linux-system-roles.selinux

SELinux

Expected Functionality

This role is designed to help manage local SELinux settings, which include:

  • Setting SELinux to enforcing or permissive mode
  • Restoring the context of parts of the file system
  • Adjusting SELinux Boolean values
  • Setting and getting file contexts
  • Managing user logins
  • Managing network ports

Note: For managing SELinux in disabled mode, you must have the targeted policy installed.

Requirements

See below for details.

Collection Requirements

This role needs additional Ansible collections. You can install them using the command:

ansible-galaxy collection install -vv -r meta/collection-requirements.yml

Modules Provided by This Repository

selinux_modules_facts

Collects information about the state of SELinux modules.

Role Variables

Purging Local Modifications

By default, new modifications in selinux_booleans, selinux_fcontexts, selinux_ports, and selinux_logins are added on top of existing settings. To remove existing modifications before applying new ones, set the following variables to true:

  • selinux_booleans_purge - for SELinux booleans
  • selinux_fcontexts_purge - for SELinux file contexts
  • selinux_ports_purge - for SELinux ports
  • selinux_logins_purge - for SELinux user mappings

To purge all modifications, set selinux_all_purge to true:

selinux_all_purge: true

SELinux Policy and State

Manage SELinux policy type and mode with:

selinux_policy: targeted
selinux_state: enforcing

Possible values for selinux_state are disabled, enforcing, and permissive. If not set, the SELinux state remains unchanged. If SELinux is being enabled without a specific policy, it defaults to targeted.

This uses the selinux module for managing SELinux mode and policy.

SELinux Booleans

Control the state of SELinux booleans with a list of dictionaries. Each dictionary uses the format specified by the seboolean module.

selinux_booleans:
  - name: samba_enable_home_dirs
    state: true
  - name: ssh_sysadm_login
    state: true
    persistent: true

SELinux File Contexts

Manage SELinux file context mappings using a list of dictionaries, similar to the sefcontext module.

selinux_fcontexts:
  - target: '/tmp/test_dir(/.*)?'
    setype: 'user_home_dir_t'
    ftype: d
    state: present

You can optionally specify:

  • seuser: to set the SELinux user
  • selevel: to set the Security Range (relevant for MLS/MCS systems).

To remove a mapping, set state to absent.

SELinux Ports

Manage SELinux port policies with a list of dictionaries, as in the seport module.

selinux_ports:
  - ports: 22100
    proto: tcp
    setype: ssh_port_t
    state: present
    local: true

Restore SELinux Contexts

Specify directories where you want to run restorecon using a list of strings:

selinux_restore_dirs:
  - /tmp/test_dir

SELinux Logins

Manage user translations between Linux and SELinux using a list of dictionaries, as seen in the selogin module.

selinux_logins:
  - login: plautrba
    seuser: staff_u
    state: absent
  - login: default
    seuser: staff_u
    serange: s0-s0:c0.c1023
    state: present

SELinux Modules

You can manage SELinux modules with the selinux_modules variable, which is a list of dictionaries:

selinux_modules:
  - path: localmodule.pp
    state: enabled
  - path: localmodule.cil
    priority: 350
    state: enabled
  - name: unconfineduser
    state: disabled
  - name: localmodule
    priority: 350
    state: absent

  • path: a file to install modules on a node
  • name: to enable, disable, or remove modules
  • priority: sets the module priority
  • state: choose from enabled, disabled, or absent

Note: Building modules from source on nodes is not supported. Using binary modules is allowed if all systems support related types, classes, and permissions.

Note: Module priorities are ignored in Red Hat Enterprise Linux 6.

Note: Module management is idempotent only on Fedora, and EL 8.6 or newer versions.

Handling Reboots After Transactions

To manage reboots needed after transactional updates, use the variable:

selinux_transactional_update_reboot_ok: true

If set to true, the role reboots the node automatically. If set to false, the role informs the user that a reboot is needed. If unset, the role fails when a reboot is required.
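The following playbook is an added example, not part of the role's own documentation, that applies linux-system-roles.selinux with one entry for each variable described above. The paths, port, login name, boolean and module file name are constructed placeholders; the policy types used (httpd_sys_content_t, http_port_t, staff_u) are standard targeted-policy names, and the role is assumed to be installed under the name shown in the install command.

```yaml
# Added example playbook: declare the full local SELinux state in one place.
- name: Manage local SELinux configuration with linux-system-roles.selinux
  hosts: all
  become: true
  vars:
    # Drop previously applied local customizations first so that the
    # resulting state is exactly what is declared below (selinux_all_purge
    # implies the four *_purge variables).
    selinux_all_purge: true

    # Keep the host enforcing with the targeted policy.
    selinux_policy: targeted
    selinux_state: enforcing

    # Pin a boolean off persistently; state/persistent follow the seboolean module.
    selinux_booleans:
      - name: httpd_can_network_connect
        state: false
        persistent: true

    # Label a constructed web root; ftype 'a' covers all file types.
    selinux_fcontexts:
      - target: '/srv/www(/.*)?'
        setype: httpd_sys_content_t
        ftype: a
        state: present

    # Relabel that directory after the mapping exists.
    selinux_restore_dirs:
      - /srv/www

    # Allow httpd to listen on a constructed non-default port.
    selinux_ports:
      - ports: 8181
        proto: tcp
        setype: http_port_t
        state: present
        local: true

    # Map a constructed Linux account to the staff_u SELinux user.
    selinux_logins:
      - login: deploy
        seuser: staff_u
        serange: s0
        state: present

    # Install a prebuilt local module (constructed file name) at a custom priority.
    selinux_modules:
      - path: files/localmodule.pp
        priority: 400
        state: enabled

    # Let the role reboot the node itself if a transactional update needs it.
    selinux_transactional_update_reboot_ok: true

  roles:
    - linux-system-roles.selinux
```

With selinux_all_purge set, anything not listed in the vars above is removed on the next run, which makes the playbook the single source of truth for local policy modifications; leave it unset if other tooling also customizes SELinux on the same hosts.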

Ansible Facts

Check for Reboots Needed

The fact selinux_reboot_required reports whether a reboot is needed to complete a change of SELinux settings. If it is true, the role signals a failure, so your playbook needs a block:...rescue: structure to catch that failure, reboot the node, and then reapply the role to complete the changes.
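The block/rescue pattern described above, as an added example that is not part of the role's documentation. It assumes the role is installed as linux-system-roles.selinux and that the only failure worth recovering from is the reboot request; any other failure is re-raised.

```yaml
# Added example: apply the role, reboot when it asks for it, then reapply.
- name: Apply SELinux settings and handle a required reboot
  hosts: all
  become: true
  vars:
    # Constructed scenario: enabling SELinux on a host where it was disabled
    # needs a reboot before the remaining settings can be applied.
    selinux_policy: targeted
    selinux_state: enforcing
  tasks:
    - name: Apply the selinux role and recover if a reboot is needed
      block:
        - name: Apply SELinux configuration
          ansible.builtin.include_role:
            name: linux-system-roles.selinux
      rescue:
        # Any failure other than the reboot request is a real error:
        # re-raise it instead of rebooting a host in an unknown state.
        - name: Re-raise failures that are not reboot requests
          ansible.builtin.fail:
            msg: "selinux role failed for a reason other than a pending reboot"
          when: not (selinux_reboot_required | default(false))

        - name: Reboot the managed node to complete the SELinux state change
          ansible.builtin.reboot:
            reboot_timeout: 600

        # The role must run again after the reboot to finish applying
        # the remaining settings.
        - name: Reapply SELinux configuration after reboot
          ansible.builtin.include_role:
            name: linux-system-roles.selinux
```

The default(false) guard matters: if the role fails before it gets far enough to set the fact, the variable is undefined and the rescue would otherwise error out on the comparison instead of reporting the real cause.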

Installed SELinux Modules

The custom fact selinux_installed_modules provides the structure of installed SELinux modules:

"selinux_installed_modules": {
  <module name>: {
    <module priority>: ("enabled"|"disabled"),
    ...
  },
  ...
}

Example:

"ansible_facts": {
  "selinux_installed_modules": {
    "abrt": {
      "100": "enabled",
      "400": "disabled"
    },
    "accountsd": {
      "100": "enabled"
    },
    "acct": {
      "100": "enabled"
    }
  }
}

NOTE: Module priority is set to "0" when not supported (e.g., Red Hat Enterprise Linux 6).
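The following is an added example, not from the role's documentation, that audits the selinux_installed_modules fact after the role has run. It assumes the role populates the fact on every run; the module name localmodule and priority 350 are taken from the selinux_modules example above and are constructed values.

```yaml
# Added example: run the role, then audit the selinux_installed_modules fact.
- name: Audit installed SELinux modules
  hosts: all
  become: true
  roles:
    # Running the role gathers the custom fact used below (assumption).
    - linux-system-roles.selinux
  tasks:
    - name: Verify a locally shipped module is enabled at its expected priority
      ansible.builtin.assert:
        that:
          # Module names map to priority strings; .get() keeps the check safe
          # when the module or priority is missing entirely.
          - installed.get('localmodule', {}).get('350', 'absent') == 'enabled'
        fail_msg: "localmodule is not enabled at priority 350"
      vars:
        installed: "{{ ansible_facts.selinux_installed_modules | default({}) }}"

    # A module that is 'disabled' at any priority is a local override of the
    # distribution policy (compare the 'abrt' entry in the example above);
    # surface each one so the override can be reviewed.
    - name: Report modules that are disabled at any priority
      ansible.builtin.debug:
        msg: >-
          {{ item.key }} is disabled at priority
          {{ item.value | dict2items
             | selectattr('value', 'equalto', 'disabled')
             | map(attribute='key') | join(', ') }}
      loop: "{{ ansible_facts.selinux_installed_modules | default({}) | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: "'disabled' in (item.value | dict2items | map(attribute='value') | list)"
```

Because priorities are reported as strings ("100", "400") and become "0" where priorities are unsupported, comparisons in the assert use string keys; on Red Hat Enterprise Linux 6 the only key present for any module is "0".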

Examples

The general usage is shown in the selinux-playbook.yml playbook.

rpm-ostree

See README-ostree.md for more information.

Install
ansible-galaxy install linux-system-roles.selinux
License
gpl-3.0