--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Install packages for AppArmor support (for V-51337) apt: name: "{{ item }}" state: "{{ security_package_state }}" with_items: - apparmor - apparmor-profiles - apparmor-utils when: - ansible_os_family == "Debian" - security_enable_linux_security_module | bool tags: - cat2 - V-51337 - name: Ensure AppArmor is running (for V-51337) service: name: apparmor state: started enabled: yes when: - ansible_os_family == "Debian" - security_enable_linux_security_module | bool - not check_mode tags: - cat2 - V-51337 - name: Install packages for SELinux support (for V-51337) yum: name: "{{ item }}" state: "{{ security_package_state }}" with_items: - libselinux-python - policycoreutils-python - selinux-policy - selinux-policy-targeted when: - ansible_os_family == "RedHat" - security_enable_linux_security_module | bool tags: - cat2 - V-51337 - name: Ensure SELinux is in enforcing mode on the next reboot (for V-51337) selinux: state: enforcing policy: targeted register: selinux_status_change when: - ansible_os_family == "RedHat" - security_enable_linux_security_module | bool - not check_mode tags: - cat2 - V-51337 - name: Relabel files on next boot if SELinux mode changed (for V-51337) file: path: /.autorelabel state: touch when: - ansible_os_family == "RedHat" - security_enable_linux_security_module | bool - selinux_status_change | changed tags: - cat2 - V-51337