From 6dabe438477b3cafdf9d0d3b30db43f9bef2ed0c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 20 Sep 2023 16:22:03 +0200
Subject: [PATCH] fix: Use `ignore_selinux_state` module option

It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing. The only requirement is that targeted SELinux policy (or a policy configured in /etc/selinux/config) needs to be installed.

Fixes: https://github.com/linux-system-roles/selinux/issues/188
Signed-off-by: Petr Lautrbach
---
 tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tasks/main.yml b/tasks/main.yml
index f78f8a1..5cd0ee2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -69,6 +69,7 @@
 name: "{{ item.name }}"
 state: "{{ item.state }}"
 persistent: "{{ item.persistent | default('no') }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
 with_items: "{{ selinux_booleans }}"

 - name: Set SELinux file contexts
@@ -79,6 +80,7 @@
 state: "{{ item.state | default('present') }}"
 selevel: "{{ item.selevel | default(omit) }}"
 seuser: "{{ item.seuser | default(omit) }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
 with_items: "{{ selinux_fcontexts }}"

 - name: Restore SELinux labels on filesystem tree
@@ -102,6 +104,7 @@
 setype: "{{ item.setype }}"
 state: "{{ item.state | default('present') }}"
 local: "{{ item.local | default(False) }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
 with_items: "{{ selinux_ports }}"

 - name: Set linux user to SELinux user mapping
@@ -111,6 +114,7 @@
 serange: "{{ item.serange | default('s0') }}"
 state: "{{ item.state | default('present') }}"
 reload: "{{ item.reload | default(False) }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
 with_items: "{{ selinux_logins }}"
 notify: __selinux_reload_policy
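Review bot: The added line in the `@@ -69,6 +69,7 @@` hunk reads `ansible_selinux.status` with no fallback, so a play that skips or narrows fact gathering would fail these tasks on an undefined variable; the identical line recurs in the hunks at -79, -102 and -111. Unless the role gathers that fact earlier (the tasks begin outside the hunks, so this cannot be confirmed here), a guarded form such as `ignore_selinux_state: "{{ ansible_selinux.status | default('') == 'disabled' }}"` fails closed to the module's normal state check. Because the expression is repeated four times, computing it once in a role-internal variable and referencing that would keep the tasks consistent if the condition ever changes. A short comment above the first use, e.g. `# allow configuring the policy store while SELinux is disabled; the policy must be installed`, would carry the commit message's requirement into the file.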
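Review bot: In the `@@ -79,6 +80,7 @@` hunk, file-context rules accepted while SELinux is disabled are presumably only recorded in the policy store, so files on disk keep their current (or missing) labels. The "Restore SELinux labels on filesystem tree" task that follows is not touched by this commit. Its body is outside the hunk, so whether it runs or has any effect on a disabled host cannot be told from here. A comment above the added line, e.g. `# rules are stored only; files get these labels after SELinux is enabled and a relabel runs`, would help. A README note should add that a host moved from disabled to permissive/enforcing needs a full relabel before the configured contexts can be relied on.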