Vh-ddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl Z dZ ddlZdZddlmZmZdd lmZdd lmZdd lmZmZd Zd ZdZdZdZ dZ!dZ"dZ#e$dk(re#yy#e$re j"Z dZY\wxYw))absolute_importdivisionprint_functionai --- module: selinux short_description: Change policy and state of SELinux description: - Configures the SELinux mode and policy. - A reboot may be required after usage. - Ansible will not issue this reboot but will let you know when it is required. version_added: "1.0.0" options: policy: description: - The name of the SELinux policy to use (e.g. C(targeted)) will be required unless O(state=disabled). type: str state: description: - The SELinux mode. required: true choices: [ disabled, enforcing, permissive ] type: str update_kernel_param: description: - If set to V(true), will update also the kernel boot parameters when disabling/enabling SELinux. - The C(grubby) tool must be present on the target system for this to work. default: false type: bool version_added: '1.4.0' configfile: description: - The path to the SELinux configuration file, if non-standard. default: /etc/selinux/config aliases: [ conf, file ] type: str requirements: [ libselinux-python ] author: - Derek Carter (@goozbach) a5 - name: Enable SELinux ansible.posix.selinux: policy: targeted state: enforcing - name: Put SELinux in permissive mode, logging actions that would be blocked. ansible.posix.selinux: policy: targeted state: permissive - name: Disable SELinux ansible.posix.selinux: state: disabled a msg: description: Messages that describe changes that were made. returned: always type: str sample: Config SELinux state changed from 'disabled' to 'permissive' configfile: description: Path to SELinux configuration file. returned: always type: str sample: /etc/selinux/config policy: description: Name of the SELinux policy. returned: always type: str sample: targeted state: description: SELinux mode. returned: always type: str sample: enforcing reboot_required: description: Whether or not an reboot is required for the changes to take effect. returned: always type: bool sample: true NTF) AnsibleModulemissing_required_lib) get_bin_path)get_file_lines)respawn_moduleHAS_RESPAWN_UTILct|d}|D]>}tjd|}|s|jddj cSy)NFstrip ^SELINUX=.*$=r rematchsplitr configfilelinesline statelines i/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/ansible/posix/plugins/modules/selinux.pyget_config_staterrsL :U 3E.HH_d3 ::c?1%++- -.ct|d}|D]>}tjd|}|s|jddj cSy)NFr ^SELINUXTYPE=.*$rrrrs rget_config_policyr {sM :U 3E.HH0$7 ::c?1%++- -.rcP||jdd|j|dg\}}}|dk7r|jdd}d}|jd D]D}tjd |}||j d jd } d | vrd}Cd}F||k(ry|S)Nz"'grubby' command not found on hostzxIn order to update the kernel command lineenabled/disabled setting, the grubby packageneeds to be present on the system.msgdetailsz --info=ALLrzunable to run grubbyr#T z ^args="(.*)"$r selinux=0F) fail_json run_commandrrrgroup) module grubby_binrcstdoutstderr all_enabled all_disabledrrargss rget_kernel_enabledr4sA"F  G  ++Z,FGB Qw34KL T"!$/ = {{1~##C( $ K L!{" rc |d|z}t|d}tj\}}t|d5}d}|D]C} t j d| rd}|j t jd|| dzE|s|j d |zddd|j||y#1swYxYw) Nz SELINUX=%sFr wrTz ^SELINUX=.*r&z SELINUX=%s ) r tempfilemkstempopenrrwritesub atomic_move) r,staterrrtmpfdtmpfile write_file line_foundrs rset_config_staterBsu$I :U 3E%%'NE7 gs 5z  MDxx.!   