common: Reinstall selinux-policy-targeted if needed

This ensures module file integrity so we can build the nrpe selinux
module in the proceeding tasks.

Fixes: http://tracker.ceph.com/issues/19126
Signed-off-by: David Galloway <dgallowa@redhat.com>

diff --git a/roles/common/tasks/nrpe-selinux.yml b/roles/common/tasks/nrpe-selinux.yml
index 4cd0dbe0a647e833239565c55cf052568c26ea67..d254df3fc70a9a85c079a1b2551716dbf402c767 100644 (file)
--- a/roles/common/tasks/nrpe-selinux.yml
+++ b/roles/common/tasks/nrpe-selinux.yml
@@ -20,7 +20,7 @@
     state: yes
     persistent: yes
 
-# See http://tracker.ceph.com/issues/19126
+# See http://tracker.ceph.com/issues/19126 for details on next 3 tasks
 - name: nrpe - Clean up cephlab SELinux policy modules
   file:
     path: "/etc/selinux/targeted/active/modules/400/{{ item }}"
@@ -29,6 +29,21 @@
     - mod_fastcgi
     - nrpe
 
+# abrt was just chosen since it's first in the dir and
+# included with the selinux-policy-targeted package.
+- name: Check for empty SELinux module file
+  stat:
+    path: /etc/selinux/targeted/active/modules/100/abrt/lang_ext
+  register: selinux_module_status
+
+# ignore_errors in case the package isn't available or installed.
+# The ansible yum module doesn't appear to have a reinstall option.
+- name: Reinstall selinux-policy-targeted if modules are corrupt
+  command: yum -y reinstall selinux-policy-targeted
+  when: selinux_module_status.stat.exists == true and
+        selinux_module_status.stat.size == 0
+  ignore_errors: true
+
 - name: nrpe - Remove SELinux policy package
   command: semodule -r nrpe
   failed_when: false