From fd8bea69458b8bb18507198c1ff3c034f9ac681c Mon Sep 17 00:00:00 2001
From: Michele Pagot
Date: Thu, 11 Dec 2025 17:24:57 +0100
Subject: [PATCH 1/2] LogDenial and Selinux
---
 .../tasks/post_install/firewall.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml b/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
index a11661b6..f5eb51e6 100644
--- a/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
+++ b/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
@@ -7,6 +7,13 @@
 enabled: yes
 tags: sap_hana_install_configure_firewall
+- name: SAP HANA Post Install - Set LogDenied to all in firewalld.conf
+ ansible.builtin.lineinfile:
+ path: /etc/firewalld/firewalld.conf
+ regexp: '^LogDenied=off'
+ line: 'LogDenied=all'
+ tags: sap_hana_install_configure_firewall
+
 - name: SAP HANA Post Install - Construct the argument list for 'firewall-cmd --add-port'
 ansible.builtin.set_fact:
 __sap_hana_install_fact_firewall_cmd_args:
@@ -69,3 +76,16 @@
 ansible.builtin.debug:
 var: __sap_hana_install_register_permanent_firewall_ports.stdout_lines
 tags: sap_hana_install_configure_firewall
+
+- name: SAP HANA Post Install - Add SELinux port labels
+ # Note: The 'semanage port' command uses a dash '-' to define port ranges,
+ # e.g., 'semanage port -a -t sap_port_t -p tcp 30000-30010'
+ ansible.builtin.command: "semanage port -a -t sap_port_t -p {{ item.split('/')[1] }} {{ item.split('/')[0] }}"
+ loop: "{{ sap_hana_install_firewall[0].port }}"
+ when: sap_hana_install_firewall[0].state == 'enabled'
+ register: __sap_hana_install_register_semanage_ports
+ changed_when: __sap_hana_install_register_semanage_ports.rc == 0
+ failed_when:
+ - __sap_hana_install_register_semanage_ports.rc != 0
+ - "'Port is already defined' not in __sap_hana_install_register_semanage_ports.stderr"
+ tags: sap_hana_install_configure_firewall
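Review bot: `regexp: '^LogDenied=off'` only matches the shipped default, so on a host where `LogDenied` is already `unicast`, `broadcast`, `multicast` or `all`, `lineinfile` appends a second `LogDenied=all` line at the end of firewalld.conf instead of replacing the existing one; matching on the key, `regexp: '^LogDenied='`, keeps the file single-valued whatever the prior setting. The task also edits the file without reloading firewalld, so the running daemon keeps the old logging behaviour for denied packets until its next restart; `firewall-cmd --set-log-denied=all` applies and persists the value in one step, or a `notify` to a handler that restarts firewalld would close the gap. Whether firewalld is running when this task executes depends on tasks outside this hunk.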
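Review bot: The `semanage port -a` task has no guard on SELinux being active or on `semanage` being installed, so on a host with SELinux disabled, or without the package that ships `semanage`, the command exits non-zero with a stderr that does not contain `Port is already defined` and the whole role fails; adding `ansible_selinux.status == 'enabled'` to the `when:` list makes that path explicit. Accepting `'Port is already defined'` as success also accepts a port range that is already labelled with a type other than `sap_port_t`, which defeats the purpose of the task, and the wording of that message is not stable across semanage versions, so the `failed_when` match can silently stop working; the `community.general.seport` module, if that collection is available to this role, distinguishes add from modify and needs none of the rc/stderr logic. `item.split('/')[1]` assumes every entry of `sap_hana_install_firewall[0].port` is in `port/proto` form, which the defaults file (not in this diff) should state; an entry without `/` fails with a templating error rather than a readable message.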
From 681d42406c3f59b7f46022f9e9ba93a425e06d04 Mon Sep 17 00:00:00 2001
From: Michele Pagot
Date: Mon, 15 Dec 2025 17:18:03 +0100
Subject: [PATCH 2/2] Refactor firewall management
Introduces a new variable `firewall_cfg` in the `sap-hana-preconfigure` playbook to provide more explicit control over the firewalld service. This new variable allows to 'enable', 'disable', or 'ignore' the firewall configuration. The `sap_hana_install` role is updated to delegate the firewall service management to the preconfigure playbook, avoiding conflicts and centralizing the configuration. The documentation has been updated to reflect these changes.
---
 .../roles/sap_hana_install/README.md | 3 +-
 .../tasks/post_install/firewall.yml | 13 +++----
 ansible/playbooks/sap-hana-preconfigure.yaml | 34 +++++++++++++++++++
 3 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/ansible/playbooks/roles/sap_hana_install/README.md b/ansible/playbooks/roles/sap_hana_install/README.md
index 68a7411b..238c952d 100644
--- a/ansible/playbooks/roles/sap_hana_install/README.md
+++ b/ansible/playbooks/roles/sap_hana_install/README.md
@@ -140,7 +140,8 @@ or if it will add further hosts to an existing SAP HANA system as specified by v
 `sap_hana_install_addhosts`. Default is `yes` for a fresh SAP HANA installation. The role can be configured to also set the required firewall ports for SAP HANA. If this is desired, set
-the variable `sap_hana_install_update_firewall` to `yes` (default is `no`). The firewall ports are defined
+the variable `sap_hana_install_update_firewall` to `yes` (default is `no`, that means the role will not touch
+any firewall related system settings, leaving whatever the system has unchanged). The firewall ports are defined
 in a variable which is compatible with the variable structure used by Linux System Role `firewall`. The firewall ports for SAP HANA are defined in member `port` of the first field of variable `sap_hana_install_firewall` (`sap_hana_install_firewall[0].port`), see file `defaults/main.yml`. If the
diff --git a/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml b/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
index f5eb51e6..92e212e2 100644
--- a/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
+++ b/ansible/playbooks/roles/sap_hana_install/tasks/post_install/firewall.yml
@@ -1,11 +1,12 @@
 ---
-- name: SAP HANA Post Install - Enable and start the firewalld service
- ansible.builtin.systemd:
- name: firewalld
- state: started
- enabled: yes
- tags: sap_hana_install_configure_firewall
+# Controlled by sap-hana-preconfigure.yaml playbook
+#- name: SAP HANA Post Install - Enable and start the firewalld service
+# ansible.builtin.systemd:
+# name: firewalld
+# state: started
+# enabled: yes
+# tags: sap_hana_install_configure_firewall
 - name: SAP HANA Post Install - Set LogDenied to all in firewalld.conf
 ansible.builtin.lineinfile:
diff --git a/ansible/playbooks/sap-hana-preconfigure.yaml b/ansible/playbooks/sap-hana-preconfigure.yaml
index 831cc85f..a9192598 100644
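Review bot: The six `#`-prefixed lines reproducing the removed systemd task are commented-out code; the one-line `# Controlled by sap-hana-preconfigure.yaml playbook` comment already records where the service is now managed and git history keeps the old task, so the block can be deleted. With the service task gone, the tasks that remain in this file (the `LogDenied` edit visible below and, going by the task names in the first patch, `firewall-cmd` calls) still assume firewalld is installed and running, while the preconfigure playbook's new `firewall_cfg` defaults to `'ignore'`, so a run with `sap_hana_install_update_firewall` enabled and firewalld never started will fail on `firewall-cmd` or edit the configuration of a stopped service. A precondition at the top of this file — `ansible.builtin.service_facts:` followed by an assert on `ansible_facts.services['firewalld'].state` with a `fail_msg` pointing at `firewall_cfg: 'enable'` — or a sentence in the README stating that dependency would make the new coupling explicit. The rest of this task file is outside the hunk.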
--- a/ansible/playbooks/sap-hana-preconfigure.yaml
+++ b/ansible/playbooks/sap-hana-preconfigure.yaml
@@ -24,6 +24,7 @@
 use_connecttimeout: 10
 saptune_solution: HANA
 cluster_node: true
+ firewall_cfg: 'ignore'
 tasks:
 # Ensure required installation of required packages
@@ -75,6 +76,39 @@
 state: present
 when: cluster_node | bool
+ - name: Validate firewall_cfg
+ ansible.builtin.assert:
+ that:
+ - firewall_cfg is defined
+ - firewall_cfg in ['ignore', 'enable', 'disable']
+ fail_msg: "Variable 'firewall_cfg' must be 'ignore', 'enable' or 'disable'. Found '{{ firewall_cfg }}'"
+ - name: Get service facts
+ ansible.builtin.service_facts:
+ - name: Debug firewall status on specific OS version
+ ansible.builtin.debug:
+ msg:
+ - "[OSADO][softfail] bsc#1254356"
+ - "The firewalld service is not stopped and disabled on this system."
+ when:
+ - ansible_distribution_major_version == '16'
+ - firewall_cfg != 'ignore' # avoid to hide the bug by forcing the firewall state
+ - "'firewalld' in ansible_facts.services"
+ - ansible_facts.services['firewalld'].state != 'stopped' or ansible_facts.services['firewalld'].status != 'disabled'
+ - name: Set firewall service state and enabled status
+ ansible.builtin.set_fact:
+ firewall_service_state: "{{ 'started' if firewall_cfg == 'enable' else 'stopped' }}"
+ firewall_service_enabled: "{{ 'yes' if firewall_cfg == 'enable' else 'no' }}"
+ - name: Configure the firewall service state
+ ansible.builtin.systemd:
+ name: firewalld
+ state: "{{ firewall_service_state }}"
+ enabled: "{{ firewall_service_enabled }}"
+ when: firewall_cfg != 'ignore'
+
 - name: Configure sapconf based systems
 ansible.builtin.include_tasks: ./tasks/sapconf.yaml
 when: use_sapconf | bool
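Review bot: The softfail debug task is keyed only on `ansible_distribution_major_version == '16'`, so any distribution whose major version is 16 would print the bsc#1254356 reference, not just the SUSE release the bug is filed against; adding `ansible_os_family == 'Suse'` to the `when:` list scopes it. In the set_fact, `firewall_service_enabled` is built from the strings `'yes'`/`'no'`; the `systemd` module coerces them, but `firewall_service_enabled: "{{ firewall_cfg == 'enable' }}"` yields a real boolean and avoids a truthy string. The inline comment `# avoid to hide the bug by forcing the firewall state` reads as the opposite of what the condition does, since the message is printed precisely when the state is about to be forced; `# record the pre-existing firewalld state before this playbook forces it` says what the check means. The `firewall_cfg is defined` assertion is redundant with the `vars:` default in the previous hunk but harmless.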