Skip to main content

Set SELinux enforcing mode with Ansible

Use Ansible to set SELinux to enforcing mode on your managed nodes.
Image
How to set SELinux to enforcing mode

Photo by Andrew Neel from Pexels

It's recommended to ensure that Security-Enhanced Linux (SELinux) is running in enforcing mode on all your systems. However, some people in your organization may set it to permissive mode (or worse, disabled) rather than troubleshooting and fixing issues. You must reset it back to enforcing mode and make sure that all hosts are similarly configured. Ansible is your solution.

[ You might also like: Accessing SELinux policy documentation ]

Use Ansible to set enforcing mode

The following playbook enables SELinux and uses the included targeted policy:

---
- hosts: all
  tasks:
  - name: Enable SELinux in enforcing mode
    ansible.posix.selinux:
      policy: targeted
      state: enforcing

For this playbook to work, you must have the ansible-collection-ansible-posix package installed. You can install it using your package manager. For instance, on Fedora or Red Hat Enterprise Linux:

$ sudo dnf install ansible-collection-ansible-posix

Call this playbook selinux_enforcing.yml. The following cronjob from /etc/crontab runs this playbook once daily at 6:45 AM:

# /etc/crontab: system-wide crontab
 
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 

45 6 * * * root ansible-playbook selinux_enforcing.yml

You can now feel confident that SELinux modes will be reset to enforcing on all managed nodes to which this playbook is applied.

Wrap up

While it may be useful to temporarily set SELinux to permissive mode for initial troubleshooting, this likely violates your corporate security policies. Sometimes administrators will leave permissive mode in place, either deliberately or accidentally. You can use Ansible to ensure that SELinux is set to enforcing mode for all managed nodes. 

[ Improve your skills in managing and using SELinux with this helpful guide. ] 

Check out these related articles on Enable Sysadmin

Topics:   Linux   Linux administration   Security  
Author’s photo

Jörg Kastning

Jörg has been a Sysadmin for over ten years now. His fields of operation include Virtualization (VMware), Linux System Administration and Automation (RHEL), Firewalling (Forcepoint), and Loadbalancing (F5). More about me

On Demand: Red Hat Summit 2021 Virtual Experience

Relive our April event with demos, keynotes, and technical sessions from
experts, all available on demand.

Related Content

OUR BEST CONTENT, DELIVERED TO YOUR INBOX