enable variable to keep permissive

magicalyak · magicalyak · commit d66a8d6ae92d · 2020-06-24T12:22:55.000-04:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -15,6 +15,9 @@ app_protect_state: present
 # Enable enforcing selinux (you may need to open ports on your own)
 app_protect_selinux: false
 
+# Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with app_protect_selinux: true)
+app_protect_selinux_enforcing: true
+
 # The installation of NGINX App Protect includes a base signature set, which may be out of date. 
 # This option installs the latest NGINX App Protect signatures.
 app_protect_install_signatures: true
diff --git a/tasks/configure-selinux.yml b/tasks/configure-selinux.yml
@@ -8,7 +8,6 @@
   selinux:
     state: permissive
     policy: targeted
-  when: app_protect_selinux
   changed_when: false
 
 - name: "(Install: SELinux: Booleans) Allow HTTP network connection"
@@ -126,4 +125,5 @@
   selinux:
     state: enforcing
     policy: targeted
-  changed_when: false
+  changed_when: false
+  when: app_protect_selinux_enforcing
