Red Hat SummitChapter 10. Deploying the same SELinux configuration on multiple systems
You can deploy your verified SELinux configuration on multiple systems by using one of the following methods:
- Using RHEL system roles and Ansible
- Using the RHEL web console
-
Using
semanageexport and import commands in your scripts
10.1. Restoring the SELinux context on directories by using the selinux RHEL system role
There can be multiple cases when files have an incorrect SELinux context than. For example, if files are copied or moved to a directory, their SELinux context might not match the new location’s expected context. With an incorrect SELinux context, applications might fail to access the files. To remotely reset the SELinux context on directories on a large number of hosts, you can use the selinux RHEL system role.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudopermissions on them.
Procedure
Create a playbook file, for example
~/playbook.yml, with the following content:Copy to Clipboard Copied! Toggle word wrap Toggle overflow --- - name: Managing SELinux hosts: managed-node-01.example.com tasks: - name: Restore SELinux context ansible.builtin.include_role: name: redhat.rhel_system_roles.selinux vars: selinux_restore_dirs: - /var/www/ - /etc/--- - name: Managing SELinux hosts: managed-node-01.example.com tasks: - name: Restore SELinux context ansible.builtin.include_role: name: redhat.rhel_system_roles.selinux vars: selinux_restore_dirs: - /var/www/ - /etc/The settings specified in the example playbook include the following:
selinux_restore_dirs: <list>- Defines the list of directories on which the role should reset the SELinux context.
For details about all variables used in the playbook, see the
/usr/share/ansible/roles/rhel-system-roles.selinux/README.mdfile on the control node.Validate the playbook syntax:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible-playbook --syntax-check ~/playbook.yml
$ ansible-playbook --syntax-check ~/playbook.ymlNote that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible-playbook ~/playbook.yml
$ ansible-playbook ~/playbook.yml
Verification
Display the SELinux context for files or directories for which you have reset the context. For example, to display the context on the
/var/www/directory, enter:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible rhel9.example.com -m command -a 'ls -ldZ /var/www/'
# ansible rhel9.example.com -m command -a 'ls -ldZ /var/www/' drwxr-xr-x. 4 root root system_u:object_r:httpd_sys_content_t:s0 33 Feb 28 13:20 /var/www/
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.selinux/README.mdfile -
/usr/share/doc/rhel-system-roles/selinux/directory
10.2. Managing SELinux network port labels by using the selinux RHEL system role
If you want to run a service on a non-standard port, you must set the corresponding SELinux type label on this port. This prevents that SELinux denies permission to the service when the service wants to listen on the non-standard port. By using the selinux RHEL system role, you can automate this task and remotely assign a type label on ports.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudopermissions on them.
Procedure
Create a playbook file, for example
~/playbook.yml, with the following content:Copy to Clipboard Copied! Toggle word wrap Toggle overflow --- - name: Managing SELinux hosts: managed-node-01.example.com tasks: - name: Set http_port_t label on network port ansible.builtin.include_role: name: redhat.rhel_system_roles.selinux vars: selinux_ports: - ports: <port_number> proto: tcp setype: http_port_t state: present--- - name: Managing SELinux hosts: managed-node-01.example.com tasks: - name: Set http_port_t label on network port ansible.builtin.include_role: name: redhat.rhel_system_roles.selinux vars: selinux_ports: - ports: <port_number> proto: tcp setype: http_port_t state: presentThe settings specified in the example playbook include the following:
ports: <port_number>- Defines the port numbers to which you want to assign the SELinux label. Separate multiple values by comma.
setype: <type_label>- Defines the SELinux type label.
For details about all variables used in the playbook, see the
/usr/share/ansible/roles/rhel-system-roles.selinux/README.mdfile on the control node.Validate the playbook syntax:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible-playbook --syntax-check ~/playbook.yml
$ ansible-playbook --syntax-check ~/playbook.ymlNote that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible-playbook ~/playbook.yml
$ ansible-playbook ~/playbook.yml
Verification
Display the port numbers that have the
http_port_tlabel assigned:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible managed-node-01.example.com -m shell -a 'semanage port --list | grep http_port_t'
# ansible managed-node-01.example.com -m shell -a 'semanage port --list | grep http_port_t' http_port_t tcp 80, 81, 443, <port_number>, 488, 8008, 8009, 8443, 9000
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.selinux/README.mdfile -
/usr/share/doc/rhel-system-roles/selinux/directory
10.3. Deploying an SELinux module by using the selinux RHEL system role
If the default SELinux policies do not meet your requirements, you can create custom modules to allow your application to access the required resources. By using the selinux RHEL system role, you can automate this process and remotely deploy SELinux modules.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudopermissions on them. - The SELinux module you want to deploy is stored in the same directory as the playbook.
