Ansible Role selinux

SELinux (Security-Enhanced Linux) is a kernel security module that implements Mandatory Access Control: every process and every file gets a security label, and a system-wide policy decides which transitions and accesses are allowed. This role exposes the user-facing knobs of an SELinux installation. It

- sets the state of SELinux using setenforce
- toggles SELinux booleans using setsebool
- sets SELinux file contexts using semanage fcontext. It does NOT automatically apply them using restorecon - have a look at selinux__restorecons__*_var
- manages SELinux ports using semanage port
- applies SELinux contexts to files using restorecon
- compiles and installs custom SELinux policy modules from source (.te, .fc, .if files). Note: Module installation is not idempotent - modules with state: present will always be compiled and installed on each run

Available since LFOps 2.0.0.
Mandatory Requirements

Install the SELinux python bindings. This can be done using the linuxfabrik.lfops.policycoreutils role.
Optional Role Variables

selinux__booleans__host_var / selinux__booleans__group_var

A list of dictionaries containing SELinux booleans to set persistently. For the usage in host_vars/group_vars (can only be used in one group at a time).

Type: List of dictionaries.
Default: []

Subkeys:
- key: Mandatory. Key of the SELinux boolean. Type: String.
- value: Mandatory. Value of the SELinux boolean. Type: String.
selinux__fcontexts__host_var / selinux__fcontexts__group_var

A list of dictionaries containing SELinux file contexts. For the usage in host_vars/group_vars (can only be used in one group at a time).

Type: List of dictionaries.
Default: []

Subkeys:
- setype: Mandatory. SELinux file type. Type: String.
- target: Mandatory. The FILE_SPEC which maps file paths using regular expressions to SELinux labels. Either a fully qualified path, or a Perl compatible regular expression (PCRE). Type: String.
- state: Optional. Whether the SELinux file context must be absent or present. Type: String. Default: 'present'
selinux__modules__host_var / selinux__modules__group_var

A list of dictionaries containing custom SELinux policy modules to compile and install. For the usage in host_vars/group_vars (can only be used in one group at a time). Note: Modules with state: present will always be compiled and installed on each run to ensure they stay up-to-date with source changes.

Type: List of dictionaries.
Default: []

Subkeys:
- name: Mandatory. Name of the SELinux module. Type: String.
- src: Mandatory. Path to directory containing module source files. The directory must contain a .te file with the same basename as the module name. Optional .fc (file context) and .if (interface) files will be included if present. Type: String.
- state: Optional. Whether the module must be absent or present. Type: String. Default: 'present'
selinux__policy

The name of the SELinux policy to use.

Type: String.
Default: 'targeted'
selinux__ports__host_var / selinux__ports__group_var

A list of dictionaries containing SELinux ports. For the usage in host_vars/group_vars (can only be used in one group at a time).

Type: List of dictionaries.
Default: []

Subkeys:
- setype: Mandatory. SELinux port type. Type: String.
- port: Mandatory. Port or port range. Type: String.
- proto: Optional. Protocol for the specified port (range). Type: String. Default: 'tcp'
- state: Optional. Whether the SELinux port must be absent or present. Type: String. Default: 'present'
selinux__restorecons__host_var / selinux__restorecons__group_var

A list of dictionaries containing paths to run restorecon on. For the usage in host_vars/group_vars (can only be used in one group at a time).

Type: List of dictionaries.
Default: []

Subkeys:
- path: Mandatory. Path to restore SELinux context on. Type: String.
- force: Optional. If true, forces complete context replacement (-F flag). Type: Bool. Default: true
- recursive: Optional. If true, recursively restores contexts in directories (-r flag). Type: Bool. Default: true
- state: Optional. Whether restorecon should be run (present) or skipped (absent). Type: String. Default: 'present'
selinux__state

The SELinux state. Possible options: disabled, enforcing, permissive.

Type: String.
Default: 'enforcing'
Example:

# optional
selinux__booleans__host_var:
  - key: 'httpd_can_network_connect_db'
    value: 'on'
  - key: 'httpd_can_sendmail'
    value: 'on'
  - key: 'httpd_execmem'
    value: 'on'
  - key: 'httpd_use_nfs'
    value: 'on'

selinux__fcontexts__host_var:
  - setype: 'httpd_sys_rw_content_t'
    target: '/data(/.*)?'
    state: 'present'
  - setype: 'httpd_sys_rw_content_t'
    target: '/var/www/html/nextcloud/.htaccess'
    state: 'present'

selinux__modules__host_var:
  - name: 'myapp_policy'
    src: '{{ inventory_dir }}/host_files/selinux/myapp_policy'  # directory containing myapp_policy.te, myapp_policy.fc, myapp_policy.if
    state: 'present'
  - name: 'custom_httpd'
    src: '{{ inventory_dir }}/host_files/selinux/custom_httpd'
  - name: 'old_module'
    state: 'absent'

selinux__policy: 'default'

selinux__ports__host_var:
  - setype: 'http_port_t'
    port: '8070-8080'
  - setype: 'ssh_port_t'
    port: 22

selinux__restorecons__host_var:
  - path: '/data'
  - path: '/var/www/html/nextcloud'
  - path: '/opt/app/file.txt'
    recursive: false  # only restore this specific file, not recursively
  - path: '/tmp/test'
    force: false  # only update the type portion of the context
  - path: '/old/legacy/path'
    state: 'absent'  # skip this path

selinux__state: 'enforcing'
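Because a mistyped port range or a missing mandatory subkey only surfaces when the play runs against a host, it helps to review the variables before that. The following is an added example, not code from the role or from LFOps: it validates the subkeys documented above (mandatory keys, the allowed state values, the port syntax) and prints the command lines the named tools would be given, as a dry-run preview. The exact command lines (setsebool -P, semanage fcontext/port -a/-d, restorecon -F/-r, the selinux-policy-devel Makefile for building modules, semodule -i/-r) are this example's assumption about the tooling the documentation names, not a reproduction of the role's tasks, and the sample variables and paths are constructed.

```python
"""Pre-flight checker for linuxfabrik.lfops.selinux role variables (added example)."""
import re
import shlex

ALLOWED_STATES = {"present", "absent"}
ALLOWED_SELINUX_STATES = {"disabled", "enforcing", "permissive"}
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")  # "8080" or "8070-8080"

# Constructed sample host_vars, mirroring the documented example.
SAMPLE_VARS = {
    "selinux__state": "enforcing",
    "selinux__booleans__host_var": [
        {"key": "httpd_can_network_connect_db", "value": "on"},
        {"key": "httpd_can_sendmail", "value": "on"},
    ],
    "selinux__fcontexts__host_var": [
        {"setype": "httpd_sys_rw_content_t", "target": "/data(/.*)?"},
        {"setype": "httpd_sys_rw_content_t",
         "target": "/var/www/html/nextcloud/.htaccess", "state": "present"},
    ],
    "selinux__ports__host_var": [
        {"setype": "http_port_t", "port": "8070-8080"},
        {"setype": "ssh_port_t", "port": 22},
    ],
    "selinux__restorecons__host_var": [
        {"path": "/data"},
        {"path": "/opt/app/file.txt", "recursive": False},
        {"path": "/old/legacy/path", "state": "absent"},
    ],
    "selinux__modules__host_var": [
        # hypothetical source directory, assumed to hold myapp_policy.te
        {"name": "myapp_policy", "src": "/srv/host_files/selinux/myapp_policy"},
        {"name": "old_module", "state": "absent"},
    ],
}


def _require(item, keys, where, errors):
    for k in keys:
        if item.get(k) in ("", None):
            errors.append(f"{where}: missing mandatory subkey '{k}'")


def _state(item, where, errors):
    state = item.get("state", "present")
    if state not in ALLOWED_STATES:
        errors.append(f"{where}: state must be present or absent, got {state!r}")
    return state


def validate(v):
    """Return a list of validation errors; an empty list means the variables are sane."""
    errors = []
    if v.get("selinux__state", "enforcing") not in ALLOWED_SELINUX_STATES:
        errors.append(f"selinux__state: invalid value {v['selinux__state']!r}")
    for i, b in enumerate(v.get("selinux__booleans__host_var", [])):
        _require(b, ("key", "value"), f"booleans[{i}]", errors)
    for i, f in enumerate(v.get("selinux__fcontexts__host_var", [])):
        _require(f, ("setype", "target"), f"fcontexts[{i}]", errors)
        _state(f, f"fcontexts[{i}]", errors)
    for i, p in enumerate(v.get("selinux__ports__host_var", [])):
        _require(p, ("setype", "port"), f"ports[{i}]", errors)
        if "port" in p and not PORT_RE.match(str(p["port"])):
            errors.append(f"ports[{i}]: port must be N or N-M, got {p['port']!r}")
        _state(p, f"ports[{i}]", errors)
    for i, r in enumerate(v.get("selinux__restorecons__host_var", [])):
        _require(r, ("path",), f"restorecons[{i}]", errors)
        _state(r, f"restorecons[{i}]", errors)
    for i, m in enumerate(v.get("selinux__modules__host_var", [])):
        _require(m, ("name",), f"modules[{i}]", errors)
        if _state(m, f"modules[{i}]", errors) == "present":
            _require(m, ("src",), f"modules[{i}]", errors)  # src only needed to build
    return errors


def plan(v):
    """Return the command lines the documented tools would be given (assumed mapping)."""
    cmds = []
    for b in v.get("selinux__booleans__host_var", []):
        cmds.append(f"setsebool -P {b['key']} {b['value']}")  # -P: persistent
    for f in v.get("selinux__fcontexts__host_var", []):
        op = "-a" if f.get("state", "present") == "present" else "-d"
        cmds.append(f"semanage fcontext {op} -t {f['setype']} {shlex.quote(f['target'])}")
    for p in v.get("selinux__ports__host_var", []):
        op = "-a" if p.get("state", "present") == "present" else "-d"
        cmds.append(f"semanage port {op} -t {p['setype']} -p {p.get('proto', 'tcp')} {p['port']}")
    for r in v.get("selinux__restorecons__host_var", []):
        if r.get("state", "present") != "present":
            continue  # state: absent skips the path entirely
        flags = ("-F " if r.get("force", True) else "") + ("-r " if r.get("recursive", True) else "")
        cmds.append(f"restorecon {flags}{shlex.quote(r['path'])}")
    for m in v.get("selinux__modules__host_var", []):
        if m.get("state", "present") == "present":  # rebuilt on every run (not idempotent)
            cmds.append(f"cd {shlex.quote(m['src'])} && make -f /usr/share/selinux/devel/Makefile "
                        f"{m['name']}.pp && semodule -i {m['name']}.pp")
        else:
            cmds.append(f"semodule -r {m['name']}")
    return cmds


if __name__ == "__main__":
    for err in validate(SAMPLE_VARS):
        print("ERROR:", err)
    for cmd in plan(SAMPLE_VARS):
        print(cmd)
```

The preview is deliberately one-directional: it shows what the variables ask for, and the host's current state (getsebool -a, semanage fcontext -l, semanage port -l) is what to diff it against when reviewing a change, since the fcontext and port entries are only added or deleted, never applied to files until restorecon runs.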