This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Conversation

@martinbydefault
Contributor

I've tested this in CentOS 7 and `sestatus.rc` is always 0 (Disabled, Permissive or Enforcing).  
So I think is best to check if `.stdout` is different from **Disabled**.
@rndmh3ro rndmh3ro added the bug label Apr 21, 2017
@rndmh3ro
Member

Thanks for that PR! You're right, this is definitely a bug.

However the tests are failing because if selinux isn't installed at all, getenforce will have no stdout and the variable-check will fail.

As I just found out, there's a selinux fact that's gathered in the setup phase.
Here's the output if selinux is not installed:

```
root@ssh-debian-8:/tmp/kitchen# ansible -i hosts localhost -m setup | grep -A 2 selinux
        "ansible_selinux": {
            "status": "disabled"
        }, 
```

And here's the output when it is installed and enforcing:

```
[root@ssh-centos-7 kitchen]# ansible -i hosts localhost -m setup | grep -A 10 selinux
        "ansible_selinux": {
            "config_mode": "enforcing", 
            "mode": "enforcing", 
            "policyvers": 28, 
            "status": "enabled", 
            "type": "targeted"
        }, 
```

So we could remove the whole custom check and change the usage of `sestatus.rc` and `sestatus.stdout` to `ansible_selinux.status` and `ansible_selinux.mode`.

Do you want to update your PR to reflect these changes?

@martinbydefault
Contributor Author

I submitted the changes but now I'm getting this error in the Travis tests:

```
The conditional check 'ansible_selinux.status == 'enabled'' failed. The error was: error while evaluating conditional (ansible_selinux.status == 'enabled'): 'bool object' has no attribute 'status'
```

I suspect it's because the package `libselinux-python` is not installed when running the tests: ansible/ansible#16612

@rndmh3ro
Member

So I just had a moment of truth and remembered why I wrote these tasks the way they are:
The following task does not check if selinux is running (despite what the name of the task says); it checks if selinux is installed:

```yaml
# getenforce is only present when selinux is installed; the task never fails
# so that the registered rc can be inspected afterwards
- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  failed_when: false
  changed_when: false
  check_mode: no
```

This works because the rc code of `getenforce` is 0 when `getenforce` exists and therefore selinux is installed. If `getenforce` does not exist and therefore selinux is not installed, the rc code is 2.

The next steps (ssh_password module installation) run regardless of whether selinux is in enforcing mode or not. This means that if one sets selinux to enforcing after running the role, the ssh_password module is already installed and activated.

Therefore this works as intended, however the comment is wrong. It should be `- block: # only runs when selinux is installed`.

Sorry for the confusion and your wasted work. However I learned something new here about ansible! :)
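The two approaches discussed in this thread side by side, as an added example and not the project's own role tasks: the `getenforce` gate with its comment corrected to say what it actually tests (installed, not enforcing), and the fact-based `ansible_selinux` check guarded so it does not blow up with the `'bool object' has no attribute 'status'` error when the fact is not a dictionary. The playbook layout and the `debug` tasks inside the blocks are assumptions for illustration; the real role puts its ssh_password module installation there.

```yaml
# Added example playbook (not from the ansible-ssh-hardening role).
- hosts: all
  become: yes
  tasks:
    # getenforce exits 0 whenever the binary exists, no matter whether the
    # mode is Disabled, Permissive or Enforcing. If the binary is missing
    # the command module reports rc 2, so rc == 0 really means "installed".
    - name: test to see if selinux is installed
      command: getenforce
      register: sestatus
      failed_when: false
      changed_when: false
      check_mode: no

    - block:  # only runs when selinux is installed
        # In the real role the ssh_password module is installed here; it is
        # installed regardless of the current mode so that switching to
        # enforcing later does not leave sshd without its policy module.
        - name: show the mode reported by getenforce (placeholder task)
          debug:
            msg: "selinux is installed, getenforce reports {{ sestatus.stdout }}"
      when: sestatus.rc == 0

    # Fact-based variant. When libselinux-python is missing, older Ansible
    # versions set ansible_selinux to a bare boolean, so test that the fact
    # is a mapping before touching .status; 'mode' only exists when enabled.
    - name: report selinux state from gathered facts
      debug:
        msg: >-
          selinux status={{ ansible_selinux.status }}
          mode={{ ansible_selinux.mode | default('n/a') }}
      when:
        - ansible_selinux is mapping
        - ansible_selinux.status == 'enabled'
```

Run it with `ansible-playbook -i hosts example.yml`; on a host without selinux the first block is skipped on `rc == 0` and the fact-based task is skipped by the `is mapping` guard instead of failing the play.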

@martinbydefault
Contributor Author

I don't consider it a waste of work, I also learned a couple of things 😄
Thanks for the support!
