ceph-nfs: apply selinux fix anyway

Because ansible_distribution_version doesn't return minor version on
CentOS with ansible 2.8 we can apply the selinux anyway but only for
CentOS/RHEL 7.
Starting RHEL 8, there's a dedicated package for selinux called
nfs-ganesha-selinux [1].

Also replace the command module + semanage by the selinux_permissive
module.

[1] https://github.com/nfs-ganesha/nfs-ganesha/commit/a7911f

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

diff --git a/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml b/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml
index b07b7c06e575f5aefe5c09ce5c2663cb1524a2bb..2d568af0a69026c21317e64b22955f1a4dad9d6c 100644 (file)
--- a/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml
+++ b/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml
@@ -6,25 +6,28 @@
   failed_when: false
   check_mode: no
 
-- name: install policycoreutils-python to get semanage
-  package:
-    name: policycoreutils-python
-    state: present
-  register: result
-  until: result is succeeded
+- name: if selinux is not disable
   when: selinuxstatus.stdout != 'Disabled'
+  block:
+    - name: install policycoreutils-python
+      package:
+        name: policycoreutils-python
+        state: present
+      register: result
+      until: result is succeeded
+      when: ansible_distribution_major_version == '7'
 
-- name: test if ganesha_t is already permissive
-  shell: |
-    semanage permissive -l | grep -soq ganesha_t
-  changed_when: false
-  failed_when: false
-  register: ganesha_t_permissive
+    - name: add ganesha_t to permissive domain
+      selinux_permissive:
+        name: ganesha_t
+        permissive: true
+      failed_when: false
+      when: ansible_distribution_major_version == '7'
 
-- name: run semanage permissive -a ganesha_t
-  command: semanage permissive -a ganesha_t
-  changed_when: false
-  failed_when: false
-  when:
-    - selinuxstatus.stdout != 'Disabled'
-    - ganesha_t_permissive.rc != 0
+    - name: install nfs-ganesha-selinux on RHEL 8
+      package:
+        name: nfs-ganesha-selinux
+        state: present
+      register: result
+      until: result is succeeded
+      when: ansible_distribution_major_version == '8'

diff --git a/roles/ceph-nfs/tasks/main.yml b/roles/ceph-nfs/tasks/main.yml
index 7c3821ec837b5f11724143760ff3dba583cd4cbf..e1c71978fd3d681ea56d3fc3c04dc35c85e7581a 100644 (file)
--- a/roles/ceph-nfs/tasks/main.yml
+++ b/roles/ceph-nfs/tasks/main.yml
@@ -24,7 +24,6 @@
   when:
     - not containerized_deployment
     - ansible_os_family == 'RedHat'
-    - ansible_distribution_version >= '7.4'
 
 - name: include start_nfs.yml
   import_tasks: start_nfs.yml