selinux state not correct #14344

@gehirnpolizei

Description of problem:

Running the Ansible role rhel9 cis on a system sets the SELinux state to permissive, even if it should be enforcing. It is also set to permissive if this role is run on a system that is set to enforcing.

SCAP Security Guide Version:

ansible-role-rhel9-cis release 0.1.79

Operating System Version:

RHEL 9.6

Steps to Reproduce:

  1. Run an Ansible playbook with the role ansible-role-rhel9-cis and the tags selinux_state and selinux_not_disabled
  2. Get the SELinux state on the system the playbook was run on

Actual Results:

$ getenforce
Permissive

Expected Results:

$ getenforce
Enforcing

Additional Information/Debugging Steps:

The task "Ensure SELinux is Not Disabled" sets the SELinux mode to permissive. This is working as designed. It also sets the mode to permissive if it is already running in enforcing.

The task "Ensure SELinux State is Enforcing" should set the mode to enforcing. But it is skipped in the play since the condition check "selinux_state | bool" is wrong. The variable "selinux_state" is set to the output of the task before and is therefore not a boolean value. The SELinux mode stays at permissive.

The condition for selinux_state on "Ensure SELinux State is Enforcing" should be something like "selinux_state.stdout | lower != enforcing".
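
One way to write the string-based condition proposed above, as an added example that is not the role's own code: the play, the task names and the `selinux_state_after` variable are assumptions, and `'enforcing'` is quoted so Jinja2 compares against a string literal rather than a variable.

```yaml
---
# Added illustration. Play name, task names and selinux_state_after are
# assumptions; these are not the tasks shipped in the role.
- name: Enforce SELinux using a string comparison on getenforce output
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Read the current SELinux mode
      ansible.builtin.command: getenforce
      register: selinux_state        # registered result (a dict), not a boolean
      changed_when: false
      check_mode: false

    - name: Stop if SELinux is disabled
      ansible.builtin.fail:
        msg: SELinux is disabled; setenforce cannot turn it on without a reboot.
      when: selinux_state.stdout | lower == 'disabled'

    - name: Switch the running mode to enforcing
      ansible.builtin.command: setenforce 1
      when: selinux_state.stdout | lower != 'enforcing'
      changed_when: true

    - name: Persist enforcing mode across reboots
      ansible.builtin.lineinfile:
        path: /etc/selinux/config
        regexp: '^SELINUX='
        line: SELINUX=enforcing

    - name: Re-read the mode after remediation
      ansible.builtin.command: getenforce
      register: selinux_state_after
      changed_when: false
      check_mode: false

    - name: Verify the system ended up enforcing
      ansible.builtin.assert:
        that:
          - selinux_state_after.stdout | lower == 'enforcing'
        fail_msg: "SELinux is {{ selinux_state_after.stdout }}, expected Enforcing"
      when: not ansible_check_mode
```

The final assert turns a silently skipped remediation into a failed play, which is the symptom this issue reports.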
