blob: 0ec008bc00c9822fc725d68a5bcfc1f5012ec21c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
- name: create custom SELinux module directory
file:
path: '{{ selinux_policy_custom_dir }}'
state: directory
- name: create SELinux type-enforcement file
copy:
content: |
module {{ selinux_policy_name }} {{ selinux_policy_version | default('1.0') }};
{{ selinux_policy_te }}
dest: '{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}.te'
register: selinux_te_file
- name: check if SELinux policy is loaded
shell: semodule -l | grep -q {{ selinux_policy_name }}
changed_when: false
failed_when: false
register: se_policy_loaded
- name: compile and load SELinux module
block:
- name: unload SELinux module
command: semodule -r {{ selinux_policy_name }}
when: se_policy_loaded.rc == 0
- name: compile SELinux module
command: checkmodule -M -m -o {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.mod {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.te
- name: build SELinux policy package
command: semodule_package -o {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.pp -m {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.mod
- name: load SELinux module
command: semodule -i {{ selinux_policy_custom_dir ~ '/' ~ selinux_policy_name }}.pp
- name: clean up build artifacts
file:
path: '{{ selinux_policy_custom_dir }}/{{ selinux_policy_name }}.{{ item }}'
state: absent
loop:
- mod
- pp
when: selinux_te_file.changed or se_policy_loaded.rc != 0
|