Ansible Role selinux

This role

sets the state of SELinux using setenforce
toggles SELinux booleans using setsebool
sets SELinux file contexts using semanage fcontext. It does NOT automatically apply them using restorecon - have a look at selinux__restorecons__*_var
manages SELinux ports using semanage port
applies SELinux contexts to files using restorecon
compiles and installs custom SELinux policy modules from source (.te, .fc, .if files). Note: Module installation is not idempotent - modules with state: present will always be compiled and installed on each run

Mandatory Requirements

Install the SELinux python bindings. This can be done using the linuxfabrik.lfops.policycoreutils role.

Tags

Tag	What it does	Reload / Restart
`selinux`	* `setenforce ...` * `setsebool -P ...` * `semanage fcontext --add --type ...` * `restorecon ...` * `semodule -i ...`	-
`selinux:fcontext`	* `semanage fcontext --add --type ...`	-
`selinux:modules`	* `semodule -i ...` * `semodule -r ...`	-
`selinux:port`	* `semanage port --add --type ... --proto ...`	-
`selinux:restorecon`	* `restorecon ...`	-
`selinux:setenforce`	* `setenforce ...`	-
`selinux:setsebool`	* `setsebool -P ...`	-

Optional Role Variables

Variable	Description	Default Value
`selinux__booleans__host_var` / `selinux__booleans__group_var`	A list of dictionaries containing SELinux booleans to set persistently. Subkeys: * `key`: Mandatory, string. Key of the SELinux boolean. * `value`: Mandatory, string. Value of the SELinux boolean. For the usage in `host_vars` / `group_vars` (can only be used in one group at a time).	`[]`
`selinux__fcontexts__host_var` / `selinux__fcontexts__group_var`	A list of dictionaries containing SELinux file contexts. Subkeys: * `setype`: Mandatory, string. SELinux file type. * `target`: Mandatory, string. The FILE_SPEC which maps file paths using regular expressions to SELinux labels. Either a fully qualified path, or a Perl compatible regular expression (PCRE). * `state`: Optional, string. Whether the SELinux file context must be `absent` or `present`. Defaults to `'present'`.	`[]`
`selinux__modules__host_var` / `selinux__modules__group_var`	A list of dictionaries containing custom SELinux policy modules to compile and install. Subkeys: `name`: Mandatory, string. Name of the SELinux module. `src`: Mandatory, string. Path to directory containing module source files. The directory must contain a `.te` file with the same basename as the module name. Optional `.fc` (file context) and `.if` (interface) files will be included if present. `state`: Optional, string. Whether the module must be `absent` or `present`. Defaults to `'present'`. For the usage in `host_vars` / `group_vars` (can only be used in one group at a time). Note: Modules with `state: present` will always be compiled and installed on each run to ensure they stay up-to-date with source changes.	`[]`
`selinux__policy`	The name of the SELinux policy to use.	`'targeted'`
`selinux__ports__host_var` / `selinux__ports__group_var`	A list of dictionaries containing SELinux ports. Subkeys: `setype`: Mandatory, string. SELinux port type. `port`: Mandatory, string. Port or port range. `proto`: Optional, string. Protocol for the specified port (range). Defaults to `'tcp'`. `state`: Optional, string. Whether the SELinux port must be `absent` or `present`. Defaults to `'present'`.	`[]`
`selinux__restorecons__host_var` / `selinux__restorecons__group_var`	A list of dictionaries containing paths to run `restorecon` on. Subkeys: `path`: Mandatory, string. Path to restore SELinux context on. `force`: Optional, boolean. If `true`, forces complete context replacement (`-F` flag). Defaults to `true`. `recursive`: Optional, boolean. If `true`, recursively restores contexts in directories (`-r` flag). Defaults to `true`. `state`: Optional, string. Whether restorecon should be run (`present`) or skipped (`absent`). Defaults to `'present'`. For the usage in `host_vars` / `group_vars` (can only be used in one group at a time).	`[]`
`selinux__state`	The SELinux state. Possible options: * `disabled` * `enforcing` * `permissive`	`'enforcing'`

Example:

# optional
selinux__booleans__host_var:
  - key: 'httpd_can_network_connect_db'
    value: 'on'
  - key: 'httpd_can_sendmail'
    value: 'on'
  - key: 'httpd_execmem'
    value: 'on'
  - key: 'httpd_use_nfs'
    value: 'on'
selinux__fcontexts__host_var:
  - setype: 'httpd_sys_rw_content_t'
    target: '/data(/.*)?'
    state: 'present'
  - setype: 'httpd_sys_rw_content_t'
    target: '/var/www/html/nextcloud/.htaccess'
    state: 'present'
selinux__modules__host_var:
  - name: 'myapp_policy'
    src: '{{ inventory_dir }}/host_files/selinux/myapp_policy' # directory containing myapp_policy.te, myapp_policy.fc, myapp_policy.if
    state: 'present'
  - name: 'custom_httpd'
    src: '{{ inventory_dir }}/host_files/selinux/custom_httpd'
  - name: 'old_module'
    state: 'absent'
selinux__policy: 'default'
selinux__ports__host_var:
  - setype: 'http_port_t'
    port: '8070-8080'
  - setype: 'ssh_port_t'
    port: 22
selinux__restorecons__host_var:
  - path: '/data'
  - path: '/var/www/html/nextcloud'
  - path: '/opt/app/file.txt'
    recursive: false  # only restore this specific file, not recursively
  - path: '/tmp/test'
    force: false  # only update the type portion of the context
  - path: '/old/legacy/path'
    state: 'absent'  # skip this path
selinux__state: 'enforcing'

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich