From 243661a925df502151c2c0c0cf720985833e9d11 Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Tue, 19 Aug 2025 10:59:37 +0100
Subject: [PATCH] Adds selinux_update_kernel_param

This is useful if the selinux kernel command line option is set in Grub config.

Change-Id: I07c38a3c1815198bde164ad7146e1d1dcaac2cd8
Signed-off-by: Will Szumski
---
 ansible/roles/selinux/defaults/main.yml | 5 +++++
 ansible/roles/selinux/tasks/main.yml | 1 +
 doc/source/configuration/reference/hosts.rst | 3 +++
 .../adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml | 5 +++++
 4 files changed, 14 insertions(+)
 create mode 100644 releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml

diff --git a/ansible/roles/selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml
index 80481b39f..8966e67f3 100644
--- a/ansible/roles/selinux/defaults/main.yml
+++ b/ansible/roles/selinux/defaults/main.yml
@@ -11,3 +11,8 @@ selinux_do_reboot: false
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
 selinux_reboot_timeout:
+
+# Whether or not to update the selinux kernel parameter. Can be useful if you
+# have selinux= set on the kernel command line. Default is to use
+# the module default.
+selinux_update_kernel_param: "{{ omit }}"
diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml
index 2e375d5a3..43551d998 100644
--- a/ansible/roles/selinux/tasks/main.yml
+++ b/ansible/roles/selinux/tasks/main.yml
@@ -16,6 +16,7 @@
   selinux:
     policy: "{{ selinux_policy }}"
     state: "{{ selinux_state }}"
+    update_kernel_param: "{{ selinux_update_kernel_param }}"
   register: selinux_result
   vars:
     ansible_python_interpreter: /usr/bin/python3
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index b8a79132d..6b08e84ab 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
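Review bot: The new comment on `selinux_update_kernel_param` says the option "can be useful" but not why it matters: a `selinux=0` argument on the kernel command line disables SELinux at boot regardless of `/etc/selinux/config`, so with this left at `omit` the role can apply `selinux_state: enforcing`, report success, and still leave the host booting with SELinux disabled. I would make that explicit in the comment, e.g. `# Whether to also update the selinux= kernel command line parameter so that it matches selinux_state. A selinux=0 boot argument disables SELinux regardless of /etc/selinux/config, so leave this unset only if the kernel command line does not set it. Unset means the module default, which leaves the boot parameter untouched.` The "leaves the boot parameter untouched" wording assumes the module default is false; confirm that against the ansible.posix selinux module documentation before committing to it. Operators should verify the effective mode after the reboot with `getenforce` rather than relying on the task result alone.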
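Review bot: Passing `update_kernel_param` makes the `selinux` task rewrite the bootloader configuration when the variable is true, and the hunk adds no check that the tooling this needs is present on the host; as far as I recall the ansible.posix module drives `grubby` for this, so a host without it would fail inside this task rather than at a clearer pre-check — worth confirming against the module's requirements and, if so, documenting the prerequisite in the role. A kernel command line change only takes effect after a reboot, so the reboot handling that consumes `selinux_result` should be checked to ensure it also fires when only the boot parameter changed and `selinux_state` itself was already correct. An ansible.posix release that predates the parameter will reject the task only when the variable is actually set, since `omit` drops the argument, which is acceptable but deserves a line in the documentation. The enclosing task begins before this hunk and its reboot logic lies outside it.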
@@ -560,6 +560,9 @@ the SELinux configuration. The timeout for waiting for systems to reboot is ``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting ``selinux_do_reboot`` to ``false``. +The ``selinux_update_kernel_param`` variable can be used to change the selinux +state set on the kernel command line; it takes a boolean value. + Network Configuration ===================== *tags:* diff --git a/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml new file mode 100644 index 000000000..44bea9790 --- /dev/null +++ b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds the ``selinux_update_kernel_param`` variable which controls whether + the selinux kernel command line option is updated.