It's recommended to ensure that Security-Enhanced Linux (SELinux) is running in enforcing mode on all your systems. However, some people in your organization may set it to permissive mode (or worse, disabled) rather than troubleshooting and fixing issues. You must reset it back to enforcing mode and make sure that all hosts are similarly configured. Ansible is your solution.
[ You might also like: Accessing SELinux policy documentation ]
Use Ansible to set enforcing mode
The following playbook enables SELinux and uses the included targeted policy:
---
- hosts: all
tasks:
- name: Enable SELinux in enforcing mode
ansible.posix.selinux:
policy: targeted
state: enforcing
For this playbook to work, you must have the ansible-collection-ansible-posix package installed. You can install it using your package manager. For instance, on Fedora or Red Hat Enterprise Linux:
$ sudo dnf install ansible-collection-ansible-posix
Call this playbook selinux_enforcing.yml. The following cronjob from /etc/crontab runs this playbook once daily at 6:45 AM:
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
45 6 * * * root ansible-playbook selinux_enforcing.yml
You can now feel confident that SELinux modes will be reset to enforcing on all managed nodes to which this playbook is applied.
Wrap up
While it may be useful to temporarily set SELinux to permissive mode for initial troubleshooting, this likely violates your corporate security policies. Sometimes administrators will leave permissive mode in place, either deliberately or accidentally. You can use Ansible to ensure that SELinux is set to enforcing mode for all managed nodes.
[ Improve your skills in managing and using SELinux with this helpful guide. ]
About the author
Jörg has been a Sysadmin for over ten years now. His fields of operation include Virtualization (VMware), Linux System Administration and Automation (RHEL), Firewalling (Forcepoint), and Loadbalancing (F5). He is a member of the Red Hat Accelerators Community and author of his personal blog at https://www.my-it-brain.de.
More like this
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit