diff --git a/system/selinux_permissive.py b/system/selinux_permissive.py
new file mode 100644
index 00000000000..ec3575d9da4
--- /dev/null
+++ b/system/selinux_permissive.py
@@ -0,0 +1,130 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2015, Michael Scherer
+# inspired by code of github.com/dandiker/
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+
+DOCUMENTATION = '''
+---
+module: selinux_permissive
+short_description: Change permissive domain in SELinux policy
+description:
+ - Add and remove domain from the list of permissive domain.
+version_added: "1.9"
+options:
+ domain:
+ description:
+ - "the domain that will be added or removed from the list of permissive domains"
+ required: true
+ permissive:
+ description:
+ - "indicate if the domain should or should not be set as permissive"
+ required: true
+ choices: [ 'True', 'False' ]
+ no_reload:
+ description:
+ - "automatically reload the policy after a change"
+ - "default is set to 'false' as that's what most people would want after changing one domain"
+ - "Note that this doesn't work on older version of the library (example EL 6), the module will silently ignore it in this case"
+ required: false
+ default: False
+ choices: [ 'True', 'False' ]
+ store:
+ description:
+ - "name of the SELinux policy store to use"
+ required: false
+ default: null
+notes:
+ - Requires a version of SELinux recent enough ( ie EL 6 or newer )
+requirements: [ policycoreutils-python ]
+author: Michael Scherer
+'''
+
+EXAMPLES = '''
+- selinux_permissive: name=httpd_t permissive=true
+'''
+
+HAVE_SEOBJECT = False
+try:
+ import seobject
+ HAVE_SEOBJECT = True
+except ImportError:
+ pass
+
+
+def main():
+ module = AnsibleModule(
+ argument_spec=dict(
+ domain=dict(aliases=['name'], required=True),
+ store=dict(required=False, default=''),
+ permissive=dict(type='bool', required=True),
+ no_reload=dict(type='bool', required=False, default=False),
+ ),
+ supports_check_mode=True
+ )
+
+ # global vars
+ changed = False
+ store = module.params['store']
+ permissive = module.params['permissive']
+ domain = module.params['domain']
+ no_reload = module.params['no_reload']
+
+ if not HAVE_SEOBJECT:
+ module.fail_json(changed=False, msg="policycoreutils-python required for this module")
+
+ try:
+ permissive_domains = seobject.permissiveRecords(store)
+ except ValueError, e:
+ module.fail_json(domain=domain, msg=str(e))
+
+ # not supported on EL 6
+ if 'set_reload' in dir(permissive_domains):
+ permissive_domains.set_reload(not no_reload)
+
+ try:
+ all_domains = permissive_domains.get_all()
+ except ValueError, e:
+ module.fail_json(domain=domain, msg=str(e))
+
+ if permissive:
+ if domain not in all_domains:
+ if not module.check_mode:
+ try:
+ permissive_domains.add(domain)
+ except ValueError, e:
+ module.fail_json(domain=domain, msg=str(e))
+ changed = True
+ else:
+ if domain in all_domains:
+ if not module.check_mode:
+ try:
+ permissive_domains.delete(domain)
+ except ValueError, e:
+ module.fail_json(domain=domain, msg=str(e))
+ changed = True
+
+ module.exit_json(changed=changed, store=store,
+ permissive=permissive, domain=domain)
+
+
+#################################################
+# import module snippets
+from ansible.module_utils.basic import *
+
+main()
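Review bot: The `no_reload` option is documented as the opposite of what the code does — `permissive_domains.set_reload(not no_reload)` means `no_reload=true` suppresses the policy reload, yet the DOCUMENTATION block says it will "automatically reload the policy after a change"; suggest `- "do not reload the policy after a change"` while keeping the note that older libraries ignore the setting. In the same block the docs give `store` a default of `null` while `argument_spec` uses `default=''`, so one of the two should be aligned with the other. The four `except ValueError, e:` clauses use Python 2-only syntax; `except ValueError as e:` is accepted by both Python 2.6+ and 3 and is the safer spelling. Since adding a domain to the permissive list turns its denials into audit-only events, it would help operators to state that security consequence in the `description` so the change is not mistaken for a cosmetic one.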