README.md

Ansible Role jm1.cloudy.selinux

This role helps with managing SELinux from Ansible variables. For example, it allows to toggle SELinux booleans and change the SELinux policy and state. Role variable selinux_config defines a list of tasks which will be run by this role. Each task calls an Ansible module similar to tasks in roles or playbooks except that only few keywords such as when are supported. For example, to put SELinux in permissive mode so that actions will be logged instead of being blocked, define variable selinux_config in group_vars or host_vars as such:

selinux_config:
- # Put SELinux in permissive mode, logging actions that would otherwise be blocked
  ansible.posix.selinux:
    policy: targeted
    state: permissive

⚠️ WARNING: On systems without SELinux such as Debian or Ubuntu, packages for SELinux have to be installed first, e.g. refer to the SELinux pages on the Debian Wiki or Ubuntu Wiki. This role will not install SELinux because presumably additional configuration is required to configure SELinux on such systems. :warning:

When this role is executed, it will run all tasks listed in selinux_config.

Tested OS images

• Cloud image (amd64) of Debian 10 (Buster)
• Cloud image (amd64) of Debian 11 (Bullseye)
• Cloud image (amd64) of Debian 12 (Bookworm)
• Cloud image (amd64) of Debian 13 (Trixie)
• Cloud image (amd64) of CentOS 7 (Core)
• Cloud image (amd64) of CentOS 8 (Stream)
• Cloud image (amd64) of CentOS 9 (Stream)
• Cloud image (amd64) of Fedora Cloud Base 40
• Cloud image (amd64) of Ubuntu 18.04 LTS (Bionic Beaver)
• Cloud image (amd64) of Ubuntu 20.04 LTS (Focal Fossa)
• Cloud image (amd64) of Ubuntu 22.04 LTS (Jammy Jellyfish)
• Cloud image (amd64) of Ubuntu 24.04 LTS (Noble Numbat)

Available on Ansible Galaxy in Collection jm1.cloudy.

Requirements

This role uses module(s) from collection jm1.ansible. To install this collection you may follow the steps described in README.md using the provided requirements.yml.

Variables

Name	Default value	Required	Description
selinux_config	[]	false	List of tasks to run 1 2 3, e.g. to toggle SELinux booleans or change SELinux policy and state

Dependencies

None.

Example Playbook

- hosts: all
  become: true
  vars:
    # Variables are listed here for convenience and illustration.
    # In a production setup, variables would be defined e.g. in
    # group_vars and/or host_vars of an Ansible inventory.
    # Ref.:
    # https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html
    # https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
    selinux_config:
    - # Put SELinux in permissive mode, logging actions that would otherwise be blocked
      ansible.posix.selinux:
        policy: targeted
        state: permissive
  roles:
  - name: Manage SELinux booleans, policy and state
    role: jm1.cloudy.selinux
    tags: ["jm1.cloudy.selinux"]

For instructions on how to run Ansible playbooks have look at Ansible's Getting Started Guide.

License

GNU General Public License v3.0 or later

See LICENSE.md to see the full text.

Author

Jakob Meng @jm1 (github, galaxy, web)

Footnotes

1. Useful Ansible modules in this context could be seboolean and selinux. ↩

2. Tasks will be executed with jm1.ansible.execute_module which supports keyword when only. ↩

3. Tasks will be executed with jm1.ansible.execute_module which supports modules and action plugins only. Some Ansible modules such as ansible.builtin.meta and ansible.builtin.{include,import}_{playbook,role,tasks} are core features of Ansible, in fact not implemented as modules and thus cannot be called from jm1.ansible.execute_module. Doing so causes Ansible to raise errors such as MODULE FAILURE\nSee stdout/stderr for the exact error. In addition, Ansible does not support free-form parameters for arbitrary modules, so for example, change from - debug: msg="" to - debug: { msg: "" }. ↩