Essentially provide mechanisms to manage local customizations:
- Set enforcing/permissive
- restorecon portions of filesystem tree
- Set/Get Booleans
- Set/Get file contexts
- Manage logins
- Manage ports
Note: If you want to manage SELinux customizations in disabled mode, you need SELinux targeted policy installed.
See below
The role requires external collections. Use the following command to install them:
ansible-galaxy collection install -vv -r meta/collection-requirements.ymlGather state of SELinux modules
By default, the modifications specified in selinux_booleans,
selinux_fcontexts, selinux_ports and selinux_logins are applied on top of
pre-existing modifications. To purge local modifications prior to setting new
ones, set following variables to true:
selinux_booleans_purge- SELinux booleansselinux_fcontexts_purge- SELinux file contextsselinux_ports_purge- SELinux portsselinux_logins_purge- SELinux user mapping
You can purge all modifications by using selinux_all_purge: true:
selinux_all_purge: trueManage the SELinux policy type and mode.
selinux_policy: targeted
selinux_state: enforcingAllowed values for selinux_state are disabled, enforcing and permissive.
If selinux_state is not set, the SELinux state is not changed.
If selinux_policy is not set and SELinux is to be enabled, it defaults to
targeted. If SELinux is already enabled, the policy is not changed.
This uses the selinux module to manage the SELinux mode and policy.
Manage the state of SELinux booleans. This is a list of dict, where each
dict is in the same format as used by the
seboolean
module.
selinux_booleans:
- name: samba_enable_home_dirs
state: true
- name: ssh_sysadm_login
state: true
persistent: trueManage the state of SELinux file context mapping definitions. This is a list
of dict, where each dict is in the same format as used by the
sefcontext
module.
selinux_fcontexts:
- target: '/tmp/test_dir(/.*)?'
setype: 'user_home_dir_t'
ftype: d
state: presentUsers may also pass the following optional parameters:
seuser: to set the SELinux userselevel: to set the MLS/MCS Security Range (MLS/MCS Systems only). SELinux Range for SELinux login mapping defaults to the SELinux user record range.
Individual modifications can be dropped by setting state to absent.
Manage the state of SELinux port policy. This is a list of dict, where each
dict is in the same format as used by the
seport
module.
selinux_ports:
- ports: 22100
proto: tcp
setype: ssh_port_t
state: present
local: trueThis is a list of strings, where each string is a filesystem tree where you
want to run restorecon:
selinux_restore_dirs:
- /tmp/test_dirManage the linux user to SELinux user mapping. This is a list of dict,
where each dict is in the same format as used by the
selogin
module.
selinux_logins:
- login: plautrba
seuser: staff_u
state: absent
- login: default
seuser: staff_u
serange: s0-s0:c0.c1023
state: presentIt is possible to manage SELinux modules using selinux_modules variable
which would contain a list of dict, e.g.:
selinux_modules:
- path: localmodule.pp
state: enabled
- path: localmodule.cil
priority: 350
state: enabled
- name: unconfineduser
state: disabled
- name: localmodule
priority: 350
state: absentpath: a local module file (either .cil or .pp) to be installed on a node, used for installing new modulesname: module name, used for enabling disabled modules, disabling enabled modules, removing modulespriority: SELinux module priority, default is "400". "100" is used for modules installed from selinux-policy packages, "200" for other modules installed from 3rd party rpms, "300" is used by SETroubleshootstate: one of the following valuesenabled: install or enable moduledisabled: disable moduleabsent: remove module
Note: Building modules from source on nodes is not supported. However, in many cases a binary pp or cil module could be used on different systems if all systems support types, classes and permissions used in the module. In case of pp module it also needs to be built with the lowest supported policydb module version on target systems, i.e. on the oldest system.
Note: Module priorities are ignored in Red Hat Enterprise Linux 6
Note: Managing modules is idempotent only on Fedora, and EL 8.6 and later. You can manage modules on older releases, but it will not be idempotent.
This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if selinux_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.
selinux_transactional_update_reboot_ok: trueThis custom fact is set to true if system reboot is necessary when SELinux is
set from disabled to enabled or vice versa. Otherwise the fact is set to
false. In the case that system reboot is needed, it will be indicated by
returning failure from the role which needs to be handled using a
block:...rescue: construct. The reboot needs to be performed in the
playbook, the role itself never reboots the managed host. After the reboot the
role needs to be reapplied to finish the changes.
This custom fact represents SELinux module store structure
"selinux_installed_modules": {
<module name>: {
<module priority>: ("enabled"|"disabled"),
...
},
...
}e.g.
"ansible_facts": {
"selinux_installed_modules": {
"abrt": {
"100": "enabled",
"400": "disabled"
},
"accountsd": {
"100": "enabled"
},
"acct": {
"100": "enabled"
}
}
}NOTE: Module priority is set to "0" when priorities are not supported, e.g. on Red Hat Enterprise Linux 6
The general usage is demonstrated in selinux-playbook.yml playbook.
See README-ostree.md