Check Mode - Role always reports a pending change when selinux is enabled

Question

Check Mode - Role always reports a pending change when selinux is enabled

Closed this issue 4 years ago · 2 comments

dlouks commented 4 years ago

Describe the bug

When running this role in check mode with selinux enabled, this role will alway report a change.

To reproduce

With nginx_selinux_enforcing set to true, run the role, then run the role again with --check.

Expected behavior

No changes identified when running ansible in check mode.

dlouks commented 4 years ago

/assign

Answer 1 · 2022-01-25T22:17:13.000Z

I don't see a good way to get around turning off selinux and turning it back on, so technically this is a real change. However, this creates problems if you use check mode to detect if a change to a system is needed.

One option would be to skip this task when running in check mode and selinux is enabled.

- name: Set SELinux mode to permissive
  selinux:
    state: permissive
    policy: targeted
  when: not (ansible_check_mode and nginx_selinux_enforcing)