Chapter 6. Configuring SElinux using system roles

6.1. Introduction to the SELinux system role

RHEL System Roles is a collection of Ansible roles and modules that provide a consistent configuration interface to remotely manage multiple RHEL systems. The SELinux system role enables the following actions:

  • Cleaning local policy modifications related to SELinux booleans, file contexts, ports, and logins.
  • Setting SELinux policy booleans, file contexts, ports, and logins.
  • Restoring file contexts on specified files or directories.
  • Managing SELinux modules.

The following table provides an overview of input variables available in the SELinux system role.

Table 6.1. SELinux system role variables

Role variableDescriptionCLI alternative


Chooses a policy protecting targeted processes or Multi Level Security protection.

SELINUXTYPE in /etc/selinux/config


Switches SELinux modes. See ansible-doc selinux

setenforce and SELINUX in /etc/selinux/config.


Enables and disables SELinux booleans. See ansible-doc seboolean.



Adds or removes a SELinux file context mapping. See ansible-doc sefcontext.

semanage fcontext


Restores SELinux labels in the file-system tree.

restorecon -R


Sets SELinux labels on ports. See ansible-doc seport.

semanage port


Sets users to SELinux user mapping. See ansible-doc selogin.

semanage login


Installs, enables, disables, or removes SELinux modules.


The /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml example playbook installed by the rhel-system-roles package demonstrates how to set the targeted policy in enforcing mode. The playbook also applies several local policy modifications and restores file contexts in the /tmp/test_dir/ directory.

For a detailed reference on SELinux role variables, install the rhel-system-roles package, and see the or README.html files in the /usr/share/doc/rhel-system-roles/selinux/ directory.

Additional resources

6.2. Using the SELinux system role to apply SELinux settings on multiple systems

Follow the steps to prepare and apply an Ansible playbook with your verified SELinux settings.



  1. Enable the RHEL Ansible repository, for example:

    # subscription-manager repos --enable ansible-2-for-rhel-8-x86_64-rpms
  2. Install Ansible Engine:

    # yum install ansible
  3. Install RHEL system roles:

    # yum install rhel-system-roles
  4. Prepare your playbook. You can either start from the scratch or modify the example playbook installed as a part of the rhel-system-roles package:

    # cp /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml my-selinux-playbook.yml
    # vi my-selinux-playbook.yml
  5. Change the content of the playbook to fit your scenario. For example, the following part ensures that the system installs and enables the selinux-local-1.pp SELinux module:

    - { path: "selinux-local-1.pp", priority: "400" }
  6. Save the changes, and exit the text editor.
  7. Run your playbook on the host1, host2, and host3 systems:

    # ansible-playbook -i host1,host2,host3 my-selinux-playbook.yml

Additional resources

  • For more information, install the rhel-system-roles package, and see the /usr/share/doc/rhel-system-roles/selinux/ and /usr/share/ansible/roles/rhel-system-roles.selinux/ directories.