# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "{{{ rule_title }}} - Gather the package facts"
  ansible.builtin.package_facts:
    manager: auto

- name: {{{ rule_title }}} - Ensure a Final Rule Denying Everything
  ansible.builtin.copy:
    content: |
      {{%- if 'ol' not in families %}}
      # Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
      {{%- endif %}}
      deny perm=any all : all
    dest: /etc/fapolicyd/rules.d/99-deny-everything.rules
    owner: root
    group: fapolicyd
    mode: '0644'
  when:
    - '"fapolicyd" in ansible_facts.packages'
  register: result_fapolicyd_final_rule

- name: {{{ rule_title }}} - Ensure fapolicyd is Not Permissive
  ansible.builtin.lineinfile:
    path: /etc/fapolicyd/fapolicyd.conf
    regexp: '^(permissive\s*=).*$'
    line: '\1 0'
    backrefs: true
  when:
    - '"fapolicyd" in ansible_facts.packages'
  register: result_fapolicyd_enforced

- name: "{{{ rule_title }}} - Restart fapolicyd If Permissive Mode or Final Rule is Changed"
  ansible.builtin.service:
    name: fapolicyd
    state: restarted
  when:
    - '"fapolicyd" in ansible_facts.packages'
    - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed