SELinux

Expected functionality

Essentially provide mechanisms to manage local customizations:

Note: If you want to manage SELinux customizations in disabled mode, you need SELinux targeted policy installed.

Requirements

See below

Collection requirements

The role requires external collections. Use the following command to install them:

ansible-galaxy collection install -vv -r meta/collection-requirements.yml

Modules provided by this repository

selinux_modules_facts

Gather state of SELinux modules

Role Variables

purge local modifications

By default, the modifications specified in selinux_booleans, selinux_fcontexts, selinux_ports and selinux_logins are applied on top of pre-existing modifications. To purge local modifications prior to setting new ones, set following variables to true:

You can purge all modifications by using selinux_all_purge: true:

selinux_all_purge: true

selinux_policy, selinux_state

Manage the SELinux policy type and mode.

selinux_policy: targeted
selinux_state: enforcing

Allowed values for selinux_state are disabled, enforcing and permissive.

If selinux_state is not set, the SELinux state is not changed. If selinux_policy is not set and SELinux is to be enabled, it defaults to targeted. If SELinux is already enabled, the policy is not changed.

This uses the selinux module to manage the SELinux mode and policy.

selinux_booleans

Manage the state of SELinux booleans. This is a list of dict, where each dict is in the same format as used by the seboolean module.

selinux_booleans:
  - name: samba_enable_home_dirs
    state: true
  - name: ssh_sysadm_login
    state: true
    persistent: true

selinux_fcontexts

Manage the state of SELinux file context mapping definitions. This is a list of dict, where each dict is in the same format as used by the sefcontext module.

selinux_fcontexts:
  - target: '/tmp/test_dir(/.*)?'
    setype: 'user_home_dir_t'
    ftype: d
    state: present

Users may also pass the following optional parameters:

Individual modifications can be dropped by setting state to absent.

selinux_ports

Manage the state of SELinux port policy. This is a list of dict, where each dict is in the same format as used by the seport module.

selinux_ports:
  - ports: 22100
    proto: tcp
    setype: ssh_port_t
    state: present
    local: true

selinux_restore_dirs

This is a list of strings, where each string is a filesystem tree where you want to run restorecon:

selinux_restore_dirs:
  - /tmp/test_dir

selinux_logins

Manage the linux user to SELinux user mapping. This is a list of dict, where each dict is in the same format as used by the selogin module.

selinux_logins:
  - login: plautrba
    seuser: staff_u
    state: absent
  - login: default
    seuser: staff_u
    serange: s0-s0:c0.c1023
    state: present

selinux_modules

It is possible to manage SELinux modules using selinux_modules variable which would contain a list of dict, e.g.:

selinux_modules:
  - path: localmodule.pp
    state: enabled
  - path: localmodule.cil
    priority: 350
    state: enabled
  - name: unconfineduser
    state: disabled
  - name: localmodule
    priority: 350
    state: absent

Note: Building modules from source on nodes is not supported. However, in many cases a binary pp or cil module could be used on different systems if all systems support types, classes and permissions used in the module. In case of pp module it also needs to be built with the lowest supported policydb module version on target systems, i.e. on the oldest system.

Note: Module priorities are ignored in Red Hat Enterprise Linux 6

Note: Managing modules is idempotent only on Fedora, and EL 8.6 and later. You can manage modules on older releases, but it will not be idempotent.

selinux_transactional_update_reboot_ok

This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if selinux_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.

selinux_transactional_update_reboot_ok: true

Ansible Facts

selinux_reboot_required

This custom fact is set to true if system reboot is necessary when SELinux is set from disabled to enabled or vice versa. Otherwise the fact is set to false. In the case that system reboot is needed, it will be indicated by returning failure from the role which needs to be handled using a block:...rescue: construct. The reboot needs to be performed in the playbook, the role itself never reboots the managed host. After the reboot the role needs to be reapplied to finish the changes.

selinux_installed_modules

This custom fact represents SELinux module store structure

"selinux_installed_modules": {
  <module name>: {
    <module priority>: ("enabled"|"disabled"),
    ...
  },
  ...
}

e.g.

"ansible_facts": {
  "selinux_installed_modules": {
    "abrt": {
      "100": "enabled",
      "400": "disabled"
    },
    "accountsd": {
      "100": "enabled"
    },
    "acct": {
      "100": "enabled"
    }
  }
}

NOTE: Module priority is set to "0" when priorities are not supported, e.g. on Red Hat Enterprise Linux 6

Examples

The general usage is demonstrated in selinux-playbook.yml playbook.

rpm-ostree

See README-ostree.md