From cf358f169de287f9bf078c21fc2bb40b0a78d342 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Mon, 23 May 2022 16:12:12 +0100
Subject: [PATCH] Use pam_env for su commands on Centos-9

See https://access.redhat.com/errata/RHBA-2022:4082

Change-Id: Ibe4ab810ba48c9735af187d39fc34a7451c12d8a
---
 tasks/main.yml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index ac215976..2332f00f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -52,13 +52,21 @@
 tags:
 - openstack_hosts-config

-- name: Ensure environement is applied during sudo
- lineinfile:
- path: /etc/pam.d/sudo
- line: "session required pam_env.so readenv=1 user_readenv=0"
- regexp: 'session\s+required\s+pam_env\.so'
- insertbefore: '^@include'
- when: ansible_facts['distribution'] | lower == 'debian'
+# NOTE(jrosser) Remove this task when https://access.redhat.com/errata/RHBA-2022:4082
+# has a fix merged to Centos-9 as well as RHEL.
+- name: Ensure environement is applied during su
+ community.general.pamd:
+ name: su
+ type: auth
+ control: sufficient
+ module_path: pam_rootok.so
+ new_type: auth
+ new_control: required
+ new_module_path: pam_env.so
+ state: before
+ when:
+ - ansible_facts['distribution'] == 'CentOS'
+ - ansible_facts['distribution_version'] == '9'

 - name: Create systemd global directory
 file:
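Review bot: The new `pam_env.so` rule for `su` is added with no module arguments, whereas the removed sudo task pinned `readenv=1 user_readenv=0`, so whether per-user environment files are ignored now depends on the Linux-PAM default on the host. Because the rule goes into the `auth` stack of a privilege-switching command, I would state it explicitly with `module_arguments: user_readenv=0`. The task also edits the `su` PAM service file in place, and `backup: true` would leave a copy to roll back to if the rule lands in the wrong position. In the `when:` list, `ansible_facts['distribution_major_version'] == '9'` would keep matching if `distribution_version` ever carries a minor component. The commit message does not mention that the Debian sudo task is dropped, so please confirm that removal is intended.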