From 0592fd47bc6005e339c655cbba02aa330c7ee848 Mon Sep 17 00:00:00 2001
From: Martin Krizek
Date: Tue, 28 Nov 2017 17:09:25 +0100
Subject: [PATCH] selinux: check if policy exists before switching (#31834)
* selinux: check if policy exists before switching
* Check the policy dir
---
 lib/ansible/modules/system/selinux.py | 3 ++
 .../targets/selinux/tasks/selinux.yml | 37 +++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/lib/ansible/modules/system/selinux.py b/lib/ansible/modules/system/selinux.py
index 7d1cb8d9fac..917304ec2a7 100644
--- a/lib/ansible/modules/system/selinux.py
+++ b/lib/ansible/modules/system/selinux.py
@@ -151,6 +151,9 @@ def set_state(module, state):
 def set_config_policy(module, policy, configfile):
+ if not os.path.exists('/etc/selinux/%s/policy' % policy):
+ module.fail_json(msg='Policy %s does not exist in /etc/selinux/' % policy)
+
 # edit config file with state value
 # SELINUXTYPE=targeted
 policyline = 'SELINUXTYPE=%s' % policy
diff --git a/test/integration/targets/selinux/tasks/selinux.yml b/test/integration/targets/selinux/tasks/selinux.yml
index 5e543d14800..443f9419291 100644
--- a/test/integration/targets/selinux/tasks/selinux.yml
+++ b/test/integration/targets/selinux/tasks/selinux.yml
@@ -106,6 +106,11 @@
 # ##############################################################################
 # Test changing only the policy, which does not require a reboot
+- name: TEST 2 | Make sure the policy is present
+ package:
+ name: selinux-policy-mls
+ state: present
+
 - name: TEST 2 | Set SELinux policy
 selinux:
 state: enforcing
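Review bot: The new existence check in set_config_policy takes `policy` straight from the module parameters and uses it as a path component, so a value containing `/` or `..` can satisfy `os.path.exists` against a directory outside `/etc/selinux/` and is then written verbatim into the `SELINUXTYPE=` line further down. Since the commit message says the intent is to check the policy directory, the test should also use `os.path.isdir` rather than `os.path.exists`, which a stray regular file at that path would satisfy. A single condition covers both: `if os.path.basename(policy) != policy or policy in ('.', '..') or not os.path.isdir('/etc/selinux/%s/policy' % policy):` with the existing `fail_json` call unchanged beneath it. The rest of set_config_policy, including the write of the config line, continues outside the hunk, and the hunk assumes `os` is already imported, which is not visible here.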
@@ -168,3 +173,35 @@
 selinux:
 state: enforcing
 policy: targeted
+
+
+ # Third Test
+ # ##############################################################################
+ # Test changing non-existing policy
+
+ - name: TEST 3 | Set SELinux policy
+ selinux:
+ state: enforcing
+ policy: non-existing-selinux-policy
+ register: _state_test1
+ ignore_errors: yes
+
+ - debug:
+ var: _state_test1
+ verbosity: 1
+
+ - name: TEST 3 | Re-gather facts
+ setup:
+
+ - debug:
+ var: ansible_selinux
+ tags: debug
+
+ - name: TEST 3 | Assert that status was not changed, the task failed, the msg contains proper information and SELinux was not changed
+ assert:
+ that:
+ - not _state_test1 | changed
+ - _state_test1 | failed
+ - _state_test1.msg == 'Policy non-existing-selinux-policy does not exist in /etc/selinux/'
+ - ansible_selinux.config_mode == 'enforcing'
+ - ansible_selinux.type == 'targeted'
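Review bot: The TEST 3 assert pins the module's full error string (`_state_test1.msg == 'Policy non-existing-selinux-policy does not exist in /etc/selinux/'`), so any rewording of that message in selinux.py breaks this test without any change in behavior. A substring check such as `- "'does not exist' in _state_test1.msg"` keeps the test's intent while tolerating wording changes. The `| changed` and `| failed` filter forms read more naturally as the Jinja tests `- _state_test1 is not changed` and `- _state_test1 is failed`, provided the Ansible version this tree targets already accepts the test syntax; if not, the filters are fine to keep. The remaining assertions on `ansible_selinux.config_mode` and `ansible_selinux.type` after the re-gather are the right way to confirm the failed task left the config untouched.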