Set the SELinux Policy States and Modes on Linux - Ansible module selinux

How to automate the setting and verification of the "enforcing" SELinux mode and state with "targeted" policy and relabel the filesystem if necessary on Linux target with Ansible.

December 16, 2021

How to Set the SELinux Policy States and Modes on Linux with Ansible?

I’m going to show you a live demo with some simple Ansible code. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

SELinux Modes and States

• enforcing - enabled, load security policy “targeted” and active
• permissive - enabled, load security policy, log, don’t deny
• disabled - disabled, not load security policy

What is SELinux?

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). Let’s quickly recap the three SELinux Modes: enforcing, permissive and disabled. The “enforce” mode is recommended, SELinux is enabled and fully operates. It applies the security policy to the entire system. Please note that in this mode SELinux is expected to deny some actions that don’t complain about the security policy. You could choose the name of the security policy, most distributions use the “targeted” security policy out-of-the-box. It’s the recommended option for production systems. The “permissive” mode is someway in the middle, SELinux is enabled and load the security policy. It labels objects and emits access denial entries in the logs, but it does not actually deny any operations. This mode is useful in the development and debugging. The “disabled” mode completely disables the SELinux system. This option is discouraged. More advanced user ser set the system running in enforcing mode but individual domain as permissive.

Ansible set the SELinux Policy States and Modes on Linux

• ansible.posix.selinux
• Change policy and the state of SELinux

Today we’re talking about Ansible module selinux. The full name is ansible.posix.selinux, which means that is part of the collection of modules to interact with POSIX systems. It’s a module pretty stable and out for years, it manages SELinux policy. It supports a huge variety of Linux distributions and POSIX systems. It requires libselinux-python or libselinux-python3 library installed on the target system.

Parameters

• state string - enforcing/permissive/disabled - SELinux mode
• policy - “targeted”
• configfile string - “/etc/selinux/config”

Let’s see the parameter of the selinux Ansible module. The only required is “state”, which is the SELinux mode. For this parameter the three options are available: “enforcing”, “permissive”, and “disabled”. When the system is in “enforcing” and “permissive” modes you need to specify also the policy to enable it. The parameter “policy” is designed for this purpose. For example “targeted” policy. By default, all these values apply to the SELinux configuration file saved in the “/etc/selinux/config”. You could customize using the “configfile” parameter.

Links

• https://docs.ansible.com/ansible/latest/collections/ansible/posix/selinux_module.html
• https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/
• https://docs.ansible.com/ansible/latest/collections/community/general/selinux_permissive_module.html

The Best Resources For Ansible

Certifications

• The Linux Foundation Linux Performance Tuning - Build a broad toolkit to optimize Linux performance from the kernel up

• Coursera Pro - Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs—all included in your subscription

Video Course

• Udemy: Learn Ansible Automation in 250+examples & practical lessons: Learn Ansible with some real-life examples of how to use the most common modules and Ansible Playbook

Printed Book

• Ansible For VMware by Examples
  Buy on Amazon Buy on Apress
• Ansible for Kubernetes by Example
  Buy on Amazon Buy on Apress
• Hands-on Ansible Automation
  Buy on Amazon Buy on BPB
• Red Hat Ansible Automation Platform
  Buy on Amazon Buy on BPB

eBooks

• Buy on Leanpub Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
• Buy on Leanpub Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
• Buy on Leanpub Terraform By Example: A Practical Approach for Beginners to Learn Cloud Infrastructure with Terraform
• Buy on Leanpub Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
• Buy on Leanpub Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
• Buy on Leanpub Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
• Buy on Leanpub Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
• Buy on Leanpub Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
• Buy on Leanpub Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
• Buy on Leanpub Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
• Buy on Leanpub Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
• Buy on Leanpub Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios

demo

Set the SELinux Policy States and Modes on Linux with Ansible Playbook.

code

---
- name: selinux module demo
  hosts: all
  become: true
  vars:
    selinux_state: "enforcing"
    selinux_policy: "targeted"
  tasks:
    - name: SELinux policy and state
      ansible.posix.selinux:
        state: "{{ selinux_state }}"
        policy: "{{ selinux_policy }}"
      notify: relabel and reboot
  handlers:
    - name: relabel files on next boot
      ansible.builtin.file:
        path: "/.autorelabel"
        state: touch
      when:
        - selinux_state != 'disabled'
      listen: "relabel and reboot"
    - name: reboot host
      ansible.builtin.reboot:
      listen: "relabel and reboot"execution

execution

$ ansible-playbook -i virtualmachines/demo/inventory selinux/policy_modes.yml
PLAY [selinux module demo] ************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [SELinux policy and state] *******************************************************************
changed: [demo.example.com]
RUNNING HANDLER [relabel files on next boot] ******************************************************
changed: [demo.example.com]
RUNNING HANDLER [reboot host] *********************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

idempotency

$ ansible-playbook -i virtualmachines/demo/inventory selinux/policy_modes.yml
PLAY [selinux module demo] ************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [SELinux policy and state] *******************************************************************
ok: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

before execution

$ ssh [email protected]
[devops@demo ~]$ sudo su
[root@demo devops]# getenforce
Permissive
[root@demo devops]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
[root@demo devops]#

after execution

$ ssh [email protected]
[devops@demo ~]$ sudo su
[root@demo devops]# getenforce 
Enforcing
[root@demo devops]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

code with ❤️ in GitHub

Recap

Now you know how to set the SELinux Policy States and Modes on Linux with Ansible. Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my 200+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

Donate

Want to keep this project going? Please donate

Patreon Buy me a Pizza