selinux: check if policy exists before switching (#31834)

* selinux: check if policy exists before switching * Check the policy dir (cherry picked from commit 0592fd47bc)
2017-11-28 17:09:25 +01:00 · 2017-11-28 17:09:25 +01:00 · 5340da2a7d
commit 5340da2a7d
parent f0741ecaa0
3 changed files with 41 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,7 @@ Ansible Changes By Release

 ### Bugfixes
 * Fix `pamd` rule args regexp to match file paths (https://github.com/ansible/ansible/pull/33432)
+* Check if SELinux policy exists before setting (https://github.com/ansible/ansible/pull/31834)

 <a id="2.4.2"></a>

--- a/lib/ansible/modules/system/selinux.py
+++ b/lib/ansible/modules/system/selinux.py
@ -151,6 +151,9 @@ def set_state(module, state):


 def set_config_policy(module, policy, configfile):
+    if not os.path.exists('/etc/selinux/%s/policy' % policy):
+        module.fail_json(msg='Policy %s does not exist in /etc/selinux/' % policy)
+
    # edit config file with state value
    # SELINUXTYPE=targeted
    policyline = 'SELINUXTYPE=%s' % policy
--- a/test/integration/targets/selinux/tasks/selinux.yml
+++ b/test/integration/targets/selinux/tasks/selinux.yml
@ -106,6 +106,11 @@
 # ##############################################################################
 # Test changing only the policy, which does not require a reboot

+- name: TEST 2 | Make sure the policy is present
+  package:
+    name: selinux-policy-mls
+    state: present
+
 - name: TEST 2 | Set SELinux policy
  selinux:
    state: enforcing
@ -168,3 +173,35 @@
  selinux:
    state: enforcing
    policy: targeted
+
+
+# Third Test
+# ##############################################################################
+# Test changing non-existing policy
+
+- name: TEST 3 | Set SELinux policy
+  selinux:
+    state: enforcing
+    policy: non-existing-selinux-policy
+  register: _state_test1
+  ignore_errors: yes
+
+- debug:
+    var: _state_test1
+    verbosity: 1
+
+- name: TEST 3 | Re-gather facts
+  setup:
+
+- debug:
+    var: ansible_selinux
+  tags: debug
+
+- name: TEST 3 | Assert that status was not changed, the task failed, the msg contains proper information and SELinux was not changed
+  assert:
+    that:
+      - not _state_test1 | changed
+      - _state_test1 | failed
+      - _state_test1.msg == 'Policy non-existing-selinux-policy does not exist in /etc/selinux/'
+      - ansible_selinux.config_mode == 'enforcing'
+      - ansible_selinux.type == 'targeted'