sefcontext – Manages SELinux file context mapping definitions
New in version 2.2.
Synopsis
- Manages SELinux file context mapping definitions.
- Similar to the semanage fcontext command.
Requirements
The below requirements are needed on the host that executes this module.
- libselinux-python
- policycoreutils-python
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
ftype (string) | Default: "a" | File type. The following file type options can be passed: a for all files, b for block devices, c for character devices, d for directories, f for regular files, l for symbolic links, p for named pipes, s for socket files. |
reload (boolean) | | Reload SELinux policy after commit. Note that this does not apply SELinux file contexts to existing files. |
selevel (string) | | SELinux range for the specified target. aliases: serange |
setype (- / required) | | SELinux type for the specified target. |
seuser (string) | | SELinux user for the specified target. |
state (string) | | Whether the SELinux file context must be absent or present. |
target (string / required) | | Target path (expression). aliases: path |
Notes
- The changes are persistent across reboots.
- The sefcontext module does not modify existing files to the new SELinux context(s), so it is advisable to first create the SELinux file contexts before creating files, or run restorecon manually for the existing files that require the new SELinux file contexts.
- Not applying SELinux fcontexts to existing files is a deliberate decision, as it would be unclear what reported changes would entail, and there is no guarantee that applying SELinux fcontexts does not pick up other unrelated prior changes.
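Examples
```yaml
# The target is a regular expression: the directory itself and everything below it.
- name: Allow apache to modify files in /srv/git_repos
  sefcontext:
    target: '/srv/git_repos(/.*)?'
    setype: httpd_git_rw_content_t
    state: present

# sefcontext only records the mapping; restorecon applies it to existing files.
- name: Apply new SELinux file context to filesystem
  command: restorecon -irv /srv/git_repos
```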
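
Because sefcontext records the mapping but leaves existing files untouched, a play can relabel only when the mapping changes and then check that nothing is left with a stale label. This is an added example, not part of the Ansible documentation; the host group, handler name and play layout are assumptions.

```yaml
# Added example: host group, handler name and play layout are assumptions.
- hosts: webservers
  become: true
  tasks:
    - name: Map /srv/git_repos to httpd_git_rw_content_t
      sefcontext:
        target: '/srv/git_repos(/.*)?'
        setype: httpd_git_rw_content_t
        state: present
      notify: Relabel git repos

    # Run the relabel now (if it was notified) so the audit below sees the result.
    - meta: flush_handlers

    # -n makes restorecon a passive check: combined with -v it lists every file
    # whose label differs from the policy, without changing anything.
    - name: Audit for files whose label differs from the mapping
      command: restorecon -Rnv /srv/git_repos
      register: label_audit
      changed_when: false

    - name: Fail if any file still carries a stale label
      assert:
        that: label_audit.stdout | length == 0
        msg: "Mislabelled files:\n{{ label_audit.stdout }}"

  handlers:
    # Runs only when the sefcontext task reported a change.
    - name: Relabel git repos
      command: restorecon -irv /srv/git_repos
```

The audit task is read-only, so it can also be run on its own to detect label drift on hosts where the mapping was applied earlier.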
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Dag Wieers (@dagwieers)