user1509613

Reputation: 161

Ansible playbook to check the condition of SELinux status

I am using the below playbook to check SELinux status. All I want to do further is that, if the status is not disabled, in the same playbook I need to make the changes to disable SELinux.

tasks:
  - name: To check SELinux status
    shell: getenforce
    register: result

  - set_fact: selinux_status_output="{{ result.stdout }}"

  - debug: var=selinux_status_output

Upvotes: 2

Views: 10205

Answers (4)

rmartinsjr

Reputation: 579

If you just want to disable SELinux, follow @yabberth's answer - Ansible is declarative and idempotent unless you mess things up. Therefore, if you have a task that declares the selinux state as disabled, the Ansible selinux module will check and set the selinux state accordingly.

On the other hand, if someone's still looking for a condition to run a task based on SELinux state, I'd use Ansible facts. Here is an example:

- seboolean:
    name: 'some_boolean'
    state: yes
    persistent: yes
  when: ansible_facts.selinux.status == 'enabled'

Upvotes: 3

Rob Pomeroy

Reputation: 412

There are some cases where you may still wish to test whether SELinux is enabled. For instance, the Ansible module sefcontext generates a failure message if SELinux is disabled. E.g.:

TASK [users : Set SELinux context of directory /foo/bar to ftpd_u] ***************************************************************************************************************************************************************
fatal: [172.16.1.76]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}

To test whether SELinux is enabled, use selinuxenabled rather than getenforce (or perhaps both).

Here's an example of some tasks with this dependency. Note that in the first task, you ignore errors, because you don't want that task to fail based on the exit code of selinuxenabled.

- name: Test whether SELinux is enabled
  command: /usr/sbin/selinuxenabled
  ignore_errors: yes
  register: selinux_status

- name: Set SELinux context of custom ftp directory /foo/bar to ftpd_u if SE Linux is enabled
  sefcontext:
    target: /foo/bar
    setype: ftpd_u
    state: present
  register: ftp_dir
  when: selinux_status.rc == 0

- name: Apply new SELinux context for custom FTP directory
  command: restorecon -irv /foo/bar
  when: ftp_dir.changed

Upvotes: 0
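An added example (not part of the answer above) of the same selinuxenabled-then-sefcontext dependency written as a complete playbook. It differs from the snippet above in two practical details: a non-zero exit from selinuxenabled is treated as a valid answer rather than an error (so the run does not show an "ignored" failure), while any other exit code, such as the binary being missing, still fails the task instead of being silently read as "disabled"; and the read-only probe is marked `changed_when: false` so it never reports a change. The directory and SELinux type are assumed placeholders.

```yaml
---
# Added example, not code from the original answers.
# Probe SELinux with selinuxenabled (exit 0 = enabled, 1 = disabled) and
# only manage file contexts where the probe says SELinux is enabled.
- name: Apply an SELinux file context only where SELinux is enabled
  hosts: all
  become: true
  vars:
    # Assumed values; substitute your own directory and type.
    ftp_dir_path: /srv/ftp/upload
    ftp_dir_setype: public_content_rw_t
  tasks:
    - name: Test whether SELinux is enabled
      ansible.builtin.command: /usr/sbin/selinuxenabled
      register: selinux_status
      # rc 0 and 1 are both legitimate answers; anything else (for example
      # rc 2 when the binary is missing) is a real failure we want to see.
      failed_when: selinux_status.rc not in [0, 1]
      # A read-only probe never changes the host, so never report "changed".
      changed_when: false

    - name: Set SELinux context of {{ ftp_dir_path }} if SELinux is enabled
      community.general.sefcontext:
        # Regex form so the rule also covers files created under the directory.
        target: "{{ ftp_dir_path }}(/.*)?"
        setype: "{{ ftp_dir_setype }}"
        state: present
      register: ftp_dir
      when: selinux_status.rc == 0

    - name: Apply the new context to files that already exist
      ansible.builtin.command: restorecon -Rv {{ ftp_dir_path }}
      # Skipped tasks register changed=false, so this is also skipped safely.
      when: ftp_dir is changed
```

Run it with `ansible-playbook -i inventory selinux-context.yml`; on a host with SELinux disabled the first task reports ok (rc 1), and the remaining two tasks are skipped rather than failed.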

yabberth

Reputation: 505

You can use the selinux module

- name: Disable SELinux
  selinux:
    state: disabled

See: selinux Module

Edit: You don't need to check if the state is not disabled. Ansible will check the state of selinux and only if it is not disabled it will try to change the state.

You may want to check the difference between declarative and imperative models.

  1. Declarative vs. Imperative: Two Modeling Patterns for the Automated Deployment of Applications
  2. Declarative vs. Imperative Models for Configuration Management: Which Is Really Better?

Upvotes: 5
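An added example, not code from the answers above, that puts the two points made by yabberth and rmartinsjr into one playbook: the selinux module is declared with the desired state and no `when` guard (it is idempotent, so it only changes hosts that are not already in that state), and the gathered `ansible_facts.selinux` facts replace the `shell: getenforce` task from the question for reporting and for guarding SELinux-only tasks. The desired state, policy name and boolean are assumed values; `reboot_required` is a return value of the selinux module, since switching between disabled and enabled only takes effect after a reboot.

```yaml
---
# Added example, not code from the original answers.
# Declarative SELinux handling: the selinux module decides whether a
# change is needed, and the selinux facts are used instead of `getenforce`.
- name: Put SELinux into the desired state and report what changed
  hosts: all
  become: true
  gather_facts: true
  vars:
    # Assumed desired state; 'enforcing' or 'permissive' also require a policy.
    selinux_desired_state: disabled
    selinux_policy: targeted
  tasks:
    - name: Show the SELinux facts Ansible already gathered (no shell task needed)
      ansible.builtin.debug:
        msg: >-
          status={{ ansible_facts.selinux.status }}
          mode={{ ansible_facts.selinux.mode | default('n/a') }}
          config_mode={{ ansible_facts.selinux.config_mode | default('n/a') }}

    - name: Ensure SELinux is {{ selinux_desired_state }} (idempotent, so no 'when' is needed)
      ansible.posix.selinux:
        state: "{{ selinux_desired_state }}"
        # 'policy' is only meaningful when SELinux is not disabled.
        policy: "{{ omit if selinux_desired_state == 'disabled' else selinux_policy }}"
      register: selinux_result

    - name: Report that the state change is not complete until the host reboots
      ansible.builtin.debug:
        msg: "SELinux state changed in config; a reboot is required for it to take effect"
      when: selinux_result.reboot_required | default(false)

    - name: Run an SELinux-only task only where the running kernel has SELinux enabled
      ansible.posix.seboolean:
        name: httpd_can_network_connect   # assumed boolean for illustration
        state: true
        persistent: true
      when: ansible_facts.selinux.status == 'enabled'
```

On a host that is already in the desired state the selinux task reports ok, not changed, which is the behaviour the answers above describe; `ansible_facts.selinux` only carries `mode` and `config_mode` when SELinux is enabled, hence the `default('n/a')` filters in the debug message.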

user2246706

Reputation: 33

I can't comment yet, but as Yabberth said, you can just use the selinux module. When you're running the play, only systems in a changed state would have been not set to disabled. If the state is already disabled, Ansible will leave it alone and move on to the next task.

If you use the shell module to check first, you'll always see the changed state since it's registering it into the job flow. If you're running a check first and then change afterwards, it might be a bit overkill considering the selinux module will do what you're asking, IMO.

Upvotes: 2
