diff --git a/ansible/roles/selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml
index 80481b39f..8966e67f3 100644
--- a/ansible/roles/selinux/defaults/main.yml
+++ b/ansible/roles/selinux/defaults/main.yml
@@ -11,3 +11,8 @@ selinux_do_reboot: false
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
 selinux_reboot_timeout:
+
+# Whether or not to update the selinux kernel parameter. Can be useful if you
+# have selinux= set on the kernel command line. Default is to use
+# the module default.
+selinux_update_kernel_param: "{{ omit }}"
diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml
index 2e375d5a3..43551d998 100644
--- a/ansible/roles/selinux/tasks/main.yml
+++ b/ansible/roles/selinux/tasks/main.yml
@@ -16,6 +16,7 @@
 selinux:
 policy: "{{ selinux_policy }}"
 state: "{{ selinux_state }}"
+update_kernel_param: "{{ selinux_update_kernel_param }}"
 register: selinux_result
 vars:
 ansible_python_interpreter: /usr/bin/python3
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index b8a79132d..6b08e84ab 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -560,6 +560,9 @@ the SELinux configuration.
 The timeout for waiting for systems to reboot is ``selinux_reboot_timeout``.
 Alternatively, the reboot may be avoided by setting ``selinux_do_reboot`` to ``false``.
 
+The ``selinux_update_kernel_param`` variable can be used to change the selinux
+state set on the kernel command line; it takes a boolean value.
+
 Network Configuration
 =====================
 *tags:*
diff --git a/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml
new file mode 100644
index 000000000..44bea9790
--- /dev/null
+++ b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml
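Review bot: The new comment on `selinux_update_kernel_param` does not tell an operator what the option actually touches or when it takes effect: enabling it makes the selinux module rewrite the host's kernel command line (the `selinux=` parameter), which is what stops a pre-existing `selinux=0`/`selinux=1` from overriding `/etc/selinux/config`, and that rewrite only applies at the next boot. It also says "the module default" without naming it; the upstream selinux module documents `update_kernel_param` as defaulting to false, but that should be confirmed against the collection version this project pins, since older versions of the module reject the option outright and `"{{ omit }}"` avoids that only while the variable is left unset. I would expand the comment to state that true rewrites the bootloader kernel parameter to match `selinux_state`, that the change needs a reboot, and that it requires a selinux module version that accepts `update_kernel_param`, ending with `# Default: "{{ omit }}" (use the module's default, false at time of writing).`.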
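Review bot: With `update_kernel_param: "{{ selinux_update_kernel_param }}"` the task can now change the host's boot-time SELinux state through the kernel command line without any change to `/etc/selinux/config`, and nothing in this hunk shows whether that path is reflected in `selinux_result` the way a config-file change is. The role's reboot handling (outside this hunk, driven by `selinux_do_reboot` and `selinux_reboot_timeout`) should be checked for the kernel-parameter-only case, otherwise a host can report the configured state in `/etc/selinux/config` while still booting with the old `selinux=` value until someone reboots it by hand. If the project's pin for the collection that provides the `selinux` module is not raised alongside this, setting the variable to true on an older installation fails the task with an unsupported-parameter error, which `"{{ omit }}"` hides only while the variable is unset. I would add above the new line: `# Rewrites the selinux= kernel parameter; only effective after a reboot.`. The enclosing task starts and ends outside the hunk.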
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds the ``selinux_update_kernel_param`` variable which controls whether
+ the selinux kernel command line option is updated.