diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml
index 2fa8b21db16..f7e54ef6bde 100644
--- a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml
@@ -4,9 +4,19 @@
 # complexity = low
 # disruption = low
+- name: "{{{ rule_title }}} - Check current SELinux state"
+ ansible.builtin.command:
+ cmd: getenforce
+ register: selinux_state
+ check_mode: false
+ changed_when: false
+
 {{{ ansible_selinux_config_set(parameter="SELINUX", value="permissive", rule_title=rule_title) }}}
-- name: "{{{ RULE_TITLE }}} - Mark system to relabel SELinux on next boot"
+- name: "{{{ rule_title }}} - Mark system to relabel SELinux on next boot"
 ansible.builtin.file:
 path: /.autorelabel
 state: touch
+ access_time: preserve
+ modification_time: preserve
+ when: selinux_state.stdout | lower != "permissive"
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
index a3780dc078f..3c1d99eafd0 100644
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
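Review bot: The `when` on the relabel task in selinux_not_disabled/ansible/shared.yml is still broader than it needs to be: `selinux_state.stdout | lower != "permissive"` is also true on a host that `getenforce` reports as Enforcing, so that host gets `/.autorelabel` created and a full relabel on its next boot. Files keep their labels while SELinux is enforcing or permissive, so the marker should only be needed when the runtime state is disabled: `when: selinux_state.stdout | lower == "disabled"`. The second hunk (selinux_state/ansible/shared.yml) has the same shape with `!= var_selinux_state`, which also schedules a relabel on a permissive-to-enforcing switch; if that is intended, a comment saying so would help. A full relabel can take a long time on large filesystems, which sits badly with the `# disruption = low` header.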
@@ -5,9 +5,19 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_selinux_state") }}}
+- name: "{{{ rule_title }}} - Check current SELinux state"
+ ansible.builtin.command:
+ cmd: getenforce
+ register: selinux_state
+ check_mode: false
+ changed_when: false
+
 {{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}", rule_title=rule_title) }}}
-- name: "{{{ RULE_TITLE }}} - Mark system to relabel SELinux on next boot"
+- name: "{{{ rule_title }}} - Mark system to relabel SELinux on next boot"
 ansible.builtin.file:
 path: /.autorelabel
 state: touch
+ access_time: preserve
+ modification_time: preserve
+ when: selinux_state.stdout | lower != var_selinux_state
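Review bot: The new `getenforce` task has no failure handling and sits ahead of the `ansible_selinux_config_set` macro, so on a host where the binary is missing the command task fails and the play presumably stops for that host before the `SELINUX` setting is written. Adding `failed_when: false` to the check task and reading the result as `selinux_state.stdout | default('') | lower` in the later `when` would let the config change proceed, with an unknown state treated as needing the relabel marker. The same task is added in the first hunk (selinux_not_disabled/ansible/shared.yml). Whether `getenforce` is guaranteed by the rule's platform applicability is not visible in this diff.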