From a9347ec48770bd9134b67e760dd3f7013db7ea9e Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 25 Jul 2021 04:08:01 +0000
Subject: [PATCH] Templatize SELinux configuration

---
 defaults/main.yml | 2 -
 tasks/main.yml | 110 ++++++++++++++++++++++++++++++++++++-
 vars/Fedora-34-default.yml | 14 +++++
 vars/defaults.yml | 2 +
 4 files changed, 123 insertions(+), 5 deletions(-)
 create mode 100644 vars/Fedora-34-default.yml
 create mode 100644 vars/defaults.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 36ad9c9..e266585 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,3 @@
 ---
 # defaults file for ensure_selinux
-selinux_policy: 'targeted'
-selinux_state: 'enforcing'
diff --git a/tasks/main.yml b/tasks/main.yml
index 45ba7d7..240496c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,12 +1,116 @@
 ---
 # tasks file for ensure_selinux
-- name: 'Ensure SELinux is enforcing'
+- name: 'include variables'
+ when:
+ - ansible_system == 'Linux'
+ include_vars:
+ file: '{{ lookup("first_found", findme ) }}'
+ name: 'ensure_selinux'
+ vars:
+ findme:
+ files:
+ - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
+ - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml'
+ - '{{ ansible_distribution }}-default.yml'
+ - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
+ - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml'
+ - '{{ ansible_os_family }}-default.yml'
+ - 'default.yml'
+ paths:
+ - '../vars/'
+ errors: 'ignore'
+- name: 'package discovery'
+ when:
+ - ansible_system == 'Linux'
+ - packages is not defined
+ ansible.builtin.package_facts:
+- name: 'service discovery'
+ when:
+ - ansible_system == 'Linux'
+ - services is not defined
+ ansible.builtin.service_facts:
+- name: 'ensure packages'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_selinux is defined
+ - ensure_selinux.package_list is defined
+ - ensure_selinux.package_list is iterable
+ - packages[item.name] is not defined
+ ansible.builtin.package:
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_selinux.package_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_selinux.package_facts'
+ - 'ensure_selinux.service_facts'
+- name: 'ensure configurations'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_selinux is defined
+ - ensure_selinux.template_list is defined
+ - ensure_selinux.template_list is iterable
+ ansible.builtin.template:
+ backup: 'no'
+ dest: '{{ item.dest }}'
+ group: '{{ item.group | default(omit) }}'
+ mode: '{{ item.mode | default(omit) }}'
+ owner: '{{ item.owner | default(omit) }}'
+ selevel: '{{ iteml.selevel | default(omit) }}'
+ serole: '{{ item.serole | default(omit) }}'
+ setype: '{{ item.setype | default(omit) }}'
+ seuser: '{{ item.seuser | default(omit) }}'
+ src: '{{ item.src }}'
+ loop: '{{ ensure_selinux.template_list }}'
+ loop_control:
+ label: '{{ item.dest }} will be ensured'
+ notify:
+ - 'ensure_selinux.package_facts'
+ - 'ensure_selinux.service_facts'
+- name: 'ensure services'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_selinux is defined
+ - ensure_selinux.service_list is defined
+ - ensure_selinux.service_list is iterable
+ ansible.builtin.service:
+ enabled: '{{ item.enabled }}'
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_selinux.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_selinux.package_facts'
+ - 'ensure_selinux.service_facts'
+- name: 'Ensure SELinux is configured'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_selinux is defined
+ - ensure_selinux.selinux_policy is defined
+ - ensure_selinux.selinux_state is defined
 ansible.posix.selinux:
- policy: '{{ selinux_policy }}'
- state: '{{ selinux_state }}'
+ policy: '{{ ensure_selinux.selinux_policy }}'
+ state: '{{ ensure_selinux.selinux_state }}'
 register: 'results'
 - name: 'Reboot if required'
 when:
 - results.reboot_required
 reboot:
+- name: 'ensure seboolean'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_selinux is defined
+ - ensure_selinux.seboolean_list is defined
+ - ensure_selinux.seboolean_list is iterable
+ ansible.posix.seboolean:
+ name: '{{ item.name }}'
+ persistent: '{{ item.persistent }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_selinux.seboolean_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+- name: 'flush handlers'
+ meta: 'flush_handlers'
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
new file mode 100644
index 0000000..e3f439a
--- /dev/null
+++ b/vars/Fedora-34-default.yml
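Review bot: `selevel: '{{ iteml.selevel | default(omit) }}'` in the 'ensure configurations' task references `iteml` instead of `item`; because the expression ends in `default(omit)` the typo is swallowed and the SELinux level from template_list is silently never applied, so it should read `selevel: '{{ item.selevel | default(omit) }}'`. Second, 'Ensure SELinux is configured' is now conditional while the following 'Reboot if required' still tests `results.reboot_required` unguarded; when the first task is skipped, `results` most likely holds only the skip record and the conditional fails at runtime, so add `- results.reboot_required is defined` ahead of it. The handlers notified as `ensure_selinux.package_facts` and `ensure_selinux.service_facts` are not part of this patch; unless they already exist in the role's handlers file, the notify lines will error once a task changes.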
@@ -0,0 +1,14 @@
+---
+# vars file for ensure_selinux
+package_list:
+ - name: 'python3-libselinux'
+ state: 'present'
+ - name: 'python3-libsemanage'
+ state: 'present'
+seboolean_list:
+ - name: 'antivirus_can_scan_system'
+ persistent: 'yes'
+ state: 'yes'
+selinux_policy: 'targeted'
+selinux_state: 'enforcing'
+
diff --git a/vars/defaults.yml b/vars/defaults.yml
new file mode 100644
index 0000000..e6ae2d5
--- /dev/null
+++ b/vars/defaults.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ensure_selinux
\ No newline at end of file
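Review bot: `persistent: 'yes'` and `state: 'yes'` under seboolean_list are quoted strings rather than booleans; ansible.posix.seboolean will coerce them, but `persistent: true` / `state: true` states the intent directly and avoids the yes/no truthy ambiguity that yamllint flags. Separately, enabling `antivirus_can_scan_system` for every Fedora 34 host is a policy loosening shipped as a role-wide default, with nothing in the file saying why the role needs it; a comment above the entry such as `# required so <scanner> can read all files; remove if no AV is deployed` (or moving the entry to a host/group var so it is opt-in) would make the decision reviewable. The file also ends with a stray blank added line.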
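Review bot: The new file is `vars/defaults.yml`, but the first_found list in tasks/main.yml ends with `'default.yml'`, so this generic fallback is never matched and any host without a more specific vars file gets no `ensure_selinux` variables at all. Because every task is guarded by `ensure_selinux is defined`, such hosts silently skip the whole role, including the enforcing-mode task that used to run unconditionally from defaults/main.yml; rename the file to `vars/default.yml` (or change the lookup entry) and consider carrying `selinux_policy`/`selinux_state` in it so the previous default behaviour is preserved. The file also lacks a trailing newline.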