Use check for empty string

Signed-off-by: Radovan Sroka <[email protected]>

defaults/main.yml

@@ -8,17 +8,21 @@ fapolicyd_setup_enable_service: false
 
 # trust list for fapolicyd configuration file
 # default "rpmdb,file"
-fapolicyd_setup_trust: null
+fapolicyd_setup_trust: "{{ '' if ansible_facts.distribution_version is
+                          version('8.2', '<=') else 'rpmdb,file' }}"
 
 # set integrity
 # default "none"
 # can be "none", "size", "sha256", "ima"
 # in case of ima, kernel's IMA has to be setup correctly
-fapolicyd_setup_integrity: null
+fapolicyd_setup_integrity: "{{ '' if ansible_facts.distribution_version is
+                          version('8.3', '<=') else 'none' }}"
 
 # set permissive mode
 fapolicyd_setup_permissive: false
 
 # fapolicyd trust file managament
 # list of trusted files
-fapolicyd_add_trusted_file: []
+
+fapolicyd_add_trusted_file: "{{ '' if ansible_facts.distribution_version is
+                            version('8.2', '<=') else [] }}"

examples/minimal.yml

@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: MIT
+---
+- name: Minimal fapolicyd role invocation
+  hosts: all
+  roles:
+    - linux-system-roles.fapolicyd

tasks/enable.yml

@@ -6,7 +6,7 @@
       on EL version < 8.3
   ignore_errors: true
   when:
-    - fapolicyd_setup_trust is not none
+    - fapolicyd_setup_trust | length > 0
     - ansible_facts.distribution_version is version("8.2", "<=")
   register: __failed_check_trust
 
@@ -17,7 +17,7 @@
       on EL version < 8.4
   ignore_errors: true
   when:
-    - fapolicyd_setup_integrity is not none
+    - fapolicyd_setup_integrity | length > 0
     - ansible_facts.distribution_version is version("8.3", "<=")
   register: __failed_check_integrity
 
@@ -28,7 +28,7 @@
       on EL version < 8.4
   ignore_errors: true
   when:
-    - fapolicyd_add_trusted_file is not none
+    - fapolicyd_add_trusted_file | length > 0
     - ansible_facts.distribution_version is version("8.3", "<=")
   register: __failed_check_trusted_file
 
@@ -67,17 +67,16 @@
 
 - name: Trustdb cleanup
   command: fapolicyd-cli --file delete /
-  when: fapolicyd_add_trusted_file is not none
+  when: ansible_facts.distribution_version is version("8.3", ">=")
   changed_when: true
   failed_when: false
 
 - name: Add file to trustdb
-  command: fapolicyd-cli --file add "{{ item | quote }}"
+  command: fapolicyd-cli --file add {{ item | quote }}
   loop: "{{ (fapolicyd_add_trusted_file is string) |
     ternary([fapolicyd_add_trusted_file], fapolicyd_add_trusted_file) }}"
   when:
-    - fapolicyd_add_trusted_file is string or
-      fapolicyd_add_trusted_file | length > 0
+    - fapolicyd_add_trusted_file | length > 0
     - ansible_facts.distribution_version is version("8.3", ">=")
   changed_when: true
 

templates/fapolicyd.conf.j2

@@ -19,19 +19,14 @@ obj_cache_size = 8191
 watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs
 {% endif %}
 
-{% if fapolicyd_setup_trust is not none
-  or ansible_facts.distribution_version is version("8.3", ">=") %}
-trust = {{ (fapolicyd_setup_trust is not none) | ternary(fapolicyd_setup_trust, "rpmdb,file") }}
+{% if fapolicyd_setup_trust | length > 0 %}
+trust = {{ fapolicyd_setup_trust }}
 {% endif %}
 
 {% if ansible_facts.distribution_version is version("8.3", ">=") %}
 syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
 {% endif %}
 
-{% if fapolicyd_setup_integrity is not none
-  or ansible_facts.distribution_version is version("8.4", ">=") %}
-integrity = {{ (fapolicyd_setup_integrity is not none) | ternary(fapolicyd_setup_integrity, "none") }}
+{% if fapolicyd_setup_integrity | length > 0 %}
+integrity = {{ fapolicyd_setup_integrity }}
 {% endif %}
-
-#rpm_sha256_only = 0
-#allow_filesystem_mark = 0