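---
# SELinux handling for the bootstrapped root filesystem mounted at /mnt.
# The outer block restricts everything to the RedHat family; the individual
# tasks then branch on the exact distribution and on the selinux feature flag.
- name: Fix SELinux
  when: os_family == 'RedHat'
  block:
    # Label the chroot before first boot so the target can come up with
    # correct file contexts. -F forces a reset even where a context already
    # looks valid; -e excludes /dev, /proc, /sys and /run (presumably the
    # pseudo-filesystems mounted into the chroot — confirm against the
    # mount step). The Jinja filter is parenthesised because `| bool` binds
    # tighter than `and`, so the intent is explicit.
    - name: Fix SELinux by pre-labeling the filesystem before first boot
      when: os in ['almalinux', 'rocky', 'rhel'] and (system_cfg.features.selinux.enabled | bool)
      ansible.builtin.command: >-
        {{ chroot_command }} /sbin/setfiles -v -F
        -e /dev -e /proc -e /sys -e /run
        /etc/selinux/targeted/contexts/files/file_contexts /
      register: configuration_setfiles_result
      # command fails the task on a non-zero rc, so any run that gets this far
      # is reported as changed.
      changed_when: configuration_setfiles_result.rc == 0

    # setfiles in the chroot misses paths created at first boot (e.g. /var/lib/sss),
    # leaving unlabeled_t files that block services under enforcing SELinux. Force a
    # complete relabel on first boot; fixfiles consumes and removes the flag.
    - name: Force a complete SELinux relabel on first boot
      when: os in ['almalinux', 'rocky', 'rhel'] and (system_cfg.features.selinux.enabled | bool)
      ansible.builtin.file:
        path: /mnt/.autorelabel
        state: touch
        mode: "0644"
        # state=touch bumps the timestamps on every run and therefore always
        # reports "changed"; preserving them makes the task idempotent once
        # the flag file exists.
        access_time: preserve
        modification_time: preserve

    # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
    # is left permissive and expected to relabel on first boot.
    # Despite the task name this writes SELINUX=permissive, not disabled: the
    # policy stays loaded and denials are still logged as AVC audit records,
    # they just are not enforced. On Fedora this applies even when the selinux
    # feature flag is true, so the installed system is not enforcing until a
    # later step switches the mode — NOTE(review): confirm such a step exists.
    - name: Disable SELinux
      when: os == "fedora" or not (system_cfg.features.selinux.enabled | bool)
      ansible.builtin.lineinfile:
        path: /mnt/etc/selinux/config
        regexp: ^SELINUX=
        line: SELINUX=permissive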