commit aa1e6421ac2250ab0a06077903b30c714719e50f
author car-da <30801113+car-da@users.noreply.github.com> Fri Oct 13 12:48:10 2017 +0200
committer Filip Pytloun <filip@pytloun.cz> Fri Oct 13 12:48:10 2017 +0200
tree 3f7d6b87e2e327d31596982a532049094aa82b7a
parent 281c9af41829bdcfe244fd493f02fdf55d21cb87

make all change in selinux mode persistent (#122)

* make all change in selinux mode persistent

* rework code to correspond with comments obtain from review about duplicity and useless code

* repair bad indent, remove bracket

linux/system/selinux.sls

diff --git a/linux/system/selinux.sls b/linux/system/selinux.sls
index ff1d84d..5bbd815 100644
--- a/linux/system/selinux.sls
+++ b/linux/system/selinux.sls
@@ -1,5 +1,5 @@
 {%- from "linux/map.jinja" import system with context %}
-{%- if system.enabled %}
+{%- if system.selinux is defined %}
 
 include:
 - linux.system.repo
@@ -7,24 +7,22 @@
 {%- if grains.os_family == 'RedHat' %}
 
 {%- if system.selinux == 'disabled' %}
+  {%- set mode = 'permissive' %}
+{%- else %}
+  {%- set mode = system.selinux %}
+{%- endif %}
 
 selinux_config:
   cmd.run:
-  - names:
-    - "sed -i 's/enforcing/disabled/g' /etc/selinux/config; setenforce 0"
-    - "sed -i 's/permissive/disabled/g' /etc/selinux/config; setenforce 0"
-  - unless: cat '/etc/selinux/config' | grep 'SELINUX=disabled'
-
-{%- else %}
-
-selinux_config:
-  selinux.mode:
-  - name: {{ system.get('selinux', 'permissive') }}
+  - name: "sed -i 's/SELINUX=[a-z][a-z]*$/SELINUX={{ system.selinux }}/' /etc/selinux/config"
+  - unless: grep 'SELINUX={{ system.selinux }}' /etc/selinux/config
   - require:
     - pkg: linux_repo_prereq_pkgs
 
-{%- endif %}
+{{ mode }}:
+  selinux.mode
 
 {%- endif %}
 
 {%- endif %}
+