How to Enable or Disable SELinux Boolean on Linux with Ansible? I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot. SELinux Booleans - SELinux boolean - changes how SELinux reacts What is SELinux? Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). What are SELinux Booleans? An SELinux boolean is a single string that changes how SELinux reacts. You could find some examples in the following URL: https://www.redhat.com/sysadmin/change-selinux-settings-boolean Ansible Enable or Disable SELinux Boolean on Linux - ansible.posix.seboolean - Toggles SELinux booleans Today we're talking about Ansible module `seboolean`. The full name is `ansible.posix.seboolean`, which means that is part of the collection of modules to interact with POSIX systems. It's a module pretty stable and out for years, it toggles SELinux booleans. It supports a huge variety of Linux distributions and POSIX systems. It requires the `python3-libsemanage` or `libsemanage-python` package installed on the target system. Requirements The `seboolean` module ships in the `ansible.posix` collection. If it is not already available on your control node, install it with `ansible-galaxy`: ```bash ansible-galaxy collection install ansible.posix ``` On the managed node you also need the Python bindings for `libsemanage` so Ansible can read and write boolean state: - RHEL, CentOS, Fedora, AlmaLinux, Rocky Linux: `python3-libsemanage` - older Python 2 systems: `libsemanage-python` The playbook below installs that dependency first, so the same play works on a freshly provisioned host. Parameters - name string - The name of the boolean - state boolean - no/yes - persistent boolean - no/yes - ignore_selinux_state boolean - no/yes Let's see the parameter of the `seboolean` Ansible module. The only mandatory parameters are "name" and "state". The parameter "name" specifies the name of the SELinux boolean that we would like to modify. The parameter "state" allows you to enable or disable the SELinux boolean immediately in the running system. The parameter "persistent" allows you to specify if the state change is going to be applied to the next boot. The special parameter "ignore_selinux_state" is useful for scenarios (chrooted environment) where you can't get the current SELinux state. Links - https://linux.die.net/man/8/apache_selinux - https://www.redhat.com/sysadmin/change-selinux-settings-boolean - https://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#adjusting-the-policy-for-sharing-nfs-and-cifs-volumes-using-selinux-booleans_configuring-selinux-for-applications-and-services-with-non-standard-configurations ## Playbook Enable or Disable SELin