VashTheSampede

Reputation: 1

Using semodule with Ansible

I'm trying to install an SELinux module with Ansible, according to the following commands.

ausearch -c 'software' --raw | audit2allow -M my-software
semodule -X 300 -i my-software.pp

So I wrote the following task:

- name: "apply rule my-centreonlinux"
  shell: ausearch -c 'centreon_linux_' --raw | audit2allow -M my-centreonlinux ; semodule -X 300 -i my-centreonlinux.pp
  when: '"my-software" not in semodule_list.stdout'
  args:
    chdir: "/tmp/"

The problem is that Ansible doesn't seem to create or preserve the two files generated by the first command (my-software.pp and my-software.te). After deployment, the files can't be found, even after specifying chdir.

  stderr: |-
    libsemanage.map_file: Unable to open my-software.pp
     (No such file or directory).
    libsemanage.semanage_direct_install_file: Unable to read file my-software.pp
     (No such file or directory).
    semodule:  Failed on my-software.pp!

From what I've seen, there's no other way to implement an SELinux module without relying on Ansible Galaxy. And I can't copy/paste the .pp file generated manually.

How can I make sure Ansible creates/doesn't delete those files?

Thanks in advance for any help you are able to provide.

Upvotes: 0

Views: 4523

Answers (1)

VashTheSampede

Reputation: 1

Nvm, fixed it.

The solution was to copy the content of the .te file into a readable document (the .pp file being a compiled module, that's why it was unreadable), copy it to the host and compile it locally before installing the policy.

Big thanks to Michael Trojanek and his helpful tutorial.

https://relativkreativ.at/articles/how-to-compile-a-selinux-policy-package

Upvotes: 0
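
The procedure described in the answer (ship the .te source, compile it on the host, then install it), sketched as a playbook. This is an added example, not the poster's own playbook; the host group `monitored`, the build directory `/etc/selinux/local`, the source path `files/my-software.te` and the RHEL/CentOS package names are assumptions.

```yaml
# Added example, not from the original post. Assumed: files/my-software.te next
# to the playbook holds the .te text that audit2allow -M produced; the host
# group "monitored" and /etc/selinux/local are placeholders.
- hosts: monitored
  become: true
  vars:
    mod: my-software
    build_dir: /etc/selinux/local
  tasks:
    - name: Install the policy build tools (RHEL/CentOS package names, assumed)
      ansible.builtin.package:
        name:
          - checkpolicy        # provides checkmodule
          - policycoreutils    # provides semodule and semodule_package
        state: present

    - name: Create a root-only build directory that persists between runs
      ansible.builtin.file:
        path: "{{ build_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: Copy the reviewed type enforcement source to the host
      ansible.builtin.copy:
        src: "files/{{ mod }}.te"
        dest: "{{ build_dir }}/{{ mod }}.te"
        owner: root
        group: root
        mode: "0600"
      register: te_file

    - name: List installed modules
      ansible.builtin.command: semodule -l
      register: semodule_list
      changed_when: false

    # Same substring test as the task in the question; rebuild when the
    # source changed or the module is not loaded yet.
    - name: Compile, package and install the module
      ansible.builtin.shell: |
        set -e
        checkmodule -M -m -o {{ mod }}.mod {{ mod }}.te
        semodule_package -o {{ mod }}.pp -m {{ mod }}.mod
        semodule -X 300 -i {{ mod }}.pp
      args:
        chdir: "{{ build_dir }}"
      when: te_file.changed or mod not in semodule_list.stdout
```

Keeping the .te under version control means the rules that get loaded are the ones that were reviewed, rather than whatever audit2allow derives from the audit log at deploy time.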