The SELinux module is available in the Common Intermediate Language (CIL) or policy package (PP) format.
If you are using a PP module, ensure that
policydbversion on the managed nodes is the same or later than the version used to build the PP module.
Procedure
Create a playbook file, for example
~/playbook.yml, with the following content:Copy to Clipboard Copied! Toggle word wrap Toggle overflow --- - name: Managing SELinux hosts: managed-node-01.example.com tasks: - name: Deploying a SELinux module ansible.builtin.include_role: name: redhat.rhel_system_roles.selinux vars: selinux_modules: - path: <module_file> priority: <value> state: enabled--- - name: Managing SELinux hosts: managed-node-01.example.com tasks: - name: Deploying a SELinux module ansible.builtin.include_role: name: redhat.rhel_system_roles.selinux vars: selinux_modules: - path: <module_file> priority: <value> state: enabledThe settings specified in the example playbook include the following:
path: <module_file>- Sets the path to the module file on the control node.
priority: <value>-
Sets the SELinux module priority.
400is the default. state: <value>Defines the state of the module:
-
enabled: Install or enable the module. -
disabled: Disable a module. -
absent: Remove a module.
-
For details about all variables used in the playbook, see the
/usr/share/ansible/roles/rhel-system-roles.selinux/README.mdfile on the control node.Validate the playbook syntax:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible-playbook --syntax-check ~/playbook.yml
$ ansible-playbook --syntax-check ~/playbook.ymlNote that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible-playbook ~/playbook.yml
$ ansible-playbook ~/playbook.yml
Verification
Remotely display the list of SELinux modules and filter for the one you used in the playbook:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ansible managed-node-01.example.com -m shell -a 'semodule -l | grep <module>'
# ansible managed-node-01.example.com -m shell -a 'semodule -l | grep <module>'If the module is listed, it is installed and enabled.
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.selinux/README.mdfile -
/usr/share/doc/rhel-system-roles/selinux/directory
10.4. Creating an SELinux configuration Ansible playbook in the web console
In the web console, you can generate a shell script or an Ansible playbook of your SELinux configuration. In case of the Ansible playbook, you can conveniently apply the configuration on multiple systems.
Prerequisites
- You have installed the RHEL 8 web console.
- You have enabled the cockpit service.
Your user account is allowed to log in to the web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 8 web console.
For details, see Logging in to the web console.
- Click SELinux.
Click .
A window with the generated script opens. You can navigate between a shell script and an Ansible playbook generation options tab.
- Click the button to select the script or playbook and apply it.
As a result, you have an automation script that you can apply to more machines.
Additional resources
- Troubleshooting problems related to SELinux
- Deploying the same SELinux configuration on multiple systems
-
ansible-playbook(1)man page on your system
10.5. Transferring SELinux settings to another system with semanage
Use the following steps for transferring your custom and verified SELinux settings between RHEL 8-based systems.
Prerequisites
-
The
policycoreutils-python-utilspackage is installed on your system.
Procedure
Export your verified SELinux settings:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow semanage export -f ./my-selinux-settings.mod
# semanage export -f ./my-selinux-settings.modCopy the file with the settings to the new system:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow scp ./my-selinux-settings.mod new-system-hostname:
# scp ./my-selinux-settings.mod new-system-hostname:Log in on the new system:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ssh root@new-system-hostname
$ ssh root@new-system-hostnameImport the settings on the new system:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow new-system-hostname# semanage import -f ./my-selinux-settings.mod
new-system-hostname# semanage import -f ./my-selinux-settings.mod
Additional resources
-
semanage-export(8)andsemanage-import(8)man pages on your system
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}