It's recommended to ensure that Security-Enhanced Linux (SELinux) is running in enforcing mode on all your systems. However, some people in your organization may set it to permissive mode (or worse, disabled) rather than troubleshooting and fixing issues. You must reset it back to enforcing mode and make sure that all hosts are similarly configured. Ansible is your solution.
[ You might also like: Accessing SELinux policy documentation ]
Use Ansible to set enforcing mode
The following playbook enables SELinux and uses the included targeted policy:
---
- hosts: all
tasks:
- name: Enable SELinux in enforcing mode
ansible.posix.selinux:
policy: targeted
state: enforcing
For this playbook to work, you must have the ansible-collection-ansible-posix package installed. You can install it using your package manager. For instance, on Fedora or Red Hat Enterprise Linux:
$ sudo dnf install ansible-collection-ansible-posix
Call this playbook selinux_enforcing.yml. The following cronjob from /etc/crontab runs this playbook once daily at 6:45 AM:
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
45 6 * * * root ansible-playbook selinux_enforcing.yml
You can now feel confident that SELinux modes will be reset to enforcing on all managed nodes to which this playbook is applied.
Wrap up
While it may be useful to temporarily set SELinux to permissive mode for initial troubleshooting, this likely violates your corporate security policies. Sometimes administrators will leave permissive mode in place, either deliberately or accidentally. You can use Ansible to ensure that SELinux is set to enforcing mode for all managed nodes.
[ Improve your skills in managing and using SELinux with this helpful guide. ]
