---

- name: "1.6.1.1 | PATCH | Ensure SELinux is installed"
  package:
      name: libselinux
      state: present
  when:
      - rhel9cis_rule_1_6_1_1
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - rule_1.6.1.1

- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
  replace:
      dest: /etc/default/grub
      regexp: 'selinux=0'
      replace: ''
  register: selinux_grub_patch
  ignore_errors: yes
  notify: grub2cfg
  when:
      - rhel9cis_rule_1_6_1_2
  tags:
      - level1-server
      - level1-workstation
      - scored
      - patch
      - rule_1.6.1.2

# State set to enforcing because control 1.6.1.5 requires enforcing to be set
- name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured"
  selinux:
      conf: /etc/selinux/config
      policy: "{{ rhel9cis_selinux_pol }}"
      state: enforcing
  when:
      - not rhel9cis_selinux_disable
      - rhel9cis_rule_1_6_1_3
  tags:
      - level1-server
      - level1-workstation
      - automated
      - selinux
      - patch
      - rule_1.6.1.3

- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing"
  selinux:
      conf: /etc/selinux/config
      policy: "{{ rhel9cis_selinux_pol }}"
      state: enforcing
  when:
      - not rhel9cis_selinux_disable
      - rhel9cis_rule_1_6_1_4
  tags:
      - level2-server
      - level2-workstation
      - automated
      - selinux
      - patch
      - rule_1.6.1.4

- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist"
  block:
      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
        shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
        register: rhelcis_1_6_1_5_unconf_services
        failed_when: false
        changed_when: false

      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services"
        debug:
            msg: "Good News! There are no services found on your system"
        when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0

      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
        debug:
            msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"
        when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0

      - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count"
        set_fact:
            control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]"
            warn_count: "{{ warn_count|int + 1 }}"
        when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
  when:
      - rhel9cis_rule_1_6_1_5
  tags:
      - level1-server
      - level1-workstation
      - automated
      - audit
      - services
      - rule_1.6.1.5

- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed"
  package:
      name: setroubleshoot
      state: absent
  when:
      - rhel9cis_rule_1_6_1_6
      - "'setroubleshoot' in ansible_facts.packages"
  tags:
      - level1-server
      - automated
      - selinux
      - patch
      - rule_1.6.1.6

- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
  package:
      name: mcstrans
      state: absent
  when:
      - rhel9cis_rule_1_6_1_7
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - rule_1.6.1.7