Make Ansible in accounts_passwords_pam_faillock_dir idempotent

Change the SELinux context of /var/log/faillock only if the current
context isn't correct.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6240

Author: jan-cerny

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml

@@ -16,21 +16,29 @@
     - python3-policycoreutils
     - policycoreutils-python-utils
 
-- name: '{{{ rule_title }}} - Create the tally directory if it does not exist'
+- name: '{{{ rule_title }}} - Create the faillock directory if it does not exist'
   ansible.builtin.file:
     path: "{{ var_accounts_passwords_pam_faillock_dir }}"
     state: directory
     setype: 'faillog_t'
 
+- name: '{{{ rule_title }}} - Get SELinux context for faillock directory'
+  ansible.builtin.command: "ls -dZ {{ var_accounts_passwords_pam_faillock_dir }}"
+  register: faillock_selinux_context
+  changed_when: false
+  check_mode: false
+
 - name: '{{{ rule_title }}} - Ensure SELinux file context is permanently set'
   ansible.builtin.command:
     cmd: semanage fcontext -a -t faillog_t "{{ var_accounts_passwords_pam_faillock_dir }}(/.*)?"
   register: result_accounts_passwords_pam_faillock_dir_semanage
   failed_when: false
   changed_when:
     - result_accounts_passwords_pam_faillock_dir_semanage.rc == 0
+  when: '"faillog_t" not in faillock_selinux_context.stdout'
 
 - name: '{{{ rule_title }}} - Ensure SELinux file context is applied'
   ansible.builtin.command:
     cmd: restorecon -R "{{ var_accounts_passwords_pam_faillock_dir }}"
   register: result_accounts_passwords_pam_faillock_dir_restorecon
+  when: '"faillog_t" not in faillock_selinux_context.stdout'