Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 23. Configuring SELinux by using RHEL system roles

You can remotely configure and manage SELinux permissions by using the selinux RHEL system role, for example:

  • Cleaning local policy modifications related to SELinux booleans, file contexts, ports, and logins.
  • Setting SELinux policy booleans, file contexts, ports, and logins.
  • Restoring file contexts on specified files or directories.
  • Managing SELinux modules.

There can be multiple cases when files have an incorrect SELinux context. For example, if files are copied or moved to a directory, their SELinux context might not match the new location’s expected context. With an incorrect SELinux context, applications might fail to access the files. To remotely reset the SELinux context on directories on a large number of hosts, you can use the selinux RHEL system role.

Prerequisites

Procedure

  1. Create a playbook file, for example, ~/playbook.yml, with the following content: 

    ---
- name: Managing SELinux
  hosts: managed-node-01.example.com
  tasks:
    - name: Restore SELinux context
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.selinux
      vars:
        selinux_restore_dirs:
          - /var/www/
          - /etc/
    Copy to Clipboard Toggle word wrap

    The settings specified in the example playbook include the following:

    selinux_restore_dirs: <list>
    Defines the list of directories on which the role should reset the SELinux context.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.selinux/README.md file on the control node.

  2. Validate the playbook syntax: 

    $ ansible-playbook --syntax-check ~/playbook.yml
    Copy to Clipboard Toggle word wrap

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook: 

    $ ansible-playbook ~/playbook.yml
    Copy to Clipboard Toggle word wrap

Verification

  • Display the SELinux context for files or directories for which you have reset the context. For example, to display the context on the /var/www/ directory, enter: 

    # ansible rhel10.example.com -m command -a 'ls -ldZ /var/www/'
drwxr-xr-x. 4 root root system_u:object_r:httpd_sys_content_t:s0 33 Feb 28 13:20 /var/www/
    Copy to Clipboard Toggle word wrap

23.2. Managing SELinux network port labels by using the selinux RHEL system role
Copiar o link

If you want to run a service on a non-standard port, you must set the corresponding SELinux type label on this port. This prevents that SELinux denies permission to the service when the service wants to listen on the non-standard port. By using the selinux RHEL system role, you can automate this task and remotely assign a type label on ports.

Prerequisites

Procedure

  1. Create a playbook file, for example, ~/playbook.yml, with the following content: 

    ---
- name: Managing SELinux
  hosts: managed-node-01.example.com
  tasks:
    - name: Set http_port_t label on network port
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.selinux
      vars:
        selinux_ports:
          - ports: <port_number>
            proto: tcp
            setype: http_port_t
            state: present
    Copy to Clipboard Toggle word wrap

    The settings specified in the example playbook include the following:

    ports: <port_number>
    Defines the port numbers to which you want to assign the SELinux label. Separate multiple values by comma.
    setype: <type_label>
    Defines the SELinux type label.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.selinux/README.md file on the control node.

  2. Validate the playbook syntax: 

    $ ansible-playbook --syntax-check ~/playbook.yml
    Copy to Clipboard Toggle word wrap

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook: 

    $ ansible-playbook ~/playbook.yml
    Copy to Clipboard Toggle word wrap

Verification

  • Display the port numbers that have the http_port_t label assigned: 

    # ansible managed-node-01.example.com -m shell -a 'semanage port --list | grep http_port_t'
http_port_t      tcp     80, 81, 443, <port_number>, 488, 8008, 8009, 8443, 9000
    Copy to Clipboard Toggle word wrap

23.3. Deploying an SELinux module by using the selinux RHEL system role
Copiar o link

If the default SELinux policies do not meet your requirements, you can create custom modules to allow your application to access the required resources. By using the selinux RHEL system role, you can automate this process and remotely deploy SELinux modules.

Prerequisites

  • You have prepared the control node and the managed nodes.
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The SELinux module you want to deploy is stored in the same directory as the playbook.

  • The SELinux module is available in the Common Intermediate Language (CIL) or policy package (PP) format.

    If you are using a PP module, ensure that policydb version on the managed nodes is the same or later than the version used to build the PP module.

Procedure

  1. Create a playbook file, for example, ~/playbook.yml, with the following content: 

    ---
- name: Managing SELinux
  hosts: managed-node-01.example.com
  tasks:
    - name: Deploying a SELinux module
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.selinux
      vars:
        selinux_modules:
          - path: <module_file>
	    priority: <value>
            state: enabled
    Copy to Clipboard Toggle word wrap

    The settings specified in the example playbook include the following:

    path: <module_file>
    Sets the path to the module file on the control node.
    priority: <value>
    Sets the SELinux module priority. 400 is the default.
    state: <value>

    Defines the state of the module:

    • enabled: Install or enable the module.
    • disabled: Disable a module.
    • absent: Remove a module.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.selinux/README.md file on the control node.

  2. Validate the playbook syntax: 

    $ ansible-playbook --syntax-check ~/playbook.yml
    Copy to Clipboard Toggle word wrap

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook: 

    $ ansible-playbook ~/playbook.yml
    Copy to Clipboard Toggle word wrap

Verification

  • Remotely display the list of SELinux modules and filter for the one you used in the playbook: 

    # ansible managed-node-01.example.com -m shell -a 'semodule -l | grep <module>'
    Copy to Clipboard Toggle word wrap

    If the module is listed, it is installed and enabled.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat