Managing SELinux Properties
SELinux is an important component in the security of any Linux system. The context type set on a file determines which processes may access it; context can also be set on ports, and many SELinux behaviors are switched on or off with Booleans. Ansible has a few modules that allow you to make changes to the SELinux configuration; they are listed in Table 8-3.
Table 8-3 Modules for Managing Changes on SELinux

| Module | Use |
|---|---|
| file | Manages context on files but not in the SELinux policy |
| sefcontext | Manages file context in the SELinux policy |
| command | Is required to run the restorecon command after using sefcontext |
| selinux | Manages current SELinux state |
| seboolean | Manages SELinux Booleans |
Managing SELinux File Context
The essential thing to understand when working with SELinux to secure files is that the context type set on a file defines which processes can work with that file. The file context type can be set on a file directly, or it can be recorded in the SELinux policy.
When you’re working with SELinux, all of its properties should be set in the SELinux policy. To do this, you use the Ansible sefcontext module. Setting a context type in the policy doesn’t automatically apply it to files though. You still need to run the Linux restorecon command to do this. Ansible does not offer a module to run this command; it needs to be invoked using the command module.
As an alternative, you can use the file module to set SELinux context. The disadvantage of this approach is that the context is set directly on the file, not in the SELinux policy. As a result, if at any time default context is applied from the policy to the file system, all context that has been set with the Ansible file module risks being overwritten. For that reason, the recommended way to manage SELinux context in Ansible is to use the sefcontext module.
To be able to work with the Ansible sefcontext module and the Linux restorecon command, you also need to make sure that the appropriate software is installed on Linux. This software comes from the policycoreutils-python-utils RPM package, which is not installed by default in all installation patterns.
Listing 8-11 shows a sample playbook that uses this module to manage SELinux context type.
Listing 8-11 Managing SELinux Context with sefcontext
```yaml
---
- name: show selinux
  hosts: all
  tasks:
  - name: install required packages
    yum:
      name: policycoreutils-python-utils
      state: present
  - name: create testfile
    file:
      name: /tmp/selinux
      state: touch
  - name: set selinux context
    sefcontext:
      target: /tmp/selinux
      setype: httpd_sys_content_t
      state: present
    notify:
    - run restorecon
  handlers:
  - name: run restorecon
    command: restorecon -v /tmp/selinux
```
In the sample playbook in Listing 8-11, the required software package is installed first. Next, a test file is created using the file module; then in the next task the sefcontext module is used to write the new context to the policy. If this task results in a change, it triggers a handler that runs the Linux restorecon command by using the command module.
Don’t forget: A handler will run only if the task that triggers it generates a changed status. If the current state already matches the desired state, no changes are applied and the handler won’t run!
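The following playbook is an added example and is not from the book. It applies the same policy-first pattern to a whole directory tree rather than a single file: the sefcontext rule uses a regular expression target so that files created later inherit the right label, the handlers are flushed before a verification step, and matchpathcon -V is used as a read-only check that the labels on disk really match the policy. It assumes the ansible.posix collection is installed on the control node, and the path /srv/www is a hypothetical location chosen for the example.

```yaml
---
# Added example (not the book's listing). Assumes the ansible.posix collection;
# /srv/www is a hypothetical path used only for illustration.
- name: label a web content tree in the SELinux policy and verify it
  hosts: all
  become: true
  vars:
    web_root: /srv/www
  tasks:
    - name: install the tools that sefcontext and restorecon need
      ansible.builtin.yum:
        name: policycoreutils-python-utils
        state: present

    - name: create the content directory
      ansible.builtin.file:
        path: "{{ web_root }}"
        state: directory
        mode: "0755"

    - name: create a sample file (constructed content)
      ansible.builtin.copy:
        dest: "{{ web_root }}/index.html"
        content: "<h1>constructed sample page</h1>\n"
        mode: "0644"

    # The regex target covers the directory and everything below it, so the
    # rule survives a full relabel and applies to files added later.
    - name: record the labelling rule in the policy for the whole tree
      ansible.posix.sefcontext:
        target: "{{ web_root }}(/.*)?"
        setype: httpd_sys_content_t
        state: present
      notify: relabel web root

    # Handlers normally run at the end of the play; run them now so the
    # verification below sees the relabelled files.
    - name: apply any pending relabel before verifying
      ansible.builtin.meta: flush_handlers

    # matchpathcon -V prints "<path> verified." when the on-disk label
    # matches the policy; anything else is treated as a failure.
    - name: verify the on-disk label matches the policy
      ansible.builtin.command: matchpathcon -V {{ web_root }}/index.html
      register: label_check
      changed_when: false
      failed_when: "'verified' not in label_check.stdout"

  handlers:
    - name: relabel web root
      ansible.builtin.command: restorecon -Rv {{ web_root }}
```

Because the sefcontext task only reports a change when the rule is new, the relabel handler does not run on a second pass; the verification task still runs every time, so a file that was relabelled by hand or restored from a backup with the wrong context is caught rather than silently left with a label the policy does not agree with.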
Applying Generic SELinux Management Tasks
Some additional SELinux-related modules are available as well. The selinux module enables you to set the current state of SELinux to either permissive, enforcing, or disabled. The seboolean module enables you to easily enable or disable functionality in SELinux using Booleans. Listing 8-12 shows an example of a playbook that uses both of these modules.
Listing 8-12 Changing SELinux State and Booleans
```yaml
---
- name: enabling SELinux and a boolean
  hosts: ansible1
  vars:
    myboolean: httpd_read_user_content
  tasks:
  - name: enabling SELinux
    selinux:
      policy: targeted
      state: enforcing
  - name: checking current {{ myboolean }} Boolean status
    shell: getsebool -a | grep {{ myboolean }}
    register: bool_stat
  - name: showing boolean status
    debug:
      msg: the current {{ myboolean }} status is {{ bool_stat.stdout }}
  - name: enabling boolean
    seboolean:
      name: "{{ myboolean }}"
      state: yes
      persistent: yes
```
In the sample playbook in Listing 8-12, to start with, the selinux module is used to ensure that SELinux is in the enforcing state. When using this module, you also have to specify the name of the policy, which in most cases is the targeted policy.
Next, the seboolean module is used to enable a Boolean. As you can see, this Boolean is defined as the variable myboolean. Before the Boolean is enabled, the shell and debug modules are used to show its current status. In Exercise 8-2 you practice working with SELinux.
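The playbook below is an added example, not the book's Listing 8-12. It goes a little beyond that listing in three ways: it reads the current SELinux state from the gathered facts instead of shelling out to getsebool, it reacts to the reboot_required value that the selinux module returns when the state changes from disabled to enforcing, and it manages a list of Booleans with a loop followed by a read-only check. It assumes the ansible.posix collection is installed; the host name ansible1 comes from the book, and the Boolean list is constructed for illustration.

```yaml
---
# Added example (not the book's listing). Assumes the ansible.posix collection.
# The list of Booleans is constructed for illustration only.
- name: enforce SELinux state and a set of Booleans idempotently
  hosts: ansible1
  become: true
  vars:
    selinux_booleans:
      - httpd_read_user_content
      - httpd_can_network_connect_db
  tasks:
    # The setup module gathers ansible_facts.selinux; "mode" is absent when
    # SELinux is disabled, hence the default filter.
    - name: report the state SELinux is in before any change
      ansible.builtin.debug:
        msg: "status={{ ansible_facts.selinux.status }} mode={{ ansible_facts.selinux.mode | default('n/a') }}"

    - name: ensure the targeted policy is enforcing
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      register: selinux_state

    # Going from disabled to enforcing needs a reboot (and a relabel on the
    # way up); the module reports this rather than rebooting on its own.
    - name: reboot only when the module says the change requires it
      ansible.builtin.reboot:
      when: selinux_state.reboot_required | default(false)

    - name: enable each Boolean persistently
      ansible.posix.seboolean:
        name: "{{ item }}"
        state: true
        persistent: true
      loop: "{{ selinux_booleans }}"

    # getsebool prints "<name> --> on"; this task never changes anything and
    # fails if any Boolean is still off.
    - name: confirm each Boolean is on (read-only check)
      ansible.builtin.command: getsebool {{ item }}
      loop: "{{ selinux_booleans }}"
      register: bool_check
      changed_when: false
      failed_when: "' --> on' not in bool_check.stdout"
```

Using persistent: true matters here: without it the Boolean is switched on in the running kernel only and reverts at the next boot, which is exactly the kind of drift the final check would then report.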
