Notable Changes
Note that the changes are not backward compatible and it is necessary to update playbooks that use them.
-
The following variables have been renamed according to common conventions and to improve consistency with the selinux module:
SELinux_typetoselinux_policySELinux_modetoselinux_stateSELinux_booleanstoselinux_booleansSELinux_file_contextstoselinux_file_contextsSELinux_restore_dirstoselinux_restore_dirsSELinux_portstoselinux_portsSELinux_loginstoselinux_logins
-
The
selinux_change_runningvariable was removed without a functional change, as the role has been always changing the running state and the variable was effectively ignored. -
Local modifications to file contexts, ports, logins, and booleans are no longer dropped by default. The modifications specified in
selinux_booleans,selinux_file_contexts,selinux_portsandselinux_loginsare applied on top of pre-existing modifications. To obtain the previous behavior, set the new variablesselinux_booleans_purge,selinux_fcontexts_purge,selinux_ports_purgeandselinux_logins_purge(or justselinux_all_purge) toTrue. -
Dictionaries that are passed to the
selinux_file_contextsvariable now provide the newstateoption, which is set topresentby default. Setting it toabsentdrops individual modifications to file contexts. -
If the
selinux_stateorselinux_policyvariables are not defined, theselinuxrole preserves previous values. Only if the SELinux policy is not defined on the system and SELinux is enabled by the role,selinux_policydefaults totargeted. -
Behavior in cases when a reboot is needed to apply the settings has been redefined. The
selinuxrole now fails with an explanatory error message and sets theselinux_reboot_requiredcustom fact toTrue. The role never reboots the managed host itself. The error needs to be handled in the playbook by using theblockdirective, and after rebooting the system, the role needs to be applied again. An example is shown in the providedselinux-playbook.ymlplaybook.