RVVNItDtK L M    ^e3 45 w +55s A!B22B;c|dk(rtjdy|dk(rtjdy|dk(ryd|z}|j|y)N enforcingr permissiverdisabledz&trying to set invalid runtime state %sr%)selinuxsecurity_setenforcer))r,r=r#s r set_staterIsT ##A& , ##A& *  6>S!rc|j|d|rdnddg\}}}|dk7r(|r|jdy|jdyy) Nz--update-kernel=ALLz --remove-argsz--argsr(rz-unable to remove selinux=0 from kernel configr%z(unable to add selinux=0 to kernel config)r*r))r,r-valuer.r/r0s rset_kernel_enabledrLsb++Z9N@E_8-8-:;B Qw    !P  Q   !K  L rc tjjd|zs|jd|zd|z}t |d}t j \}}t|d5}d}|D]C} tjd| rd }|jtjd || d zE|s|jd |zddd|j||y#1swYxYw) Nz/etc/selinux/%s/policyz)Policy %s does not exist in /etc/selinux/r%zSELINUXTYPE=%sFr r6rTz^SELINUXTYPE=.*r&zSELINUXTYPE=%s ) ospathexistsr)r r7r8r9rrr:r;r<) r,policyr policylinerr>r?r@rArs rset_config_policyrSs 77>>2V; <H6QR"F*J :U 3E%%'NE7 gs :z  RDxx+T2!   RVV$6 DIDP Q R    /&8 9: w +::s -A!C))C2c tttdtddgdtddddg td d  d}ts1tr t d|j t dtd }g}|jd}|jd}|jd}|jd}tj}tjd}d} d} d } |rtjrd} nd} tjj|s"|j dj!|dt#|} t%|} |r t'd}t+||} |dk7r|s|j dn|s| }||k7r8|j,r|j/d |j1d!|d"|d#d}|| k7rH|j,r|j/d t3||||j1d$|d%| d"|d#d}|| k7r|r|dk(rH| dk7r/|j,s t5|d|j7d&| zd}n|j7d'd} nI|j,s t5|||j1d(| d"|d#d}n|j7d)|zd} || k7r3|j,s t9||||j1d*| d"|d#d}|d+v}|rD| |k7r?|j,s t;|||rd,}nd-}| d.|df}|j1d/|zd}|j/|d0j=||||| 1y#t($rd}YwxYw)2Nstr)typeT)rDrErF)rVrequiredchoicesz/etc/selinux/configconffile)rVdefaultaliasesboolF)rVr[)rQr=rupdate_kernel_param) argument_specsupports_check_moderGzlibselinux-python)r# exceptionrrQr=r^rrFrDrEzUnable to find file {0}zSPlease install SELinux-policy package, if this package is not installed previously.r"grubbyz-Policy is required if state is not 'disabled'r%)changedz%Running SELinux policy changed from 'z' to ''z!SELinux policy configuration in 'z' changed from 'zgSELinux state temporarily changed from '%s' to 'permissive'. State change will take effect next reboot.z1SELinux state change will take effect next rebootzSELinux state changed from 'z/Reboot is required to set SELinux state to '%s'z#Config SELinux state changed from ')rDrE)rFenabled)rerFzz.Kernel SELinux state changed from '%s' to '%s'z, )rcr#rrQr=reboot_required)rdict HAS_SELINUXr r r)rSELINUX_IMP_ERRparamsrGis_selinux_enabledselinux_getpolicytypesecurity_getenforcerNrOisfileformatr rr ValueErrorr4 check_mode exit_jsonappendrSrIwarnrBrLjoin)r,rcmsgsrrQr=r^runtime_enabledruntime_policy runtime_statekernel_enabledrf config_policy config_stater-requested_kernel_enabledstatess rmainrs U#ED:ab0EPVX^O_` $&% @  !F   9 %12EFRabG D|,J ]]8 $F MM' "E --(=>002O224Q7NMNO  & & ('M(M 77>>* %6==jI"P  Q&j1M#J/L %h/J,FJ?    !P  Q"F      T  * .Z`ab       T  *&&*5 Xbdqsyz{   " L0!,,!&,7KK!JN[!\]"GKK ST"&((fe, X]^_ KKIEQ R"O   VUJ 7 V[\]$(CC~1II  vz3K L #,F,F  !&q 2F DvMN W$))D/jY_glNOQ J s) M.. M=<M=__main__)% __future__rrrrV __metaclass__ DOCUMENTATIONEXAMPLESRETURNrNrr7 tracebackrirGrh ImportError format_excansible.module_utils.basicrr#ansible.module_utils.common.processr ansible.module_utils.facts.utilsr ?ansible_collections.ansible.posix.plugins.module_utils._respawnr r rr r4rBrIrLrSr__name__rrrsA@ $ L   8 K K<;l..:,* "M,0vOr zFq*i**,OKsA..B B