Essentially, the role provides mechanisms to manage local SELinux customizations:
- Set enforcing/permissive
- restorecon portions of the filesystem tree
- Set/Get booleans
- Set/Get file contexts
- Manage logins
- Manage ports
- `selinux`: Configures the SELinux mode and policy.
- `seboolean`: Toggles SELinux booleans.
- `sefcontext`: Manages SELinux file context mapping definitions, similar to the `semanage fcontext` command.
- `seport`: Manages SELinux network port type definitions.
The role requires some SELinux modules. If you are using ansible-core, you must get these from the `ansible.posix` and `community.general` collections. Use the file `meta/collection-requirements.yml` to install them:

```
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
```

If you are using Ansible Engine 2.9, or an Ansible bundle that already includes these collections/modules, you do not need to do anything.
- `selinux_modules_facts`: Gather the state of SELinux modules
The general usage is demonstrated in the `selinux-playbook.yml` playbook.

This role can be configured using the variables described below.

```yaml
vars:
  [ see below ]
roles:
  - role: linux-system-roles.selinux
    become: true
```
By default, the modifications specified in `selinux_booleans`, `selinux_fcontexts`, `selinux_ports` and `selinux_logins` are applied on top of pre-existing modifications.

To purge local modifications prior to setting new ones, set the following variables to `true`:
- SELinux booleans: `selinux_booleans_purge`
- SELinux file contexts: `selinux_fcontexts_purge`
- SELinux ports: `selinux_ports_purge`
- SELinux user mapping: `selinux_logins_purge`

You can purge all modifications by using the shorthand:

```yaml
selinux_all_purge: true
```
```yaml
selinux_policy: targeted
selinux_state: enforcing
```

Allowed values for `selinux_state` are `disabled`, `enforcing` and `permissive`.
If `selinux_state` is not set, the SELinux state is not changed.
If `selinux_policy` is not set and SELinux is to be enabled, it defaults to `targeted`.
If SELinux is already enabled, the policy is not changed.
```yaml
selinux_booleans:
  - { name: 'samba_enable_home_dirs', state: 'on' }
  - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
```
```yaml
selinux_fcontexts:
  - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }
```
Users may also pass the following optional parameters:
- `seuser`: to set the SELinux user
- `selevel`: to set the MLS/MCS Security Range (MLS/MCS systems only); the SELinux range for an SELinux login mapping defaults to the range of the SELinux user record.

Individual modifications can be dropped by setting `state` to `absent`.
```yaml
selinux_ports:
  - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
```
```yaml
selinux_restore_dirs:
  - /tmp/test_dir
```
```yaml
selinux_logins:
  - { login: 'plautrba', seuser: 'staff_u', state: 'absent' }
  - { login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }
```
It is possible to maintain SELinux modules using the `selinux_modules` variable, which contains a list of dictionaries, e.g.:

```yaml
selinux_modules:
  - { path: 'localmodule.pp', state: 'enabled' }
  - { path: 'localmodule.cil', priority: '350', state: 'enabled' }
  - { name: 'unconfineduser', state: 'disabled' }
  - { name: 'localmodule', priority: '350', state: 'absent' }
```

- `path`: a local module file (either `.cil` or `.pp`) to be installed on a node; used for installing new modules
- `name`: module name; used for enabling disabled modules, disabling enabled modules and removing modules
- `priority`: SELinux module priority, default is "400". "100" is used for modules installed from selinux-policy packages, "200" for other modules installed from 3rd party rpms, "300" is used by SETroubleshoot
- `state`:
  - `enabled`: install or enable the module
  - `disabled`: disable the module
  - `absent`: remove the module

Note: Building modules from source on nodes is not supported. However, in many cases a binary `.pp` or `.cil` module can be used on different systems if all of them support the types, classes and permissions used in the module. A `.pp` module also needs to be built with the lowest policydb module version supported on the target systems, i.e. on the oldest system.

Note: Module priorities are ignored in Red Hat Enterprise Linux 6.
The `selinux_reboot_required` custom fact is set to `true` if a system reboot is necessary when SELinux is switched from `disabled` to enabled or vice versa. Otherwise the fact is set to `false`. When a reboot is needed, the role indicates this by returning failure, which needs to be handled using a `block: ... rescue:` construct. The reboot needs to be performed in the playbook; the role itself never reboots the managed host. After the reboot the role needs to be reapplied to finish the changes.
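The `block: ... rescue:` pattern described above, written out as an added example playbook that is not part of the role's README. It assumes an inventory group named `selinux_targets` and that the role exposes `selinux_reboot_required` as a plain fact variable after it fails.

```yaml
# Added example (not from the role's README): apply the role inside a
# block/rescue, reboot only when the role reports that a reboot is required,
# then reapply the role to finish the change. Inventory group name is assumed.
- name: Switch SELinux from disabled to enforcing, rebooting if required
  hosts: selinux_targets          # assumed inventory group
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
  tasks:
    - name: Apply the selinux role (fails when a reboot is needed)
      block:
        - name: Apply role
          ansible.builtin.include_role:
            name: linux-system-roles.selinux
      rescue:
        # Any failure that is not the "reboot required" signal is a real
        # error and must not be masked by an unconditional reboot.
        - name: Fail for any reason other than a required reboot
          ansible.builtin.fail:
            msg: "selinux role failed for a reason unrelated to a reboot"
          when: not (selinux_reboot_required | default(false))

        - name: Reboot the managed host (the role never does this itself)
          ansible.builtin.reboot:

        - name: Reapply the role after the reboot to finish the changes
          ansible.builtin.include_role:
            name: linux-system-roles.selinux
```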
The `selinux_installed_modules` custom fact represents the SELinux module store structure:

```
selinux_installed_modules = {
  <module name>: {
    <module priority>: ("enabled"|"disabled"),
    ...
  },
  ...
}
```

e.g.

```json
"ansible_facts": {
  "selinux_installed_modules": {
    "abrt": {
      "100": "enabled",
      "400": "disabled"
    },
    "accountsd": {
      "100": "enabled"
    },
    "acct": {
      "100": "enabled"
    }
  }
}
```

NOTE: Module priority is set to "0" when priorities are not supported, e.g. on Red Hat Enterprise Linux 6.
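An added example (not from the role's README) that installs a local module at priority 350 through `selinux_modules` and then checks the `selinux_installed_modules` fact, using the nested name/priority layout shown above. The module file path `files/localmodule.cil` and the inventory group `selinux_targets` are assumed; note that the priority keys are strings.

```yaml
# Added example (not from the role's README): install a local module at a
# custom priority, then verify the module store through the
# selinux_installed_modules fact that the role sets. Module file path and
# inventory group are assumed.
- name: Install a local policy module and verify its state
  hosts: selinux_targets            # assumed inventory group
  become: true
  vars:
    selinux_modules:
      - { path: 'files/localmodule.cil', priority: '350', state: 'enabled' }
  roles:
    - role: linux-system-roles.selinux
  post_tasks:
    # Priority keys are strings ("350"), matching the fact layout above.
    - name: Check that localmodule is enabled at priority 350
      ansible.builtin.assert:
        that:
          - "'localmodule' in selinux_installed_modules"
          - selinux_installed_modules['localmodule']['350'] == 'enabled'
        fail_msg: >-
          localmodule is not enabled at priority 350:
          {{ selinux_installed_modules.get('localmodule', {}) }}

    # Useful when auditing a host: lists every priority at which each
    # module exists, which reveals local overrides of vendor (100) modules.
    - name: Show every priority at which each module is installed
      ansible.builtin.debug:
        msg: "{{ item.key }}: {{ item.value | dict2items | map(attribute='key') | list }}"
      loop: "{{ selinux_installed_modules | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
```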