Chapter 8. Deploying the same SELinux configuration on multiple systems

This section provides two recommended ways for deploying your verified SELinux configuration on multiple systems:

  • Using RHEL System Roles and Ansible
  • Using semanage export and import commands in your scripts

8.1. Introduction to the SELinux system role

RHEL System Roles is a collection of Ansible roles and modules that provide a consistent configuration interface to remotely manage multiple RHEL systems. The SELinux system role enables the following actions:

  • Cleaning local policy modifications related to SELinux booleans, file contexts, ports, and logins.
  • Setting SELinux policy booleans, file contexts, ports, and logins.
  • Restoring file contexts on specified files or directories.

The following table provides an overview of input variables available in the SELinux system role.

Table 8.1. SELinux system role variables

Role variableDescriptionCLI alternative

selinux_policy

Chooses a policy protecting targeted processes or Multi Level Security protection.

SELINUXTYPE in /etc/selinux/config

selinux_state

Switches SELinux modes. See ansible-doc selinux

setenforce and SELINUX in /etc/selinux/config.

selinux_booleans

Enables and disables SELinux booleans. See ansible-doc seboolean.

setsebool

selinux_fcontexts

Adds or removes a SELinux file context mapping. See ansible-doc sefcontext.

semanage fcontext

selinux_restore_dirs

Restores SELinux labels in the file-system tree.

restorecon -R

selinux_ports

Sets SELinux labels on ports. See ansible-doc seport.

semanage port

selinux_logins

Sets users to SELinux user mapping. See ansible-doc selogin.

semanage login

The /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml example playbook installed by the rhel-system-roles package demonstrates how to set the targeted policy in enforcing mode. The playbook also applies several local policy modifications and restores file contexts in the /tmp/test_dir/ directory.

Additional resources

  • For a detailed reference on SELinux role variables, install the rhel-system-roles package, and see the README.md or README.html files in the /usr/share/doc/rhel-system-roles/selinux/ directory.
  • For more information on RHEL System Roles, see Introduction to RHEL System Roles

8.2. Using the SELinux system role to apply SELinux settings on multiple systems

Follow the steps to prepare and apply an Ansible playbook with your verified SELinux settings.

Prerequisites

Procedure

  1. Enable the RHEL Ansible repository, for example:

    # subscription-manager repos --enable ansible-2-for-rhel-8-x86_64-rpms
  2. Install Ansible Engine:

    # yum install ansible
  3. Install RHEL system roles:

    # yum install rhel-system-roles
  4. Apply your playbook with an SELinux system role.

    The following command applies an example playbook, which is a part of the rhel-system-roles package. You can use this playbook as a template:

    # ansible-playbook -i host1,host2,host3 /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml

Additional resources

  • For more information, install the rhel-system-roles package, and see the /usr/share/doc/rhel-system-roles/selinux/ and /usr/share/ansible/roles/rhel-system-roles.selinux/ directories.

8.3. Transferring SELinux settings to another system with semanage

Use the following steps for transferring your custom and verified SELinux settings between RHEL 8-based systems.

Prerequisites

  • The policycoreutils-python-utils package is installed on your system.

Procedure

  1. Export your verified SELinux settings:

    # semanage export -f ./my-selinux-settings.mod
  2. Copy the file with the settings to the new system:

    # scp ./my-selinux-settings.mod new-system-hostname
  3. Log in on the new system:

    $ ssh root@new-system-hostname
  4. Import the settings on the new system:

    new-system-hostname# semanage import -f ./my-selinux-settings.mod

Additional resources

  • semanage-export(8) and semanage-import(8) man pages