Essentially provide mechanisms to manage local customizations:

• Set enforcing/permissive
• restorecon portions of filesystem tree
• Set/Get Booleans
• Set/Get file contexts
• Manage logins
• Manage ports

selinux: Configures the SELinux mode and policy.

seboolean: Toggles SELinux booleans.

sefcontext: Manages SELinux file context mapping definitions Similar to the semanage fcontext command.

seport: Manages SELinux network port type definitions.

selogin: Manages linux user to SELinux user mapping

The general usage is demonstrated in selinux-playbook.yml playbook.

This role can be configured using variables as it is described below.

vars:
  [ see below ]
roles:
  - role: linux-system-roles.selinux
    become: true

By default, the modifications specified in selinux_booleans, selinux_fcontexts, selinux_ports and selinux_logins are applied on top of pre-existing modifications. To purge local modifications prior to setting new ones, set following variables to true:

• SELinux booleans: selinux_booleans_purge
• SELinux file contexts: selinux_fcontexts_purge
• SELinux ports: selinux_ports_purge
• SELinux user mapping: selinux_logins_purge

You can purge all modifications by using shorthand:

selinux_all_purge: true

selinux_policy: targeted
selinux_state: enforcing

Allowed values for selinux_state are disabled, enforcing and permissive.

If selinux_state is not set, the SELinux state is not changed. If selinux_policy is not set and SELinux is to be enabled, it defaults to targeted. If SELinux is already enabled, the policy is not changed.

selinux_booleans:
  - { name: 'samba_enable_home_dirs', state: 'on' }
  - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }

selinux_fcontexts:
  - { target: '/tmp/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd', state: 'present' }

Individual modifications can be dropped by setting state to absent.

selinux_ports:
  - { ports: '22100', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }

selinux_restore_dirs:
  - /tmp/test_dir

    selinux_logins:
      - { login: 'plautrba', seuser: 'staff_u', state: 'absent' }
      - { login: '__default__', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }

This custom fact is set to true if system reboot is necessary when SELinux is set from disabled to enabled or vice versa. Otherwise the fact is set to false. In the case that system reboot is needed, it will be indicated by returning failure from the role which needs to be handled using a block:...rescue: construct. The reboot needs to be performed in the playbook, the role itself never reboots the managed host. After the reboot the role needs to be reapplied to finish the changes.