Adds selinux_update_kernel_param

This is useful if the selinux kernel command line option is set in Grub
config.

Change-Id: I07c38a3c1815198bde164ad7146e1d1dcaac2cd8
Signed-off-by: Will Szumski <will@stackhpc.com>

ansible/roles/selinux/defaults/main.yml

@@ -11,3 +11,8 @@ selinux_do_reboot: false
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
 selinux_reboot_timeout:
+
+# Whether or not to update the selinux kernel parameter. Can be useful if you
+# have selinux=<some value> set on the kernel command line. Default is to use
+# the module default.
+selinux_update_kernel_param: "{{ omit }}"

ansible/roles/selinux/tasks/main.yml

@@ -16,6 +16,7 @@
   selinux:
     policy: "{{ selinux_policy }}"
     state: "{{ selinux_state }}"
+    update_kernel_param: "{{ selinux_update_kernel_param }}"
   register: selinux_result
   vars:
     ansible_python_interpreter: /usr/bin/python3

doc/source/configuration/reference/hosts.rst

@@ -560,6 +560,9 @@ the SELinux configuration. The timeout for waiting for systems to reboot is
 ``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting
 ``selinux_do_reboot`` to ``false``.
 
+The ``selinux_update_kernel_param`` variable can be used to change the selinux
+state set on the kernel command line; it takes a boolean value.
+
 Network Configuration
 =====================
 *tags:*

releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds the ``selinux_update_kernel_param`` variable which controls whether
+    the selinux kernel command line option is updated.