Enable or Disable Permissive Domain in SELinux policy on Linux - Ansible module selinux_permissive
How to automate the enabling or disabling of SELinux Permissive policy per single process or domain keeping the whole system under enforcing policy and make it persistent after a reboot on Linux with Ansible.
SELinux Permissive Domain
What is SELinux?
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).
What is SELinux Permissive Domain?
SELinux Permissive Domains allow an administrator to configure a single process (domain) to run permissive, rather than making the whole system permissive.
Ansible Enable or Disable Permissive Domain in SELinux policy
community.general.selinux_permissive- Change permissive domain in SELinux policy
Today we’re talking about Ansible module selinux_permissive.
The full name is community.general.selinux_permissive, which means that is part of the collection of modules to community-supported for Ansible.
It supports a huge variety of Linux distributions and it changes the permissive domain in SELinux policy.
It requires the policycoreutils-python package installed on the target system for semanage utility.
Parameters
- domain (name) string - the name of the domain
- permissive boolean - no/yes
- no_reload boolean - no/yes
Let’s see the parameter of the selinux_permissive Ansible module. The only mandatory parameters are “domain” and “permissive”. The parameter “domain” or alias “name” specifies the name of the SELinux domain that we would add to the list of permissive domains. The parameter “permissive” allows you to enable or disable the SELinux permissive domain immediately in the running system. The parameter “no_reload” disables the policy reloading after a change of the setting. Default is “no”, which causes the reloading of the policy.
Links
- https://docs.ansible.com/ansible/latest/collections/community/general/selinux_permissive_module.html
- https://selinuxproject.org/page/PermissiveDomainRecipe
- https://www.redhat.com/sysadmin/semanage-keep-selinux-enforcing
The Best Resources For Ansible
Certifications
CYBER DEALS at The Linux Foundation! Up to 65% off, and a FREE GIFT with EVERY PURCHASE! Limited Time, Don't Delay!Video Course
Printed Book
Ansible For VMware by Examples
Ansible for Kubernetes by Example
Hands-on Ansible AutomationeBooks
Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios
demo
Enable or Disable Permissive Domain in SELinux policy on Linux with Ansible Playbook.
code
---
- name: selinux_permissive module demo
hosts: all
become: true
tasks:
- name: semanage present
ansible.builtin.package:
name: "policycoreutils-python-utils"
state: present
- name: Change the httpd_t domain to permissive
community.general.selinux_permissive:
name: httpd_t
permissive: true
execution
$ ansible-playbook -i virtualmachines/demo/inventory selinux/selinux_permissivedomain.yml
PLAY [selinux_permissive module demo] *************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [semanage present] ***************************************************************************
changed: [demo.example.com]
TASK [Change the httpd_t domain to permissive] ****************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ansible-pilot $
idempotency
$ ansible-playbook -i virtualmachines/demo/inventory selinux/selinux_permissivedomain.yml
PLAY [selinux_permissive module demo] *************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [semanage present] ***************************************************************************
ok: [demo.example.com]
TASK [Change the httpd_t domain to permissive] ****************************************************
ok: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ansible-pilot $
before execution
$ ssh [email protected]
[devops@demo ~]$ sudo su
[root@demo devops]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@demo devops]# semanage permissive -l
bash: semanage: command not found
[root@demo devops]#
after execution
$ ssh [email protected]
[devops@demo ~]$ sudo su
[root@demo devops]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@demo devops]# semanage permissive -l
Builtin Permissive Types
Customized Permissive Types
httpd_t
[root@demo devops]# reboot
Connection to demo.example.com closed by remote host.
Connection to demo.example.com closed.
ansible-pilot $ ssh [email protected]
[devops@demo ~]$ sudo su
[root@demo devops]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@demo devops]# semanage permissive -l
Builtin Permissive Types
Customized Permissive Types
httpd_t
[root@demo devops]#
Recap
Now you know how to Enable or Disable a Permissive Domain in the SELinux policy on Linux with Ansible. Subscribe to the YouTube channel, Medium, Website, Twitter, and Substack to not miss the next episode of the Ansible Pilot.
Academy
Learn the Ansible automation technology with some real-life examples in my
My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Donate
Want to keep this project going? Please donate
