Using `local: true` users can enforce to work only with local policy
modifications. i.e.
# Without `local`, no new modification is added when port already exists
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost
localhost | SUCCESS => {
"changed": false,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "present"
}
$ sudo semanage port -l -C
# With `local`, a port is always added/changed in local modification list
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost
localhost | CHANGED => {
"changed": true,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "present"
}
$ sudo semanage port -l -C
SELinux Port Type Proto Port Number
ssh_port_t tcp 22
# With `local`, seport removes the port only from local modifications
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost
localhost | CHANGED => {
"changed": true,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "absent"
}
$ sudo semanage port -l -C
# Even though the port is still defined in system policy, the module
# result is success as there's no port local modification
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost
localhost | SUCCESS => {
"changed": false,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "absent"
}
# But it fails without `local` as it tries to remove port defined in
# system policy
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted
localhost | FAILED! => {
"changed": false,
"msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n"
}
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
* Adjust booleans in system modules.
* Fix some IP addresses
Co-authored-by: Sandra McCann <samccann@redhat.com>
Co-authored-by: Sandra McCann <samccann@redhat.com>
* Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt.
* Replace 'Copyright:' with 'Copyright'
sed -i 's|Copyright:\(.*\)|Copyright\1|' $(rg -l 'Copyright:')
Co-authored-by: Maxwell G <gotmax@e.email>
* fixed validation-modules for aix_devices.py
* fixed validation-modules for aix_filesystem.py
* fixed validation-modules for aix_inittab.py
* fixed validation-modules for aix_lvg.py
* fixed validation-modules for aix_lvol.py
* fixed validation-modules for awall.py
* fixed validation-modules for dconf.py
* fixed validation-modules for gconftool2.py
* fixed validation-modules for interfaces_file.py
* fixed validation-modules for java_keystore.py
* fixed validation-modules for kernel_blacklist.py
* fixed validation-modules for plugins/modules/system/lbu.py
* fixed validation-modules for plugins/modules/system/locale_gen.py
* fixed validation-modules for plugins/modules/system/lvg.py
* fixed validation-modules for plugins/modules/system/lvol.py
* fixed validation-modules for plugins/modules/system/mksysb.py
* fixed validation-modules for plugins/modules/system/modprobe.py
* fixed validation-modules for plugins/modules/system/nosh.py
* fixed validation-modules for plugins/modules/system/open_iscsi.py
* fixed validation-modules for plugins/modules/system/openwrt_init.py
* fixed validation-modules for plugins/modules/system/osx_defaults.py
* fixed validation-modules for plugins/modules/system/pamd.py
* fixed validation-modules for plugins/modules/system/pam_limits.py
* fixed validation-modules for plugins/modules/system/parted.py
* fixed validation-modules for plugins/modules/system/puppet.py
* fixed validation-modules for plugins/modules/system/python_requirements_info.py
* fixed validation-modules for plugins/modules/system/runit.py
the parameter "dist" is not used anywhere in the module
* fixed validation-modules for plugins/modules/system/sefcontext.py
* fixed validation-modules for plugins/modules/system/selogin.py
* fixed validation-modules for plugins/modules/system/seport.py
* fixed validation-modules for plugins/modules/system/solaris_zone.py
* fixed validation-modules for plugins/modules/system/syspatch.py
* fixed validation-modules for plugins/modules/system/vdo.py
* fixed validation-modules for plugins/modules/system/xfconf.py
* removed ignore almost all validate-modules lines in system
* removed unnecessary validations, per shippable test
* kernel_blacklist: keeping blacklist_file as str instead of path
* mksysb: keeping storage_path as str instead of path
* pam_limits: keeping dest as str instead of path
* rollback on adding doc for puppet.py legacy param
* rolledback param seuser required in selogin module
* rolledback changes in runit
* rolledback changes in osx_defaults
* rolledback changes in aix_defaults
