Add new SELinux validation check

As the default SELinux mode for CentOS is Permissive, we only warn (not fail) if SELinux is not running in Enforcing mode on CentOS. Change-Id: Id991b39a062b4962355b682c175fe92e8f92e0bb Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2017-10-11 13:25:44 +02:00 · 2017-10-11 13:25:44 +02:00 · c6e62ac7bf
parent 13c108aab6
commit c6e62ac7bf
2 changed files with 39 additions and 0 deletions
--- a/releasenotes/notes/add-selinux-validation-e23694aaf94d2a66.yaml
+++ b/releasenotes/notes/add-selinux-validation-e23694aaf94d2a66.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    New validation to check for the SELinux Enforcing mode on the Undercloud.
--- a/validations/undercloud-selinux-mode.yaml
+++ b/validations/undercloud-selinux-mode.yaml
@ -0,0 +1,35 @@
+---
+- hosts: undercloud
+  vars:
+    metadata:
+      name: Undercloud SELinux Enforcing Mode Check
+      description: >
+        Check if the Undercloud is running SELinux in Enforcing mode.
+      groups:
+        - prep
+        - pre-introspection
+  tasks:
+    - name:  Get current SELinux mode
+      command: getenforce
+      become: true
+      register: sestatus
+      changed_when: False
+
+    - name: Fail if SELinux is not in Enforced mode (RHEL)
+      fail:
+        msg: >-
+          SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
+          Ensure that SELinux is enabled and running in Enforcing mode.
+      when:
+        - "sestatus.stdout != 'Enforcing'"
+        - "ansible_distribution == 'RedHat'"
+
+    - name: Warn if SELinux is not in Enforced mode (CentOS)
+      warn:
+        msg: >-
+          SELinux is running in {{ sestatus.stdout }} mode on the Undercloud.
+          Ensure that SELinux is enabled and running in Enforcing mode.
+      when:
+        - "sestatus.stdout != 'Enforcing'"
+        - "ansible_distribution == 'CentOS'"
+