Set the SELinux Policy States and Modes on Linux - Ansible module selinux

How to automate the setting and verification of the "enforcing" SELinux mode and state with "targeted" policy and relabel the filesystem if necessary on Linux target with Ansible.

How to Set the SELinux Policy States and Modes on Linux with Ansible?

I'm going to show you a live Playbook with some simple Ansible code.

I'm Luca Berton and welcome to today's episode of Ansible Pilot.

SELinux Modes and States

enforcing - enabled, load security policy "targeted" and active

permissive - enabled, load security policy, log, don't deny

disabled - disabled, not load security policy

What is SELinux?

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

Let's quickly Conclusion the three SELinux Modes: enforcing, permissive and disabled.

The "enforce" mode is recommended, SELinux is enabled and fully operates. It applies the security policy to the entire system.

Please note that in this mode SELinux is expected to deny some actions that don't complain about the security policy. You could choose the name of the security policy, most distributions use the "targeted" security policy out-of-the-box. It's the recommended option for production systems.

The "permissive" mode is someway in the middle, SELinux is enabled and load the security policy. It labels objects and emits access denial entries in the logs, but it does not actually deny any operations. This mode is useful in the development and debugging.

The "disabled" mode completely disables the SELinux system. This option is discouraged.

More advanced user ser set the system running in enforcing mode but individual domain as permissive.

Ansible set the SELinux Policy States and Modes on Linux

ansible.posix.selinux

Change policy and the state of SELinux

Today we're talking about Ansible module selinux.

The full name is ansible.posix.selinux, which means that is part of the collection of modules to interact with POSIX systems.

It's a module pretty stable and out for years, it manages SELinux policy.

It supports a huge variety of Linux distributions and POSIX systems.

It requires libselinux-python or libselinux-python3 library installed on the target system.

Parameters

state string - enforcing/permissive/disabled - SELinux mode

policy - "targeted"

configfile string - "/etc/selinux/config"

Let's see the parameter of the selinux Ansible module.

The only required is "state", which is the SELinux mode.

For this parameter the three options are available: "enforcing", "permissive", and "disabled".

When the system is in "enforcing" and "permissive" modes you need to specify also the policy to enable it.

The parameter "policy" is designed for this purpose. For example "targeted" policy.

By default, all these values apply to the SELinux configuration file saved in the "/etc/selinux/config". You could customize using the "configfile" parameter.