
Watch: Enable or Disable SELinux Boolean on Linux - Ansible module seboolean

How to automate the enabling of the "httpd_use_nfs" SELinux boolean and make it persistent after a reboot on Linux with Ansible.

How to Enable or Disable SELinux Boolean on Linux with Ansible?

I'm going to show you a live Playbook with some simple Ansible code.

I'm Luca Berton and welcome to today's episode of Ansible Pilot.

SELinux Booleans

  • SELinux boolean - changes how SELinux reacts

What is SELinux?

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

What are SELinux Booleans?

An SELinux boolean is a single string that changes how SELinux reacts.

You can find some examples at the following URL: https://www.redhat.com/sysadmin/change-selinux-settings-boolean

Ansible Enable or Disable SELinux Boolean on Linux

  • ansible.posix.seboolean
  • Toggles SELinux booleans

Today we're talking about Ansible module seboolean.

The full name is ansible.posix.seboolean, which means that it is part of the collection of modules to interact with POSIX systems.

It's a pretty stable module that has been out for years. It toggles SELinux booleans.

It supports a huge variety of Linux distributions and POSIX systems.

It requires the python3-libsemanage or libsemanage-python package to be installed on the target system.

Parameters

  • name string - The name of the boolean
  • state boolean - no/yes
  • persistent boolean - no/yes
  • ignore_selinux_state boolean - no/yes

Let's see the parameters of the seboolean Ansible module.

The only mandatory parameters are "name" and "state".

The parameter "name" specifies the name of the SELinux boolean that we would like to modify.

The parameter "state" allows you to enable or disable the SELinux boolean immediately in the running system.

The parameter "persistent" allows you to specify whether the state change is also applied at the next boot.

The special parameter "ignore_selinux_state" is useful for scenarios, such as a chrooted environment, where you can't get the current SELinux state.

Links

  • https://linux.die.net/man/8/apache_selinux
  • https://www.redhat.com/sysadmin/change-selinux-settings-boolean
  • https://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#adjusting-the-policy-for-sharing-nfs-and-cifs-volumes-using-selinux-booleans_configuring-selinux-for-applications-and-services-with-non-standard-configurations

## Playbook

Enable or Disable SELinux Boolean on Linux with Ansible Playbook.

code
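
A playbook for the task described above, written as an added example and not the tutorial's original code. The `webservers` inventory group and the `sebool_name` variable are hypothetical, and the package name assumes a RHEL-family target that ships `python3-libsemanage`:

```yaml
---
# Added example, not the playbook from the original tutorial.
# Assumptions: inventory group "webservers" (hypothetical) and RHEL-family
# targets where the Python bindings are packaged as python3-libsemanage.
- name: Enable the httpd_use_nfs SELinux boolean
  hosts: webservers            # hypothetical inventory group
  become: true
  vars:
    sebool_name: httpd_use_nfs # hypothetical variable name
  tasks:
    - name: Install the libsemanage Python bindings required by seboolean
      ansible.builtin.package:
        name: python3-libsemanage
        state: present

    - name: Enable the boolean now and keep it enabled after a reboot
      ansible.posix.seboolean:
        name: "{{ sebool_name }}"
        state: true            # applied immediately to the running system
        persistent: true       # written to the policy store for the next boot

    - name: Read back the runtime value of the boolean
      ansible.builtin.command: "getsebool {{ sebool_name }}"
      register: sebool_runtime
      changed_when: false      # read-only check, never reports a change

    - name: Fail the play if the boolean is not on
      ansible.builtin.assert:
        that:
          - "'--> on' in sebool_runtime.stdout"
        fail_msg: "{{ sebool_name }} is not enabled on {{ inventory_hostname }}"
```

With `persistent` left at its default of no, the boolean is switched in the running system only and reverts at the next boot.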
