Reputation: 161
I am using the below playbook to check SELinux status. All I want to do further is that, if the status is not disabled, in the same playbook I need to make the changes to disable SELinux.
    tasks:
      - name: To check SELinux status
        shell: getenforce
        register: result
      - set_fact: selinux_status_output="{{ result.stdout }}"
      - debug: var=selinux_status_output
Upvotes: 2
Views: 10205
Reputation: 579
If you just want to disable SELinux, follow @yabberth's answer - Ansible is declarative and idempotent unless you mess things up. Therefore, if you have a task that declares selinux state as disabled, Ansible selinux module will check and set selinux state accordingly.
On the other hand, if someone's still looking for a condition to run a task based on SELinux state, I'd use Ansible facts. Here is an example:
    - seboolean:
        name: 'some_boolean'
        state: yes
        persistent: yes
      when: ansible_facts.selinux.status == 'enabled'
Upvotes: 3
Reputation: 412
There are some cases where you may still wish to test whether SELinux is enabled. For instance, the Ansible module sefcontext generates a failure message if SELinux is disabled. E.g.:
TASK [users : Set SELinux context of directory /foo/bar to ftpd_u] ***************************************************************************************************************************************************************
fatal: [172.16.1.76]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}
To test whether SELinux is enabled, use selinuxenabled rather than getenforce (or perhaps both).
Here's an example of some tasks with this dependency. Note that in the first task, you ignore errors, because you don't want that task to fail based on the exit code of selinuxenabled.
    - name: Test whether SELinux is enabled
      command: /usr/sbin/selinuxenabled
      ignore_errors: yes
      register: selinux_status
    - name: Set SELinux context of custom ftp directory /foo/bar to ftpd_u if SE Linux is enabled
      sefcontext:
        target: /foo/bar
        setype: ftpd_u
        state: present
      register: ftp_dir
      when: selinux_status.rc == 0
    - name: Apply new SELinux context for custom FTP directory
      command: restorecon -irv /foo/bar
      when: ftp_dir.changed
Upvotes: 0
Reputation: 505
You can use the selinux module
    - name: Disable SELinux
      selinux:
        state: disabled
See: selinux Module
Edit: You don't need to check if the state is not disabled. Ansible will check the state of selinux and only if it is not disabled it will try to change the state.
You may want to check the difference between declarative and imperative models.
Upvotes: 5
Reputation: 33
I can't comment yet, but as Yabberth said, you can just use the selinux module.
When you're running the play, only systems in a changed state would've been not set to disabled. If the state is already disabled, Ansible will leave it alone and move on to the next task.
If you use the shell module to check first, you'll always see the changed state since it's registering it into the job flow. If you're running a check first and then changing afterwards, it might be a bit overkill considering the selinux module will do what you're asking, IMO.
Upvotes: 2
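A playbook that puts the points from the answers above together, as an added example that is not code from any of the posts: a status probe that never reports "changed", the declarative selinux task, and a check of the module's reboot_required return value, since a switch to disabled only takes effect after a reboot. It assumes the ansible.posix collection is installed; the hosts: all target and the registered variable names are illustrative.

```yaml
# Added example; host pattern and variable names are illustrative assumptions.
- hosts: all
  become: true
  tasks:
    # Read-only probe. changed_when keeps the command from always showing
    # "changed"; failed_when tolerates hosts where getenforce is not installed.
    - name: Read current SELinux mode
      ansible.builtin.command: getenforce
      register: getenforce_result
      changed_when: false
      failed_when: false
      check_mode: false

    # The same information is available from gathered facts without a command.
    - name: Show SELinux status before any change
      ansible.builtin.debug:
        msg: >-
          facts={{ ansible_facts.selinux.status | default('unknown') }}
          getenforce={{ getenforce_result.stdout | default('n/a') }}

    # Declarative task: reports "changed" only on hosts that were not
    # already disabled, so no separate "when" guard is needed.
    - name: Disable SELinux
      ansible.posix.selinux:
        state: disabled
      register: selinux_result

    # The config file is updated immediately, but the running kernel keeps
    # its current mode until the host is rebooted.
    - name: Report hosts that still need a reboot
      ansible.builtin.debug:
        msg: "SELinux config changed on {{ inventory_hostname }}; reboot required"
      when: selinux_result.reboot_required | default(false)
```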