2020-03-09 10:11:07 +01:00
|
|
|
#!/usr/bin/python
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
2022-08-05 12:28:29 +02:00
|
|
|
# Copyright (c) 2015, Michael Scherer <misc@zarb.org>
|
2020-03-09 10:11:07 +01:00
|
|
|
# inspired by code of github.com/dandiker/
|
2022-08-05 12:28:29 +02:00
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
DOCUMENTATION = r'''
|
|
|
|
---
|
|
|
|
module: selinux_permissive
|
|
|
|
short_description: Change permissive domain in SELinux policy
|
|
|
|
description:
|
|
|
|
- Add and remove a domain from the list of permissive domains.
|
2023-02-20 17:28:47 +01:00
|
|
|
extends_documentation_fragment:
|
|
|
|
- community.general.attributes
|
|
|
|
attributes:
|
|
|
|
check_mode:
|
|
|
|
support: full
|
|
|
|
diff_mode:
|
|
|
|
support: none
|
2020-03-09 10:11:07 +01:00
|
|
|
options:
|
|
|
|
domain:
|
|
|
|
description:
|
|
|
|
- The domain that will be added or removed from the list of permissive domains.
|
|
|
|
type: str
|
|
|
|
required: true
|
|
|
|
aliases: [ name ]
|
|
|
|
permissive:
|
|
|
|
description:
|
|
|
|
- Indicate if the domain should or should not be set as permissive.
|
|
|
|
type: bool
|
|
|
|
required: true
|
|
|
|
no_reload:
|
|
|
|
description:
|
|
|
|
- Disable reloading of the SELinux policy after making change to a domain's permissive setting.
|
2022-08-24 19:59:01 +02:00
|
|
|
- The default is C(false), which causes policy to be reloaded when a domain changes state.
|
2020-03-09 10:11:07 +01:00
|
|
|
- Reloading the policy does not work on older versions of the C(policycoreutils-python) library, for example in EL 6."
|
|
|
|
type: bool
|
2022-08-24 19:59:01 +02:00
|
|
|
default: false
|
2020-03-09 10:11:07 +01:00
|
|
|
store:
|
|
|
|
description:
|
|
|
|
- Name of the SELinux policy store to use.
|
|
|
|
type: str
|
2022-11-01 19:25:51 +01:00
|
|
|
default: ''
|
2020-03-09 10:11:07 +01:00
|
|
|
notes:
|
|
|
|
- Requires a recent version of SELinux and C(policycoreutils-python) (EL 6 or newer).
|
|
|
|
requirements: [ policycoreutils-python ]
|
|
|
|
author:
|
|
|
|
- Michael Scherer (@mscherer) <misc@zarb.org>
|
|
|
|
'''
|
|
|
|
|
|
|
|
EXAMPLES = r'''
|
|
|
|
- name: Change the httpd_t domain to permissive
|
2020-07-13 21:50:31 +02:00
|
|
|
community.general.selinux_permissive:
|
2020-03-09 10:11:07 +01:00
|
|
|
name: httpd_t
|
|
|
|
permissive: true
|
|
|
|
'''
|
|
|
|
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
HAVE_SEOBJECT = False
|
|
|
|
SEOBJECT_IMP_ERR = None
|
|
|
|
try:
|
|
|
|
import seobject
|
|
|
|
HAVE_SEOBJECT = True
|
|
|
|
except ImportError:
|
|
|
|
SEOBJECT_IMP_ERR = traceback.format_exc()
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
|
2021-06-26 23:59:11 +02:00
|
|
|
from ansible.module_utils.common.text.converters import to_native
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
module = AnsibleModule(
|
|
|
|
argument_spec=dict(
|
|
|
|
domain=dict(type='str', required=True, aliases=['name']),
|
|
|
|
store=dict(type='str', default=''),
|
|
|
|
permissive=dict(type='bool', required=True),
|
|
|
|
no_reload=dict(type='bool', default=False),
|
|
|
|
),
|
|
|
|
supports_check_mode=True,
|
|
|
|
)
|
|
|
|
|
|
|
|
# global vars
|
|
|
|
changed = False
|
|
|
|
store = module.params['store']
|
|
|
|
permissive = module.params['permissive']
|
|
|
|
domain = module.params['domain']
|
|
|
|
no_reload = module.params['no_reload']
|
|
|
|
|
|
|
|
if not HAVE_SEOBJECT:
|
|
|
|
module.fail_json(changed=False, msg=missing_required_lib("policycoreutils-python"),
|
|
|
|
exception=SEOBJECT_IMP_ERR)
|
|
|
|
|
|
|
|
try:
|
|
|
|
permissive_domains = seobject.permissiveRecords(store)
|
|
|
|
except ValueError as e:
|
|
|
|
module.fail_json(domain=domain, msg=to_native(e), exception=traceback.format_exc())
|
|
|
|
|
|
|
|
# not supported on EL 6
|
|
|
|
if 'set_reload' in dir(permissive_domains):
|
|
|
|
permissive_domains.set_reload(not no_reload)
|
|
|
|
|
|
|
|
try:
|
|
|
|
all_domains = permissive_domains.get_all()
|
|
|
|
except ValueError as e:
|
|
|
|
module.fail_json(domain=domain, msg=to_native(e), exception=traceback.format_exc())
|
|
|
|
|
|
|
|
if permissive:
|
|
|
|
if domain not in all_domains:
|
|
|
|
if not module.check_mode:
|
|
|
|
try:
|
|
|
|
permissive_domains.add(domain)
|
|
|
|
except ValueError as e:
|
|
|
|
module.fail_json(domain=domain, msg=to_native(e), exception=traceback.format_exc())
|
|
|
|
changed = True
|
|
|
|
else:
|
|
|
|
if domain in all_domains:
|
|
|
|
if not module.check_mode:
|
|
|
|
try:
|
|
|
|
permissive_domains.delete(domain)
|
|
|
|
except ValueError as e:
|
|
|
|
module.fail_json(domain=domain, msg=to_native(e), exception=traceback.format_exc())
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
module.exit_json(changed=changed, store=store,
|
|
|
|
permissive=permissive, domain=domain)
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|