FlatKey.selinux
ansible-selinux-role
=========
This role helps you set up and manage SELinux.
Configuration Options:
- policy: Select the SELinux policy (for example, targeted).
- state: Set the SELinux state (enforcing, permissive, or disabled).
- booleans: Toggle SELinux booleans on or off.
- ports: Assign SELinux port types to network ports.
- fcontexts: Manage SELinux file contexts (labels) for paths.
Requirements
------------
- This role has been tested only on RHEL 7 and CentOS 7.
- Ansible version 2.0 or higher is needed.
Role Variables
--------------
You don't need to use all the variables. Pick only what you need.

Configure SELinux Policy and State:
```
selinux_config: (optional, default: /etc/selinux/config)
selinux_policy: (optional, default: targeted)
selinux_state: (optional, values: enforcing | permissive | disabled, default: enforcing)
```
Toggle SELinux Booleans:
```
selinux_boolean:
  name_of_selinux_boolean:
    state: (optional, values: yes | no, default: yes)
    persistent: (optional, values: yes | no, default: yes)
```
Configure SELinux Ports:
```
selinux_ports:
  name_of_selinux_type:
    ports: (required, a single port or a range such as 9000-9004)
    protocol: (optional, values: tcp | udp, default: tcp)
    state: (optional, values: present | absent, default: present)
```
Configure SELinux File Contexts:
```
selinux_fcontext:
  name_of_selinux_fcontext: (your choice, used only for readability in your playbook)
    file_spec: (required, regular expression matching the files to label)
    setype: (required, an existing SELinux type to apply to matching files)
    ftype: (optional, file type to match, values: a | b | c | d | f | l | p | s, default: a, all files)
    state: (optional, values: present | absent, default: present)
```
Example Playbook
----------------
```yaml
- hosts: server
  become: yes
  become_user: root
  become_method: su
  roles:
    - { role: ansible-selinux-role }
  vars:
    selinux_policy: "targeted"
    selinux_state: "enforcing"
    selinux_boolean:
      antivirus_can_scan_system:
        state: yes
        persistent: yes
      httpd_can_sendmail:
        state: yes
        persistent: yes
    selinux_ports:
      ssh_port_t:
        ports: 2222
        protocol: tcp
        state: present
      http_port_t:
        ports: 9000-9004
        protocol: tcp
        state: present
    selinux_fcontext:
      vcloud_documentroot:
        file_spec: "/srv/www(.*)"
        setype: httpd_sys_rw_content_t
        ftype: a
        state: present
```
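As an added pre-flight check (this script is not part of the role), the Python below validates a vars dictionary against the constraints listed under Role Variables and renders the manual setsebool/semanage commands that correspond to each entry, so you can review what a play will change on the host before running it. Whether the role drives these tools directly or uses Ansible's SELinux modules is not stated on this page, so the rendered commands are a reference, not a transcript of what the role executes. The sample vars are the ones from the example playbook above, with YAML `yes` written as Python `True`.

```python
import re

def port_spec(spec):
    """Normalise a single port or inclusive low-high range; reject anything else."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", str(spec))
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port spec {spec!r} out of range")
    return str(low) if low == high else f"{low}-{high}"

def plan(role_vars):
    """Validate the role's vars and return the equivalent manual commands."""
    state = role_vars.get("selinux_state", "enforcing")
    if state not in ("enforcing", "permissive", "disabled"):
        raise ValueError(f"bad selinux_state {state!r}")
    cmds = []
    for name, opts in role_vars.get("selinux_boolean", {}).items():
        flag = "-P " if opts.get("persistent", True) else ""   # -P = survive reboot
        cmds.append(f"setsebool {flag}{name} {'on' if opts.get('state', True) else 'off'}")
    for setype, opts in role_vars.get("selinux_ports", {}).items():
        proto = opts.get("protocol", "tcp")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad protocol {proto!r} for {setype}")
        op = "-a" if opts.get("state", "present") == "present" else "-d"
        cmds.append(f"semanage port {op} -t {setype} -p {proto} {port_spec(opts['ports'])}")
    for name, opts in role_vars.get("selinux_fcontext", {}).items():
        ftype = opts.get("ftype", "a")
        if ftype not in set("abcdflps"):     # file types the ftype option accepts
            raise ValueError(f"bad ftype {ftype!r} in {name}")
        op = "-a" if opts.get("state", "present") == "present" else "-d"
        cmds.append(f"semanage fcontext {op} -t {opts['setype']} -f {ftype} '{opts['file_spec']}'")
    return cmds

# Constructed input: the vars from the example playbook above (YAML yes -> True).
EXAMPLE_VARS = {
    "selinux_state": "enforcing",
    "selinux_boolean": {
        "antivirus_can_scan_system": {"state": True, "persistent": True},
        "httpd_can_sendmail": {"state": True, "persistent": True},
    },
    "selinux_ports": {
        "ssh_port_t": {"ports": 2222, "protocol": "tcp", "state": "present"},
        "http_port_t": {"ports": "9000-9004", "protocol": "tcp", "state": "present"},
    },
    "selinux_fcontext": {
        "vcloud_documentroot": {"file_spec": "/srv/www(.*)", "setype": "httpd_sys_rw_content_t"},
    },
}
```

Calling `plan(EXAMPLE_VARS)` returns the five commands for the example playbook; an out-of-range port, an unknown protocol or an invalid ftype raises a ValueError before anything reaches the host.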
License
-------
MIT
