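#!/usr/local/bin/python3.8
# -*- coding: utf-8 -*-

# Copyright: (c) 2015, Michael Scherer <misc@zarb.org>
# inspired by code of github.com/dandiker/
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function
__metaclass__ = type

DOCUMENTATION = r'''
---
module: selinux_permissive
short_description: Change permissive domain in SELinux policy
description:
  - Add and remove a domain from the list of permissive domains.
options:
  domain:
    description:
      - The domain that will be added or removed from the list of permissive domains.
    type: str
    required: true
    aliases: [ name ]
  permissive:
    description:
      - Indicate if the domain should or should not be set as permissive.
    type: bool
    required: true
  no_reload:
    description:
      - Disable reloading of the SELinux policy after making change to a domain's permissive setting.
      - The default is C(no), which causes policy to be reloaded when a domain changes state.
      - Reloading the policy does not work on older versions of the C(policycoreutils-python) library, for example in EL 6.
    type: bool
    default: no
  store:
    description:
      - Name of the SELinux policy store to use.
    type: str
    default: ''
notes:
  - Requires a recent version of SELinux and C(policycoreutils-python) (EL 6 or newer).
requirements: [ policycoreutils-python ]
author:
- Michael Scherer (@mscherer) <misc@zarb.org>
'''

EXAMPLES = r'''
- name: Change the httpd_t domain to permissive
  community.general.selinux_permissive:
    name: httpd_t
    permissive: true
'''

import traceback

# seobject ships with policycoreutils-python; its absence is reported through
# fail_json() at run time rather than as an import-time crash, so the module
# can still be loaded by Ansible to produce a proper error.
HAVE_SEOBJECT = False
SEOBJECT_IMP_ERR = None
try:
    import seobject
    HAVE_SEOBJECT = True
except ImportError:
    SEOBJECT_IMP_ERR = traceback.format_exc()

from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.common.text.converters import to_native


def _call_or_fail(module, domain, func, *args):
    """Call ``func(*args)`` and convert a ``ValueError`` into a module failure.

    seobject reports policy-store problems (unknown store, unknown domain,
    permission denied on the store) as ``ValueError``; every such call in
    this module maps that to the same ``fail_json`` shape.

    :param module: the AnsibleModule used for ``fail_json``.
    :param domain: domain name echoed back in the failure result.
    :param func: callable to invoke.
    :param args: positional arguments passed to ``func``.
    :return: whatever ``func`` returns on success.
    """
    try:
        return func(*args)
    except ValueError as e:
        # fail_json() exits the module; nothing after this line runs.
        module.fail_json(domain=domain, msg=to_native(e), exception=traceback.format_exc())


def main():
    """Entry point: add or remove ``domain`` from the SELinux permissive list.

    Setting a domain permissive removes SELinux enforcement for processes in
    that domain (denials are logged rather than blocked), so a
    ``permissive: true`` task is a deliberate weakening of mandatory access
    control and should be reviewed like one. ``changed`` is reported whenever
    the desired state differs from the current one, including in check mode,
    where nothing is written.
    """
    module = AnsibleModule(
        argument_spec=dict(
            domain=dict(type='str', required=True, aliases=['name']),
            store=dict(type='str', default=''),
            permissive=dict(type='bool', required=True),
            no_reload=dict(type='bool', default=False),
        ),
        supports_check_mode=True,
    )

    changed = False
    store = module.params['store']
    permissive = module.params['permissive']
    domain = module.params['domain']
    no_reload = module.params['no_reload']

    if not HAVE_SEOBJECT:
        module.fail_json(changed=False, msg=missing_required_lib("policycoreutils-python"),
                         exception=SEOBJECT_IMP_ERR)

    permissive_domains = _call_or_fail(module, domain, seobject.permissiveRecords, store)

    # set_reload() is missing on older policycoreutils-python (EL 6); there the
    # no_reload option has no effect and the policy is simply not reloaded.
    if hasattr(permissive_domains, 'set_reload'):
        permissive_domains.set_reload(not no_reload)

    all_domains = _call_or_fail(module, domain, permissive_domains.get_all)

    # Only act when the desired state differs from the current one so that the
    # module is idempotent and check mode reports the same ``changed`` value.
    currently_permissive = domain in all_domains
    if permissive != currently_permissive:
        if not module.check_mode:
            action = permissive_domains.add if permissive else permissive_domains.delete
            _call_or_fail(module, domain, action, domain)
        changed = True

    module.exit_json(changed=changed, store=store,
                     permissive=permissive, domain=domain)


if __name__ == '__main__':
    main()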