community.general.sefcontext module – Manages SELinux file context mapping definitions
Note
This module is part of the community.general collection (version 10.1.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.general.sefcontext
.
Synopsis
Manages SELinux file context mapping definitions.
Similar to the
semanage fcontext
command.
Requirements
The below requirements are needed on the host that executes this module.
libselinux-python
policycoreutils-python
Parameters
Parameter |
Comments |
---|---|
The file type that should have SELinux contexts applied. The following file type options are available:
Choices:
|
|
Useful for scenarios (chrooted environment) that you can’t get the real SELinux state. Choices:
|
|
Reload SELinux policy after commit. Note that this does not apply SELinux file contexts to existing files. Choices:
|
|
SELinux range for the specified Defaults to |
|
SELinux type for the specified |
|
SELinux user for the specified Defaults to |
|
Whether the SELinux file context must be Specifying Choices:
|
|
Target path (expression). |
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
|
Platform: linux |
Target OS/families that can be operated against. |
Notes
Note
The changes are persistent across reboots.
setype
andsubstitute
are mutually exclusive.If
state=present
then one ofsetype
orsubstitute
is mandatory.The community.general.sefcontext module does not modify existing files to the new SELinux context(s), so it is advisable to first create the SELinux file contexts before creating files, or run
restorecon
manually for the existing files that require the new SELinux file contexts.Not applying SELinux fcontexts to existing files is a deliberate decision as it would be unclear what reported changes would entail to, and there’s no guarantee that applying SELinux fcontext does not pick up other unrelated prior changes.
Examples
- name: Allow apache to modify files in /srv/git_repos
community.general.sefcontext:
target: '/srv/git_repos(/.*)?'
setype: httpd_sys_rw_content_t
state: present
- name: Substitute file contexts for path /srv/containers with /var/lib/containers
community.general.sefcontext:
target: /srv/containers
substitute: /var/lib/containers
state: present
- name: Delete file context path substitution for /srv/containers
community.general.sefcontext:
target: /srv/containers
substitute: /var/lib/containers
state: absent
- name: Delete any file context mappings for path /srv/git
community.general.sefcontext:
target: /srv/git
state: absent
- name: Apply new SELinux file context to filesystem
ansible.builtin.command: restorecon -irv /srv/git_repos