Ansible SELinux: Manage Modes, Booleans & Contexts (Complete Guide)
By Luca Berton · Published 2024-01-01 · Category: installation
How to automate the enabling or disabling of SELinux Permissive policy per single process or domain keeping the whole system under enforcing policy and make it.

SELinux Permissive Domain
What is SELinux?
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).What is SELinux Permissive Domain?
SELinux Permissive Domains allow an administrator to configure a single process (domain) to run permissive, rather than making the whole system permissive.See also: Ansible seboolean Module: Enable & Disable SELinux Booleans (Guide)
Ansible Enable or Disable Permissive Domain in SELinux policy
community.general.selinux_permissive- Change permissive domain in SELinux policy
selinux_permissive.
The full name is community.general.selinux_permissive, which means that is part of the collection of modules to community-supported for Ansible.
It supports a huge variety of Linux distributions and it changes the permissive domain in SELinux policy.
It requires the policycoreutils-python package installed on the target system for semanage utility.
Parameters
- domain (name) string - the name of the domain
- permissive boolean - no/yes
- no_reload boolean - no/yes
See also: Ansible SELinux Module: Set Policy, State & Mode on Linux (Guide)
Links
- https://docs.ansible.com/ansible/latest/collections/community/general/selinux_permissive_module.html
- https://selinuxproject.org/page/PermissiveDomainRecipe
- https://www.redhat.com/sysadmin/semanage-keep-selinux-enforcing
## Playbook
Enable or Disable Permissive Domain in SELinux policy on Linux with Ansible Playbook.
code
---
- name: selinux_permissive module Playbook
hosts: all
become: true
tasks:
- name: semanage present
ansible.builtin.package:
name: "policycoreutils-python-utils"
state: present
- name: Change the httpd_t domain to permissive
community.general.selinux_permissive:
name: httpd_t
permissive: true
execution
$ ansible-playbook -i virtualmachines/demo/inventory selinux/selinux_permissivedomain.yml
PLAY [selinux_permissive module Playbook] *************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [semanage present] ***************************************************************************
changed: [demo.example.com]
TASK [Change the httpd_t domain to permissive] ****************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ansible-pilot $
idempotency
$ ansible-playbook -i virtualmachines/demo/inventory selinux/selinux_permissivedomain.yml
PLAY [selinux_permissive module Playbook] *************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [semanage present] ***************************************************************************
ok: [demo.example.com]
TASK [Change the httpd_t domain to permissive] ****************************************************
ok: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ansible-pilot $
before execution
$ ssh devops@demo.example.com
[devops@demo ~]$ sudo su
[root@demo devops]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@demo devops]# semanage permissive -l
bash: semanage: command not found
[root@demo devops]#
after execution
$ ssh devops@demo.example.com
[devops@demo ~]$ sudo su
[root@demo devops]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@demo devops]# semanage permissive -l
Builtin Permissive Types
Customized Permissive Types
httpd_t
[root@demo devops]# reboot
Connection to demo.example.com closed by remote host.
Connection to demo.example.com closed.
ansible-pilot $ ssh devops@demo.example.com
[devops@demo ~]$ sudo su
[root@demo devops]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@demo devops]# semanage permissive -l
Builtin Permissive Types
Customized Permissive Types
httpd_t
[root@demo devops]#
Conclusion
Now you know how to Enable or Disable a Permissive Domain in the SELinux policy on Linux with Ansible.
See also: Ansible code in RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228)
Related Articles
Category: installation
Watch the video: Ansible SELinux: Manage Modes, Booleans & Contexts (Complete Guide) — Video Tutorial