Set SELinux enforcing mode with Ansible

It's recommended to ensure that Security-Enhanced Linux (SELinux) is running in enforcing mode on all your systems. However, some people in your organization may set it to permissive mode (or worse, disabled) rather than troubleshooting and fixing issues. You must reset it back to enforcing mode and make sure that all hosts are similarly configured. Ansible is your solution.

[ You might also like: Accessing SELinux policy documentation ]

Use Ansible to set enforcing mode

The following playbook enables SELinux and uses the included targeted policy:

---
- hosts: all
  tasks:
  - name: Enable SELinux in enforcing mode
    ansible.posix.selinux:
      policy: targeted
      state: enforcing

For this playbook to work, you must have the ansible-collection-ansible-posix package installed. You can install it using your package manager. For instance, on Fedora or Red Hat Enterprise Linux:

$ sudo dnf install ansible-collection-ansible-posix

Call this playbook selinux_enforcing.yml. The following cronjob from /etc/crontab runs this playbook once daily at 6:45 AM:

# /etc/crontab: system-wide crontab
 
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 

45 6 * * * root ansible-playbook selinux_enforcing.yml

You can now feel confident that SELinux modes will be reset to enforcing on all managed nodes to which this playbook is applied.

Wrap up

While it may be useful to temporarily set SELinux to permissive mode for initial troubleshooting, this likely violates your corporate security policies. Sometimes administrators will leave permissive mode in place, either deliberately or accidentally. You can use Ansible to ensure that SELinux is set to enforcing mode for all managed nodes. 

[ Improve your skills in managing and using SELinux with this helpful guide. ]