path: root/roles/selinux_policy/tasks/main.yml
- name: create custom SELinux module directory
  # Holds the .te source plus the transient .mod/.pp build artifacts.
  # No owner/group/mode is given, so Ansible's file-module defaults apply
  # when the directory has to be created.
  file:
    state: directory
    path: "{{ selinux_policy_custom_dir }}"

- name: create SELinux type-enforcement file
  # Writes <custom_dir>/<name>.te: the `module` header (version falls back
  # to 1.0 when selinux_policy_version is unset), a blank line, then the
  # rules supplied in selinux_policy_te. The result is registered so the
  # rebuild step later in this file can be gated on an actual source change.
  copy:
    dest: "{{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.te"
    content: |
      module {{ selinux_policy_name }} {{ selinux_policy_version | default('1.0') }};

      {{ selinux_policy_te }}
  register: selinux_te_file

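- name: check if SELinux policy is loaded
  # Exact whole-line match on the module name instead of a substring grep:
  # `cut -f1` keeps only the first tab-separated column (some semodule
  # releases append a version column), and `grep -Fx` rejects partial hits
  # such as "foo" matching "foobar". `| quote` shell-escapes the name and
  # `--` stops grep from reading a name beginning with "-" as an option.
  # rc 0 means loaded; any non-zero rc (including a semodule failure, since
  # the pipeline has no pipefail) is treated as "not loaded" by the rebuild
  # step, where semodule -i then surfaces the real error.
  shell: semodule -l | cut -f1 | grep -Fxq -- {{ selinux_policy_name | quote }}
  changed_when: false
  failed_when: false
  register: se_policy_loaded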

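- name: compile and load SELinux module
  # Rebuild only when the .te source changed or the module is not loaded.
  # Ordering: compile and package first, unload/load last, so a failing
  # checkmodule or semodule_package leaves the currently loaded policy
  # in place instead of a system with the module already removed.
  # argv form passes each templated value as a single argument, so a
  # name or directory containing whitespace is not split by the
  # command module's own argument parsing.
  when: selinux_te_file.changed or se_policy_loaded.rc != 0
  vars:
    _selinux_policy_base: "{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}"
  block:
    - name: compile SELinux module
      command:
        argv:
          - checkmodule
          - "-M"
          - "-m"
          - "-o"
          - "{{ _selinux_policy_base }}.mod"
          - "{{ _selinux_policy_base }}.te"

    - name: build SELinux policy package
      command:
        argv:
          - semodule_package
          - "-o"
          - "{{ _selinux_policy_base }}.pp"
          - "-m"
          - "{{ _selinux_policy_base }}.mod"

    - name: unload SELinux module
      command:
        argv:
          - semodule
          - "-r"
          - "{{ selinux_policy_name }}"
      when: se_policy_loaded.rc == 0

    - name: load SELinux module
      command:
        argv:
          - semodule
          - "-i"
          - "{{ _selinux_policy_base }}.pp"

  always:
    # Remove the intermediate .mod/.pp even when a build step failed; only
    # the .te source is kept in the custom directory.
    - name: clean up build artifacts
      file:
        path: "{{ _selinux_policy_base }}.{{ item }}"
        state: absent
      loop:
        - mod
        - pp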