SELinux

Expected functionality

This role essentially provides mechanisms to manage local SELinux customizations:

Available modules in Ansible

selinux: Configures the SELinux mode and policy.

seboolean: Toggles SELinux booleans.

sefcontext: Manages SELinux file context mapping definitions, similar to the semanage fcontext command.

seport: Manages SELinux network port type definitions.

Requirements

See meta/requirements.yml for the requirements. You must install the
requirements before using this role:

ansible-galaxy collection install -vv -r meta/requirements.yml

See
https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#using-meta-requirements-yml
for more information.

Modules provided by this repository

Usage

The general usage is demonstrated in selinux-playbook.yml playbook.

selinux role

This role can be configured using the variables described below.

vars:
  [ see below ]
roles:
  - role: fedora.linux_system_roles.selinux
    become: true

purge local modifications

By default, the modifications specified in selinux_booleans, selinux_fcontexts,
selinux_ports and selinux_logins are applied on top of pre-existing modifications.
To purge local modifications before setting new ones, set the following variables to true:

You can purge all modifications by using the shorthand:

selinux_all_purge: true

set SELinux policy type and mode

selinux_policy: targeted
selinux_state: enforcing

Allowed values for selinux_state are disabled, enforcing and permissive.

If selinux_state is not set, the SELinux state is not changed.
If selinux_policy is not set and SELinux is to be enabled, it defaults to targeted.
If SELinux is already enabled, the policy is not changed.

set SELinux booleans

selinux_booleans:
  - { name: 'samba_enable_home_dirs', state: 'on' }
  - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }

Set SELinux file contexts

selinux_fcontexts:
  - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }

Individual modifications can be dropped by setting state to absent.

Set SELinux ports

selinux_ports:
  - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }

run restorecon on filesystem trees

selinux_restore_dirs:
  - /tmp/test_dir

Set linux user to SELinux user mapping

selinux_logins:
  - { login: 'plautrba', seuser: 'staff_u', state: 'absent' }
  - { login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }

Manage SELinux modules

SELinux modules can be maintained using the selinux_modules variable, which contains a list of dictionaries, e.g.:

selinux_modules:
  - { path: 'localmodule.pp', state: 'enabled' }
  - { path: 'localmodule.cil', priority: '350', state: 'enabled' }
  - { name: 'unconfineduser', state: 'disabled' }
  - { name: 'localmodule', priority: '350', state: 'absent' }

Note: Building modules from source on managed nodes is not supported.
However, in many cases a binary pp or cil module can be used on different systems, provided all of those systems support
the types, classes and permissions used in the module.
In the case of a pp module, it also needs to be built with the lowest policydb module version supported on the target systems,
i.e. on the oldest system.

Note: Module priorities are ignored on Red Hat Enterprise Linux 6.

Ansible Facts

selinux_reboot_required

This custom fact is set to true if a system reboot is necessary, which is the case when SELinux is switched from disabled to enabled or vice versa. Otherwise the fact is set to false. When a reboot is needed, the role indicates this by returning a failure, which must be handled in the playbook using a block/rescue construct. The reboot itself has to be performed by the playbook; the role never reboots the managed host. After the reboot, the role needs to be applied again to finish the changes.
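The following playbook is an added example (not the role's own selinux-playbook.yml) of the block/rescue pattern described above: it applies the role with the variables documented on this page, and if the role fails only because a reboot is pending, it reboots the host and re-applies the role. The role name fedora.linux_system_roles.selinux is the one given under Usage; the `default(false)` guard assumes the fact may be undefined if the role failed before setting it.

```yaml
# Added example, not part of the role: enforce SELinux and handle the
# "reboot required" failure the role reports via selinux_reboot_required.
- name: Enforce SELinux with a reboot-aware block/rescue
  hosts: all
  become: true
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
    # Purge pre-existing local customizations so the host ends up with
    # exactly the booleans, contexts and ports listed here.
    selinux_all_purge: true
    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
    selinux_fcontexts:
      - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }
    selinux_restore_dirs:
      - /tmp/test_dir
    selinux_ports:
      - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
  tasks:
    - name: Execute the role and catch the reboot-required failure
      block:
        - name: Apply the selinux role
          ansible.builtin.include_role:
            name: fedora.linux_system_roles.selinux
      rescue:
        # Any failure that is not a pending reboot is a real error: re-raise it
        # instead of blindly rebooting the host. The fact may be undefined if
        # the role failed before setting it, hence the default(false).
        - name: Fail on errors that are not a pending reboot
          ansible.builtin.fail:
            msg: "selinux role failed for a reason other than a required reboot"
          when: not (selinux_reboot_required | default(false))

        - name: Reboot the managed host to switch the SELinux state
          ansible.builtin.reboot:

        - name: Reapply the selinux role after the reboot to finish the changes
          ansible.builtin.include_role:
            name: fedora.linux_system_roles.selinux
```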

selinux_installed_modules

This custom fact represents the SELinux module store structure:

selinux_installed_modules = {
  <module name>: {
    <module priority>: ("enabled"|"disabled"),
    ...
  },
  ...
}

e.g.

"ansible_facts": {
  "selinux_installed_modules": {
    "abrt": {
      "100": "enabled",
      "400": "disabled"
    },
    "accountsd": {
      "100": "enabled"
    },
    "acct": {
      "100": "enabled"
    }
  }
}

NOTE: Module priority is set to "0" when priorities are not supported, e.g. on Red Hat Enterprise Linux 6.