The modules used by this role essentially provide mechanisms to manage local SELinux customizations:
- Set enforcing/permissive mode
- Run restorecon on portions of the filesystem tree
- Set/Get booleans
- Set/Get file contexts
- Manage logins (Linux user to SELinux user mappings)
- Manage ports
- `selinux`: Configures the SELinux mode and policy.
- `seboolean`: Toggles SELinux booleans.
- `sefcontext`: Manages SELinux file context mapping definitions. Similar to the `semanage fcontext` command.
- `seport`: Manages SELinux network port type definitions.
- `selogin`: Manages Linux user to SELinux user mapping.
The general usage is demonstrated in the `selinux-playbook.yml` playbook. This role can be configured using the variables described below.

```yaml
vars:
  [ see below ]
roles:
  - role: linux-system-roles.selinux
    become: true
```
By default, the modifications specified in `selinux_booleans`, `selinux_fcontexts`, `selinux_ports` and `selinux_logins` are applied on top of pre-existing modifications. To purge local modifications prior to setting new ones, set the following variables to `true`:

- SELinux booleans: `selinux_booleans_purge`
- SELinux file contexts: `selinux_fcontexts_purge`
- SELinux ports: `selinux_ports_purge`
- SELinux user mapping: `selinux_logins_purge`

You can purge all modifications by using the shorthand:

```yaml
selinux_all_purge: true
```

Note that purging removes every local modification of the given kind on the managed host, not only those previously set by this role, so review the existing local customizations before enabling it.
```yaml
selinux_policy: targeted
selinux_state: enforcing
```

Allowed values for `selinux_state` are `disabled`, `enforcing` and `permissive`. If `selinux_state` is not set, the SELinux state is not changed. If `selinux_policy` is not set and SELinux is to be enabled, it defaults to `targeted`. If SELinux is already enabled, the policy is not changed.
```yaml
selinux_booleans:
  - { name: 'samba_enable_home_dirs', state: 'on' }
  - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
```

```yaml
selinux_fcontexts:
  - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }
```

Individual modifications can be dropped by setting `state` to `absent`.

```yaml
selinux_ports:
  - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
```

```yaml
selinux_restore_dirs:
  - /tmp/test_dir
```

Directories listed in `selinux_restore_dirs` are relabelled with `restorecon` after the file context mappings have been applied. Defining a mapping with `selinux_fcontexts` alone only records it in the policy; the labels of files that already exist under the path do not change until the tree is relabelled.

```yaml
selinux_logins:
  - { login: 'plautrba', seuser: 'staff_u', state: 'absent' }
  - { login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }
```
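A complete playbook that ties the variables above together, including selective purging, a relabel and an on-host verification step, as an added example that is not part of the role's own documentation. The host group `webservers`, the user `webadmin`, the path `/srv/www` and the port `8081` are illustrative assumptions; the boolean, type and port-type names are from the targeted policy.

```yaml
---
# Added example, not from the role's documentation.
# Host group, user, path and port number are illustrative assumptions.
- name: Configure SELinux on web servers
  hosts: webservers
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: enforcing

    # Start from a clean slate for booleans and ports only; locally
    # defined file contexts and login mappings are kept.
    selinux_booleans_purge: true
    selinux_ports_purge: true

    selinux_booleans:
      # allow httpd to make outbound network connections
      - { name: 'httpd_can_network_connect', state: 'on', persistent: 'yes' }
      # keep the broad "unified" httpd boolean off
      - { name: 'httpd_unified', state: 'off', persistent: 'yes' }

    selinux_fcontexts:
      # label a non-standard document root so httpd may serve it
      - { target: '/srv/www(/.*)?', setype: 'httpd_sys_content_t', ftype: 'a', state: 'present' }
      # drop a mapping that is no longer wanted
      - { target: '/opt/oldapp(/.*)?', setype: 'httpd_sys_content_t', state: 'absent' }

    selinux_ports:
      # let httpd bind to an alternate port (8081 is not in http_port_t by default)
      - { ports: '8081', proto: 'tcp', setype: 'http_port_t', state: 'present' }

    # relabel the tree so existing files pick up the new mapping
    selinux_restore_dirs:
      - /srv/www

    selinux_logins:
      # map a named administrator to staff_u instead of the unconfined default
      - { login: 'webadmin', seuser: 'staff_u', serange: 's0', state: 'present' }

  roles:
    - role: linux-system-roles.selinux

  post_tasks:
    # Verify the result on the host instead of trusting the role's return.
    - name: Read the effective port mappings
      command: semanage port -l
      register: port_list
      changed_when: false

    - name: Fail if 8081/tcp is not mapped to http_port_t
      assert:
        that:
          - port_list.stdout is search('http_port_t\s+tcp\s+.*\b8081\b')
        fail_msg: "Port 8081/tcp is not labelled http_port_t"
```

The purge flags are set only for the kinds of customization this playbook fully owns; leaving `selinux_fcontexts_purge` and `selinux_logins_purge` unset avoids silently discarding mappings created by other tooling on the host.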
This custom fact is set to `true` if a system reboot is necessary because SELinux is being switched from `disabled` to enabled, or vice versa. Otherwise the fact is set to `false`. When a reboot is needed, the role indicates it by returning a failure, which must be handled using a `block:`/`rescue:` construct. The reboot itself has to be performed in the playbook; the role never reboots the managed host. After the reboot the role needs to be reapplied to finish the changes.
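The `block:`/`rescue:` pattern described above, as an added example that is not part of the role's documentation. The fact name `selinux_reboot_required` is an assumption here (check the role's defaults for the exact name), and `hosts: all` and the 600-second reboot timeout are illustrative.

```yaml
---
# Added example, not from the role's documentation.
# The fact name selinux_reboot_required is an assumption; verify it
# against the role you are using.
- name: Switch SELinux from disabled to enforcing, rebooting when required
  hosts: all
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  tasks:
    - name: Apply the SELinux role, handling a reboot request
      block:
        - name: First pass (fails if a reboot is required)
          include_role:
            name: linux-system-roles.selinux
      rescue:
        # rescue catches every failure, so re-raise anything that is
        # not the expected "reboot required" signal instead of
        # blindly rebooting over a real error.
        - name: Re-raise failures that are not a reboot request
          fail:
            msg: "SELinux role failed for a reason other than a pending reboot"
          when: not (selinux_reboot_required | default(false))

        - name: Reboot to complete the disabled/enabled switch
          reboot:
            msg: "Rebooting to apply the SELinux state change"
            # the first boot after enabling SELinux relabels the
            # filesystem, which can take several minutes on large hosts
            reboot_timeout: 600

        - name: Second pass to finish applying the configuration
          include_role:
            name: linux-system-roles.selinux

    - name: Read the effective SELinux mode
      command: getenforce
      register: enforce_mode
      changed_when: false

    - name: Fail if the mode does not match selinux_state
      assert:
        that:
          - enforce_mode.stdout | lower == selinux_state
        fail_msg: "SELinux is {{ enforce_mode.stdout }}, expected {{ selinux_state }}"
```

The guard task in `rescue:` matters: without it, any unrelated failure inside the role (a typo in a boolean name, a missing package) would trigger a reboot of the host.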