ansible.posix.selinux – Change policy and state of SELinux

Note

This plugin is part of the ansible.posix collection (version 1.3.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install ansible.posix.

To use it in a playbook, specify: ansible.posix.selinux.

New in version 1.0.0 of ansible.posix

Synopsis

  • Configures the SELinux mode and policy.

  • A reboot may be required after usage.

  • Ansible will not issue this reboot but will let you know when it is required.

Requirements

The below requirements are needed on the host that executes this module.

  • libselinux-python

Parameters

| Parameter | Choices/Defaults | Comments |
|---|---|---|
| configfile (string) | Default: "/etc/selinux/config" | The path to the SELinux configuration file, if non-standard. aliases: conf, file |
| policy (string) | | The name of the SELinux policy to use (e.g. targeted). Required if state is not disabled. |
| state (string / required) | Choices: disabled, enforcing, permissive | The SELinux mode. |

Examples

- name: Enable SELinux
  ansible.posix.selinux:
    policy: targeted
    state: enforcing

- name: Put SELinux in permissive mode, logging actions that would be blocked.
  ansible.posix.selinux:
    policy: targeted
    state: permissive

- name: Disable SELinux
  ansible.posix.selinux:
    state: disabled

Return Values

Common return values are documented here; the following are the fields unique to this module:

| Key | Returned | Description |
|---|---|---|
| configfile (string) | always | Path to SELinux configuration file. Sample: /etc/selinux/config |
| msg (string) | always | Messages that describe changes that were made. Sample: Config SELinux state changed from 'disabled' to 'permissive' |
| policy (string) | always | Name of the SELinux policy. Sample: targeted |
| reboot_required (boolean) | always | Whether or not a reboot is required for the changes to take effect. Sample: True |
| state (string) | always | SELinux mode. Sample: enforcing |
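
Because the module reports a pending reboot but never performs it, a play has to act on reboot_required itself. The playbook below is an added example, not part of the module's own documentation; the inventory group selinux_hosts and the 900-second timeout are assumptions.

```yaml
# Added example (not from the ansible.posix documentation).
# Assumption: "selinux_hosts" is a hypothetical inventory group.
- name: Enforce SELinux and reboot only when the module asks for it
  hosts: selinux_hosts
  become: true
  tasks:
    - name: Set SELinux to enforcing with the targeted policy
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      register: selinux_result

    - name: Show the change message returned by the module
      ansible.builtin.debug:
        msg: "{{ selinux_result.msg }}"

    # reboot_required is always returned, so it is safe to test directly.
    # The timeout is generous (an assumed value): the first boot after
    # leaving the disabled state may relabel the filesystem.
    - name: Reboot when the module reports reboot_required
      ansible.builtin.reboot:
        reboot_timeout: 900
      when: selinux_result.reboot_required | bool

    # The module edits the config file; getenforce reports what the
    # running kernel is actually doing.
    - name: Read the running SELinux mode
      ansible.builtin.command: getenforce
      register: running_mode
      changed_when: false

    - name: Fail if the running mode does not match the requested state
      ansible.builtin.assert:
        that:
          - running_mode.stdout == "Enforcing"
        fail_msg: >-
          {{ selinux_result.configfile }} requests enforcing, but the
          kernel reports {{ running_mode.stdout }}
```

The final assertion catches the case where the config file was changed but the host is still running in its previous mode.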


Authors