This removes the 'context' option and replaces it with checks for
'_default' value for seuser, serole, setype, or (maybe) selevel.
If '_default' is provided *and* there is a default context for the given
file, this will set the file context to the available default.
Creates system accounts/groups; corresponds to the '-r' option for {user,group}add.
The option is only honored when users/groups are added, not when modified.
When running the service module via sudo, `$PATH` didn't contain `/sbin`,
so the service binary couldn't be found. This just runs `/sbin/service`
directly. Output is spewed to stderr on error.
Added `list=status` to include the output of `service <cmd> status`.
This adds selinux_mls_enabled() and selinux_enabled() to detect a)
whether selinux is MLS aware (ie supports selevel) and b) whether
selinux is enabled. If selinux is not enabled, all selinux operations
are punted on -- same as if python's selinux module were not available.
In set_context_if_different(), I now iterate over the current context
instead of the context argument. Even if the system supports MLS, it
may not return the selevel from selinux.lgetfilecon(). Lastly, this
drops selinux_has_selevel() in lieu of the current approach.
Older versions of selinux, such as that deployed on rhel5, only return a
context of user:role:type instead of user:role:type:level. This detects
whether the tuple has three elements (old-style) or four. If the
old-style, it keeps the secontext list at three elements.
The value is passed to apt-get's "-t" option. Useful for installing backports, e.g.:
ansible webservers -m apt -a "pkg=nginx state=latest default-release=squeeze-backports"
This adjusts behavior of file module such that removal of se* option
does not revert the file's selinux context to the default. In order to
go back to the default context according to the policy, you can use the
context=default option.
This collects various facts from the host so that it isn't necessary to
have facter or ohai installed. It gets various platform/distribution
facts, information about the type of hardware, whether a virtual
environment and what type, assorted interface facts, and ssh host public
keys. Most facts are flat. The two exceptions are 'processor' and all
interface facts. Interface facts are presented as:
ansible_lo : {
"macaddress": "00:00:00:00:00:00",
"ipv4": { "address": "127.0.0.1", "netmask": "255.0.0.0" },
"ipv6": [
{ "address": "::1", "prefix": "128", "scope": "host" }
]
}
This adds the options: seuser, serole, setype, and serange to the file
module. If the python selinux module doesn't exist, this will set
HAVE_SELINUX to False and punt in the related modules.
This takes the options the user provides and applies those to the
default selinux context as provided from matchpathcon(). If there is no
default context, this uses the value from the current context. This
implies that if you set the setype and later remove it, the file module
will rever the setype to the default if available.
is still kicking off. Should not happen except in modules that are somewhat slow to load and probably
can be fixed better than the included sleep, i.e. some IPC communication that the process has
launched and is ok to exit. This works pretty well for now though.
This adds two options to the user module: groups and append. groups is
a comma-delimited list of supplementary groups a user should belong to.
If a user is currently a member of a group not listed in groups, the
user will be removed from it. To change this behavior, use append=yes.
This will append the user to the list of supplementary groups and *not*
remove the user from unlisted groups.
This relies on groupadd, groupmod, groupdel, and gpasswd utilities on
the system. You can optionally modify the gid for the group. You can
also add/remove a user to/from a group with the option member. Member
state is defined with the option memberstate.
This changes the gid option to group. One may provide a primary group
as either a gid or a name. The module will then check to verify that
the group already exists. If the group does not already exist, the
module will fail.
This relies on useradd, usermod, and userdel utilities on the system.
The argument name is required; if state is not provided, present is
assumed. Other options supported for creating or modifying an existing
account: uid, gid, comment, home, shell, and password. If managing the
password, it must already be encrypted. When creating an account, you
can also provide the argument createhome to control whether the home
directory is created. Arguments supported for deleting an account are:
force (remove account even if user is logged in) and remove (remove home
directory).