removal)
+  vars:
+    __pat: Port .* is defined in policy, cannot be deleted
+
 - name: Set linux user to SELinux user mapping
   selogin:
diff --git a/tests/tests_port.yml b/tests/tests_port.yml
index 81f8bf7..bc9e95a 100644
--- a/tests/tests_port.yml
+++ b/tests/tests_port.yml
@@ -63,6 +63,40 @@
       assert:
         that: "{{ port_before == port_after }}"
 
+    - name: Catch error when removing built-in policy
+      block:
+        - name: Try to remove a built-in port policy
+          include_role:
+            name: linux-system-roles.selinux
+          vars:
+            selinux_ports:
+              - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+                  state: 'absent' }
+              - { ports: '22022', proto: 'tcp', setype: 'ssh_port_t',
+                  state: 'absent' }
+
+        - name: Unreachable task
+          fail:
+            msg: UNREACHABLE
+      rescue:
+        - name: Check the error
+          assert:
+            that: ansible_failed_result.results | selectattr('msg', 'defined') |
+              map(attribute='msg') | select('search', __pat) | length > 0
+          vars:
+            __pat: Port tcp/20514 is defined in policy, cannot be deleted
+
+    - name: Ignore errors when removing built-in policy
+      include_role:
+        name: linux-system-roles.selinux
+      vars:
+        selinux_ports:
+          - { ports: '20514', proto: 'tcp', setype: 'syslogd_port_t',
+              state: 'absent' }
+          - { ports: '22022', proto: 'tcp', setype: 'ssh_port_t',
+              state: 'absent' }
+        selinux_ignore_builtin_removal: true
+
     - include_role:
         name: linux-system-roles.selinux
       vars:
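Review bot: `__selinux_port_result.msg` in the new `failed_when` is dereferenced unguarded, so a seport failure whose result carries no `msg` would surface as a conditional-evaluation error instead of the original module failure; `- not (__selinux_port_result.msg | default('') is search(__pat) and selinux_ignore_builtin_removal)` keeps the intended masking and fails cleanly otherwise. Since the task loops with `with_items`, the registered name is presumably the per-item result when `failed_when` runs, which is what the per-item `msg` match depends on — a comment such as `# evaluated per loop item: only the built-in-policy error is masked, and only when selinux_ignore_builtin_removal is true` would make that explicit. When the error is masked the port definition is left in place yet the task reports ok, so the caller gets no signal that the requested removal did not happen; that is worth stating in the same comment. The seport task's name and module arguments begin above the hunk.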
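Review bot: The new tests exercise only the happy path of `selinux_ignore_builtin_removal: true`; nothing verifies that an unrelated seport failure still fails the role when the flag is set, which is the property that stops the flag from degrading into a blanket ignore_errors for port management. Add a block/rescue mirroring `Catch error when removing built-in policy` that sets the flag and passes a port definition the module must reject (a nonexistent setype, for example — confirm the exact rejection on the target platforms), and assert in `rescue` that the failure came from the role rather than from the `UNREACHABLE` sentinel. The `Catch error` block also never checks that the user-defined port `22022` in the same loop was removed despite the built-in-port failure, so a regression that aborts the loop early would go unnoticed. The enclosing play and the earlier tasks that set up these ports lie outside the hunk.
```yaml
    # … after "Ignore errors when removing built-in policy" …
    - name: Other errors still fail when ignoring built-in removal
      block:
        - name: Try an invalid port definition with the flag set
          include_role:
            name: linux-system-roles.selinux
          vars:
            selinux_ignore_builtin_removal: true
            selinux_ports:
              - { ports: '22023', proto: 'tcp', setype: 'no_such_port_t',
                  state: 'present' }

        - name: Unreachable task
          fail:
            msg: UNREACHABLE
      rescue:
        - name: Check that the failure came from the role, not the sentinel
          assert:
            that: ansible_failed_result.msg | default('') != 'UNREACHABLE'
```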