mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
e646d21935
Using `local: true` users can enforce to work only with local policy
modifications. i.e.
# Without `local`, no new modification is added when port already exists
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost
localhost | SUCCESS => {
"changed": false,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "present"
}
$ sudo semanage port -l -C
# With `local`, a port is always added/changed in local modification list
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost
localhost | CHANGED => {
"changed": true,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "present"
}
$ sudo semanage port -l -C
SELinux Port Type Proto Port Number
ssh_port_t tcp 22
# With `local`, seport removes the port only from local modifications
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost
localhost | CHANGED => {
"changed": true,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "absent"
}
$ sudo semanage port -l -C
# Even though the port is still defined in system policy, the module
# result is success as there's no port local modification
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost
localhost | SUCCESS => {
"changed": false,
"ports": [
"22"
],
"proto": "tcp",
"setype": "ssh_port_t",
"state": "absent"
}
# But it fails without `local` as it tries to remove port defined in
# system policy
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted
localhost | FAILED! => {
"changed": false,
"msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n"
}
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
(cherry picked from commit
|
||
---|---|---|
.. | ||
aix_devices.py | ||
aix_filesystem.py | ||
aix_inittab.py | ||
aix_lvg.py | ||
aix_lvol.py | ||
alternatives.py | ||
awall.py | ||
beadm.py | ||
capabilities.py | ||
cronvar.py | ||
crypttab.py | ||
dconf.py | ||
dpkg_divert.py | ||
facter.py | ||
filesystem.py | ||
gconftool2.py | ||
gconftool2_info.py | ||
homectl.py | ||
interfaces_file.py | ||
iptables_state.py | ||
java_cert.py | ||
java_keystore.py | ||
kernel_blacklist.py | ||
keyring.py | ||
keyring_info.py | ||
launchd.py | ||
lbu.py | ||
listen_ports_facts.py | ||
locale_gen.py | ||
lvg.py | ||
lvol.py | ||
make.py | ||
mksysb.py | ||
modprobe.py | ||
nosh.py | ||
ohai.py | ||
open_iscsi.py | ||
openwrt_init.py | ||
osx_defaults.py | ||
pam_limits.py | ||
pamd.py | ||
parted.py | ||
pids.py | ||
puppet.py | ||
python_requirements_info.py | ||
runit.py | ||
sap_task_list_execute.py | ||
sefcontext.py | ||
selinux_permissive.py | ||
selogin.py | ||
seport.py | ||
shutdown.py | ||
solaris_zone.py | ||
ssh_config.py | ||
sudoers.py | ||
svc.py | ||
syspatch.py | ||
sysrc.py | ||
sysupgrade.py | ||
timezone.py | ||
ufw.py | ||
vdo.py | ||
xfconf.py | ||
xfconf_info.py | ||
xfs_quota.py |