From 57f88cf73e5c01cb6bdb29e5c34f42fb2b6152ee Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 20 Sep 2023 16:22:03 +0200
Subject: [PATCH] fix: Use `ignore_selinux_state` module option
It is possible to configure SELinux on nodes with SELinux disabled before they're switch to permissive/enforcing. The only requirement is that targeted SELinux policy (or a policy configured in /etc/selinux/config) needs to be installed. It's also necessary to use seboolean module with `persistent: true` when SELinux is disabled.
Fixes: https://github.com/linux-system-roles/selinux/issues/188
Signed-off-by: Petr Lautrbach
---
tasks/main.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index f78f8a1..9af712c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -68,7 +68,9 @@
seboolean:
name: "{{ item.name }}"
state: "{{ item.state }}"
- persistent: "{{ item.persistent | default('no') }}"
+ persistent: "{{ item.persistent |
default(ansible_selinux.status == 'disabled') }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
with_items: "{{ selinux_booleans }}"
- name: Set SELinux file contexts
@@ -79,6 +81,7 @@
state: "{{ item.state | default('present') }}"
selevel: "{{ item.selevel | default(omit) }}"
seuser: "{{ item.seuser | default(omit) }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
with_items: "{{ selinux_fcontexts }}"
- name: Restore SELinux labels on filesystem tree
@@ -102,6 +105,7 @@
setype: "{{ item.setype }}"
state: "{{ item.state | default('present') }}"
local: "{{ item.local | default(False) }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
with_items: "{{ selinux_ports }}"
- name: Set linux user to SELinux user mapping
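Review bot: The default for `persistent` silently changes on a host with SELinux disabled — a `selinux_booleans` entry without `persistent` used to be a runtime-only toggle and is now written to the policy store — and the commit message is the only place that says so; I would put that on the task itself, `# With SELinux disabled there is no runtime state, so booleans are persisted by default`, and in the README entry for `selinux_booleans`. Separately, both new expressions dereference `ansible_selinux.status` unconditionally: with fact gathering disabled the lookup raises an undefined-variable error, and when the selinux Python bindings are missing the fact holds a different status string, so the flag is just false and the module fails with the pre-patch error. Unless an earlier task in tasks/main.yml already validates this fact (it is outside this hunk), an explicit assert on `ansible_selinux.status in ['enabled', 'disabled']` before these tasks would give a clearer failure.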
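Review bot: With `ignore_selinux_state` the fcontext rule is recorded in the policy store on a disabled host, but the `Restore SELinux labels on filesystem tree` task that follows (its body is outside this hunk) is, as far as I can tell, unable to apply labels while SELinux is disabled because restorecon needs a loaded policy, so files will only be relabelled after the host is switched to permissive/enforcing and relabelled (`/.autorelabel` or `fixfiles`). That gap is easy to miss for someone using this path to pre-stage nodes; I would note it on the restorecon task, `# With SELinux disabled the labels cannot be applied here; a full relabel is required after enabling it`, and in the README. I cannot see from this hunk whether the restorecon task is already guarded on `ansible_selinux.status`.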
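Review bot: The expression `ansible_selinux.status == 'disabled'` is now copied verbatim into four tasks (this ports task plus the boolean, fcontext and login tasks); a single role-internal variable would keep them in step and give the condition a name, e.g. `__selinux_disabled: "{{ ansible_selinux.status == 'disabled' }}"` in the role's vars (or a `set_fact` before these tasks) and then `ignore_selinux_state: "{{ __selinux_disabled }}"` here. It also leaves one place to adjust if the role later needs to treat the "missing selinux Python library" status differently from a real disabled host. The header of the ports task starts above this hunk.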
@@ -111,6 +115,7 @@
serange: "{{ item.serange | default('s0') }}"
state: "{{ item.state | default('present') }}"
reload: "{{ item.reload | default(False) }}"
+ ignore_selinux_state: "{{ ansible_selinux.status == 'disabled' }}"
with_items: "{{ selinux_logins }}"
notify: __selinux_reload_policy
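Review bot: On a disabled host this task now succeeds but still notifies `__selinux_reload_policy`; the handler body is outside this hunk, but if it reloads policy via `semodule -R` or `load_policy` it will fail or do nothing without a loaded kernel policy, and the per-item `reload` passed on the line above has the same problem when an entry sets it to true. I would guard the handler with `when: ansible_selinux.status != 'disabled'` and force `reload` off on disabled hosts, e.g. `reload: "{{ item.reload | default(False) if ansible_selinux.status != 'disabled' else False }}"`. The header of the login mapping task starts above this hunk.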