SELinux

Expected functionality

Essentially provide mechanisms to manage local customizations:

  • Set enforcing/permissive

  • restorecon portions of filesystem tree

  • Set/Get Booleans

  • Set/Get file contexts

  • Manage logins

  • Manage ports

Available modules in Ansible

selinux: Configures the SELinux mode and policy.

seboolean: Toggles SELinux booleans.

sefcontext: Manages SELinux file context mapping definitions Similar to the semanage fcontext command.

seport: Manages SELinux network port type definitions.

Modules provided by this repository

selogin: Manages linux user to SELinux user mapping

Usage

The general usage is demonstrated in selinux-playbook.yml playbook.

selinux role

This role can be configured using variables as it is described below.

vars:
  [ see below ]
roles:
  - role: rhel-system-roles.selinux
    become: true
purge local modifications using appropriate variable
selinux_booleans_purge: true
selinux_fcontexts_purge: true
selinux_ports_purge: true
selinux_logins_purge: true
purge all local modifications using variable
selinux_all_purge: true
set SELinux policy type and mode
selinux_policy: targeted
selinux_state: enforcing
set SELinux booleans
selinux_booleans:
  - { name: 'samba_enable_home_dirs', state: 'on' }
  - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
Set SELinux file contexts
selinux_fcontexts:
  - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd' }
Set SELinux ports
selinux_ports:
  - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
run restorecon on filesystem trees
selinux_restore_dirs:
  - /tmp/test_dir
Set linux user to SELinux user mapping
    selinux_logins:
      - { login: 'plautrba', seuser: 'staff_u', state: 'absent' }
      - { login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }

Ansible Facts

selinux_reboot_required

This custom fact is set to true if system reboot is necessary when SELinux is set from disabled to enabled or vice versa. Otherwise the fact is set to false. In the case that system reboot is needed, it will be indicated by returning failure from the role which needs to be handled using a block:rescue: construct. The reboot needs to be performed in the playbook, the role itself never reboots the managed host. After the reboot the role needs to be reapplied to finish the changes.