Fix SELinux ansible variable name conflict#14346
Merged
Mab879 merged 1 commit intoComplianceAsCode:masterfrom Jan 30, 2026
Merged
Fix SELinux ansible variable name conflict#14346Mab879 merged 1 commit intoComplianceAsCode:masterfrom
Mab879 merged 1 commit intoComplianceAsCode:masterfrom
Conversation
The ansible remediation for both selinux_not_disabled and selinux_state rules were using 'selinux_state' as the registered variable name for the output of the 'getenforce' command. This created a naming conflict with the 'selinux_state' boolean control (which comes from the rule id) variable used in the when conditions to determine if a rule should be applied. When roles are generated, the 'Check current SELinux state' task includes a when condition with 'selinux_state | bool' (coming from the rule id), but this creates a circular dependency since that same task is supposed to register 'selinux_state'. As a result, the task gets skipped, the variable never gets registered, and subsequent tasks that depend on checking the current SELinux state fail or are skipped. This fix renames the registered variable from 'selinux_state' to 'current_selinux_state' in both ansible remediation files to avoid the naming conflict. Fixes: ComplianceAsCode#14344
|
@ggbecker: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
ATEX Test ResultsTest artifacts have been submitted to Testing Farm. Results: View Test Results This comment was automatically generated by the ATEX workflow. |
Mab879
approved these changes
Jan 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
The ansible remediation for both selinux_not_disabled and selinux_state rules were using 'selinux_state' as the registered variable name for the output of the 'getenforce' command. This created a naming conflict with the 'selinux_state' boolean control (which comes from the rule id) variable used in the when conditions to determine if a rule should be applied.
When roles are generated, the 'Check current SELinux state' task includes a when condition with 'selinux_state | bool' (coming from the rule id), but this creates a circular dependency since that same task is supposed to register 'selinux_state'.
As a result, the task gets skipped, the variable never gets registered, and subsequent tasks that depend on checking the current SELinux state fail or are skipped.
This fix renames the registered variable from 'selinux_state' to 'current_selinux_state' in both ansible remediation files to avoid the naming conflict.
Rationale:
Rationale here. Replace this text. Don't use the italics format!
Fixes selinux state not correct #14344