community.general.selogin – Manages Linux user to SELinux user mapping

Note

This plugin is part of the community.general collection (version 3.8.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.selogin.

Synopsis

  • Manages Linux user to SELinux user mapping

Requirements

The below requirements are needed on the host that executes this module.

  • libselinux

  • policycoreutils

Parameters

Parameter

Comments

ignore_selinux_state

boolean

Run independent of the SELinux runtime state.

Choices:

  • no ← (default)

  • yes

login

string / required

A Linux user.

reload

boolean

Reload SELinux policy after commit.

Choices:

  • no

  • yes ← (default)

selevel

aliases: serange

string

MLS/MCS security range (MLS/MCS systems only). The SELinux range for the SELinux login mapping defaults to the SELinux user record range.

Default: “s0”

seuser

string

SELinux user name

state

string

Desired mapping value.

Choices:

  • present ← (default)

  • absent

Notes

  • The changes are persistent across reboots

  • Not tested on any Debian-based system

Examples

- name: Modify the default user on the system to the guest_u user
  community.general.selogin:
    login: __default__
    seuser: guest_u
    state: present

- name: Assign gijoe user on an MLS machine a range and to the staff_u user
  community.general.selogin:
    login: gijoe
    seuser: staff_u
    serange: SystemLow-Secret
    state: present

- name: Assign all users in the engineering group to the staff_u user
  community.general.selogin:
    login: '%engineering'
    seuser: staff_u
    state: present
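
The tasks above only add mappings. The following playbook is an added example, not part of the module's own documentation: it also removes a mapping with state: absent and then checks the result against the output of semanage login -l. The accounts webadmin and tempuser are hypothetical, and the semanage command is assumed to be installed on the target.

```yaml
# Added example; webadmin and tempuser are hypothetical accounts.
- name: Confine interactive logins through SELinux login mappings
  hosts: all
  become: true
  tasks:
    - name: Map the webadmin login to the confined staff_u SELinux user
      community.general.selogin:
        login: webadmin
        seuser: staff_u
        selevel: s0
        state: present

    # With no per-user record, the login is covered by the __default__ mapping.
    - name: Drop the per-user mapping for tempuser
      community.general.selogin:
        login: tempuser
        state: absent

    # Read-only check; assumes the semanage CLI is installed on the target.
    - name: List the current login mappings
      ansible.builtin.command: semanage login -l
      register: login_map
      changed_when: false

    - name: Verify the mappings match the intended state
      ansible.builtin.assert:
        that:
          - login_map.stdout_lines | select('match', '^webadmin +staff_u ') | list | length == 1
          - login_map.stdout_lines | select('match', '^tempuser ') | list | length == 0
        fail_msg: SELinux login mappings differ from the intended state
```

Because the module reports no change when a mapping is already in the requested state, the playbook can be re-run as a drift check.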

Authors

  • Dan Keder (@dankeder)

  • Petr Lautrbach (@bachradsusi)

  • James Cassell (@jamescassell)