Enable or Disable Permissive Domain in SELinux policy on Linux - Ansible module selinux_permissive

How to automate the enabling or disabling of SELinux Permissive policy per single process or domain keeping the whole system under enforcing policy and make it persistent after a reboot on Linux with Ansible.

SELinux Permissive Domain

What is SELinux?

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

What is SELinux Permissive Domain?

SELinux Permissive Domains allow an administrator to configure a single process (domain) to run permissive, rather than making the whole system permissive.

Ansible Enable or Disable Permissive Domain in SELinux policy

community.general.selinux_permissive

Change permissive domain in SELinux policy

Today we're talking about Ansible module selinux_permissive.

The full name is community.general.selinux_permissive, which means that is part of the collection of modules to community-supported for Ansible.

It supports a huge variety of Linux distributions and it changes the permissive domain in SELinux policy.

It requires the policycoreutils-python package installed on the target system for semanage utility.

Parameters

domain (name) string - the name of the domain

permissive boolean - no/yes

no_reload boolean - no/yes

Let's see the parameter of the selinux_permissive Ansible module.

The only mandatory parameters are "domain" and "permissive".

The parameter "domain" or alias "name" specifies the name of the SELinux domain that we would add to the list of permissive domains.

The parameter "permissive" allows you to enable or disable the SELinux permissive domain immediately in the running system.

The parameter "no_reload" disables the policy reloading after a change of the setting. Default is "no", which causes the reloading of the policy.

Links

https://docs.ansible.com/ansible/latest/collections/community/general/selinux_permissive_module.html

https://selinuxproject.org/page/PermissiveDomainRecipe

https://www.redhat.com/sysadmin/semanage-keep-selinux-enforcing

## Playbook

Enable or Disable Permissive Domain in SELinux policy on Linux with Ansible Playbook.

code

``yaml


---
name: selinux_permissive module Playbook
  hosts: all
  become: true
  tasks:
    - name: semanage present
      ansible.builtin.package:
        name: "policycoreutils-python-utils"
        state: present
    - name: Change the httpd_t domain to permissive
      community.general.selinux_permissive:
        name: httpd_t
        permissive: true



execution

``bash

$ ansible-playbook -i virtualmachines/demo/inventory selinux/selinux_permissivedomain.yml

PLAY [selinux_permissive module Playbook] *

TASK [Gathering Facts]

ok: [demo.example.com]

TASK [semanage present] *

changed: [demo.example.com]

TASK [Change the httpd_t domain to permissive] **

changed: [demo.example.com]

PLAY RECAP