SELinux

Expected functionality

The role provides mechanisms to manage local SELinux customizations:

  • Set enforcing/permissive

  • Run restorecon on portions of the filesystem tree

  • Set/Get Booleans

  • Set/Get file contexts

  • Manage logins

  • Manage ports

Available modules in Ansible

selinux: Configures the SELinux mode and policy.

seboolean: Toggles SELinux booleans.

sefcontext: Manages SELinux file context mapping definitions. Similar to the +semanage fcontext+ command.

seport: Manages SELinux network port type definitions.

Modules provided by this repository

selogin: Manages Linux user to SELinux user mapping.

Usage

The general usage is demonstrated in the selinux-playbook.yml playbook.

selinux role

This role is configured using the variables described below.

vars:
  [ see below ]
roles:
  - role: fedora.linux_system_roles.selinux
    become: true

purge local modifications

By default, the modifications specified in +selinux_booleans+, +selinux_fcontexts+, +selinux_ports+ and +selinux_logins+ are applied on top of pre-existing modifications. To purge local modifications before setting new ones, set the following variables to true:

  • SELinux booleans: +selinux_booleans_purge+

  • SELinux file contexts: +selinux_fcontexts_purge+

  • SELinux ports: +selinux_ports_purge+

  • SELinux user mapping: +selinux_logins_purge+

You can purge all modifications at once by using the shorthand:

selinux_all_purge: true

set SELinux policy type and mode

selinux_policy: targeted
selinux_state: enforcing

Allowed values for +selinux_state+ are +disabled+, +enforcing+ and +permissive+.

If +selinux_state+ is not set, the SELinux state is not changed. If +selinux_policy+ is not set and SELinux is to be enabled, it defaults to +targeted+. If SELinux is already enabled, the policy is not changed.

set SELinux booleans

selinux_booleans:
  - { name: 'samba_enable_home_dirs', state: 'on' }
  - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }

Set SELinux file contexts

selinux_fcontexts:
  - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }

Individual modifications can be dropped by setting +state+ to +absent+.

Set SELinux ports

selinux_ports:
  - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }

run restorecon on filesystem trees

selinux_restore_dirs:
  - /tmp/test_dir

Set linux user to SELinux user mapping

selinux_logins:
  - { login: 'plautrba', seuser: 'staff_u', state: 'absent' }
  - { login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }

Ansible Facts

selinux_reboot_required

This custom fact is set to +true+ if a system reboot is necessary because SELinux is being switched from +disabled+ to +enabled+ or vice versa. Otherwise the fact is set to +false+. When a reboot is needed, the role indicates this by returning a failure, which the playbook must handle with a +block:+/+rescue:+ construct. The reboot itself must be performed by the playbook; the role never reboots the managed host. After the reboot the role needs to be applied again to finish the changes.
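The following playbook ties the variables from the "selinux role" section together and shows the +block:+/+rescue:+ handling of +selinux_reboot_required+ described above. It is an added example, not the selinux-playbook.yml shipped with the role; the +webservers+ host group, the +/srv/www/app+ tree, TCP port +10443+, the +deploy+ login and the post-check paths are assumed placeholders, and the boolean and type names are taken from the stock targeted policy.

```yaml
---
# Added example (not part of the role's own documentation): apply local
# SELinux customizations with fedora.linux_system_roles.selinux and handle
# the case where the role fails because a reboot is required.
# Assumed values: the "webservers" group, /srv/www/app, port 10443 and the
# "deploy" account are illustrative placeholders.
- name: Manage local SELinux customizations
  hosts: webservers
  become: true
  vars:
    # Enforce the targeted policy. Add "selinux_all_purge: true" here to
    # drop any pre-existing local modifications before applying these.
    selinux_policy: targeted
    selinux_state: enforcing

    selinux_booleans:
      - { name: 'httpd_can_network_connect_db', state: 'on', persistent: 'yes' }

    # Define the label for the application tree; the restorecon run in
    # selinux_restore_dirs is what applies it to files already on disk.
    selinux_fcontexts:
      - { target: '/srv/www/app(/.*)?', setype: 'httpd_sys_content_t', ftype: 'a', state: 'present' }
    selinux_restore_dirs:
      - /srv/www/app

    # Allow httpd to bind an extra TLS port (10443 is assumed unlabeled).
    selinux_ports:
      - { ports: '10443', proto: 'tcp', setype: 'http_port_t', state: 'present' }

    # Map the deployment account to a confined SELinux user.
    selinux_logins:
      - { login: 'deploy', seuser: 'staff_u', serange: 's0', state: 'present' }

  tasks:
    - name: Apply the SELinux role, rebooting once if the role asks for it
      block:
        - name: Run the selinux role
          ansible.builtin.include_role:
            name: fedora.linux_system_roles.selinux
      rescue:
        # Any failure other than the documented reboot request is a real error.
        - name: Re-raise failures that are not a reboot request
          ansible.builtin.fail:
            msg: "{{ ansible_failed_result }}"
          when: not (selinux_reboot_required | default(false))

        - name: Reboot the host to switch SELinux between disabled and enabled
          ansible.builtin.reboot:

        - name: Re-apply the role after the reboot to finish the changes
          ansible.builtin.include_role:
            name: fedora.linux_system_roles.selinux

    # Post-checks: confirm the mode and the file context mapping took effect.
    - name: Verify SELinux is enforcing
      ansible.builtin.command: getenforce
      register: enforce_status
      changed_when: false
      failed_when: enforce_status.stdout != 'Enforcing'

    - name: Verify the file context mapping for the application tree
      ansible.builtin.command: matchpathcon /srv/www/app/index.html
      register: app_context
      changed_when: false
      failed_when: "'httpd_sys_content_t' not in app_context.stdout"
```

The rescue branch first checks +selinux_reboot_required+, so that unrelated failures from the role still abort the play instead of triggering a reboot; +ansible_failed_result+ carries the original error for that case. The two post-check tasks use +getenforce+ and +matchpathcon+ only to read state, so they are marked +changed_when: false+ and fail the play if the expected mode or label is missing.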