Chapter 10. Deploying the same SELinux configuration on multiple systems
This section provides two recommended ways for deploying your verified SELinux configuration on multiple systems:
- Using RHEL System Roles and Ansible
- Using the semanage export and import commands in your scripts
10.1. Introduction to the selinux System Role
RHEL System Roles is a collection of Ansible roles and modules that provide a consistent configuration interface to remotely manage multiple RHEL systems. The selinux System Role enables the following actions:
- Cleaning local policy modifications related to SELinux booleans, file contexts, ports, and logins.
- Setting SELinux policy booleans, file contexts, ports, and logins.
- Restoring file contexts on specified files or directories.
- Managing SELinux modules.
The following table provides an overview of the input variables available in the selinux System Role, together with the command-line tool each variable replaces.
Table 10.1. selinux System Role variables
Role variable | Description | CLI alternative
---|---|---
selinux_policy | Chooses a policy protecting targeted processes or Multi Level Security protection. | SELINUXTYPE in /etc/selinux/config
selinux_state | Switches SELinux modes. | setenforce and SELINUX in /etc/selinux/config
selinux_booleans | Enables and disables SELinux booleans. | setsebool
selinux_fcontexts | Adds or removes a SELinux file context mapping. | semanage fcontext
selinux_restore_dirs | Restores SELinux labels in the file-system tree. | restorecon -R
selinux_ports | Sets SELinux labels on ports. | semanage port
selinux_logins | Maps Linux users to SELinux users. | semanage login
selinux_modules | Installs, enables, disables, or removes SELinux modules. | semodule
The /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml example playbook installed by the rhel-system-roles package demonstrates how to set the targeted policy in enforcing mode. The playbook also applies several local policy modifications and restores file contexts in the /tmp/test_dir/ directory.
For a detailed reference on selinux role variables, install the rhel-system-roles package, and see the README.md or README.html files in the /usr/share/doc/rhel-system-roles/selinux/ directory.
10.2. Using the selinux System Role to apply SELinux settings on multiple systems
Follow the steps to prepare and apply an Ansible playbook with your verified SELinux settings.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
- The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.
Procedure
1. Prepare your playbook. You can either start from scratch or modify the example playbook installed as a part of the rhel-system-roles package:

    # cp /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml my-selinux-playbook.yml
    # vi my-selinux-playbook.yml

2. Change the content of the playbook to fit your scenario. For example, the following part ensures that the system installs and enables the selinux-local-1.pp SELinux module at priority 400:

    selinux_modules:
      - { path: "selinux-local-1.pp", priority: "400" }

3. Save the changes, and exit the text editor.
4. Run your playbook on the host1, host2, and host3 systems:

    # ansible-playbook -i host1,host2,host3 my-selinux-playbook.yml
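The following playbook is an added example for this section; it is not the example-selinux-playbook.yml shipped in the rhel-system-roles package. It uses every variable from Table 10.1, so each CLI alternative from the table appears as a comment next to the role variable that replaces it, and it handles the one case the role cannot complete on its own: moving a host from disabled to enforcing requires a file-system relabel and a reboot, after which the role has to run again. The host group webservers, the sar-user login, TCP port 8443, the /srv/www path and the selinux-local-1.pp module file are assumptions made for the example.

```yaml
---
# Added example, not the playbook shipped in rhel-system-roles.
# Assumed: inventory group 'webservers', user 'sar-user', port 8443,
# directory /srv/www and a module file selinux-local-1.pp next to the playbook.
- name: Apply a verified SELinux configuration to all web servers
  hosts: webservers
  become: true
  vars:
    # SELINUXTYPE= and SELINUX= in /etc/selinux/config
    selinux_policy: targeted
    selinux_state: enforcing

    # setsebool -P <boolean> on|off; 'persistent: yes' writes to the policy store
    selinux_booleans:
      - { name: 'httpd_can_network_connect_db', state: 'on', persistent: 'yes' }
      - { name: 'httpd_enable_homedirs', state: 'off', persistent: 'yes' }

    # semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
    selinux_fcontexts:
      - { target: '/srv/www(/.*)?', setype: 'httpd_sys_content_t', ftype: 'a', state: 'present' }

    # restorecon -R /srv/www, so files already on disk pick up the new mapping
    selinux_restore_dirs:
      - /srv/www

    # semanage port -a -t http_port_t -p tcp 8443
    selinux_ports:
      - { ports: '8443', proto: 'tcp', setype: 'http_port_t', state: 'present' }

    # semanage login -a -s staff_u -r 's0-s0:c0.c1023' sar-user
    selinux_logins:
      - { login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }

    # semodule -X 400 -i selinux-local-1.pp; the role copies the file from the control node
    selinux_modules:
      - { path: 'selinux-local-1.pp', priority: '400' }

  tasks:
    - name: Run the selinux role and handle a required relabel
      block:
        - name: Apply the SELinux settings
          ansible.builtin.include_role:
            name: rhel-system-roles.selinux
      rescue:
        # When a host goes from disabled to enforcing, the role fails and sets
        # selinux_reboot_required. Any other failure is a real error.
        - name: Fail for any reason other than a pending relabel
          ansible.builtin.fail:
            msg: "The selinux role failed on {{ inventory_hostname }}"
          when: not (selinux_reboot_required | default(false))

        - name: Reboot so the file system is relabeled
          ansible.builtin.reboot:
            reboot_timeout: 600

        - name: Re-apply the SELinux settings after the relabel
          ansible.builtin.include_role:
            name: rhel-system-roles.selinux

    # Final check: every host must report the mode the playbook asked for
    - name: Confirm that SELinux is enforcing
      ansible.builtin.command: getenforce
      register: selinux_mode
      changed_when: false
      failed_when: selinux_mode.stdout != 'Enforcing'
```

Run it the same way as the procedure above, for example `ansible-playbook -i inventory my-selinux-playbook.yml`. The rescue block is what makes the playbook safe to run on a mixed fleet: hosts that are already enforcing are configured in one pass, hosts that were disabled are relabeled, rebooted and configured on the second pass, and anything else that fails stops the play instead of being retried.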
Additional resources
- For more information, install the rhel-system-roles package, and see the /usr/share/doc/rhel-system-roles/selinux/ and /usr/share/ansible/roles/rhel-system-roles.selinux/ directories.
10.3. Transferring SELinux settings to another system with semanage
Use the following steps for transferring your custom and verified SELinux settings between RHEL 8-based systems. Note that the file written by semanage export begins with a -D (delete all) entry for each object class, followed by your local customizations, so semanage import replaces the local customizations of the new system instead of merging with them. Review the exported file before importing it on a system that already has its own local modifications, and make sure both systems use the same policy type, because the exported types must exist in the policy on the new system.
Prerequisites
- The policycoreutils-python-utils package is installed on both systems.
Procedure
1. Export your verified SELinux settings:

    # semanage export -f ./my-selinux-settings.mod

2. Copy the file with the settings to the home directory of root on the new system, so that the next steps find it in the current directory:

    # scp ./my-selinux-settings.mod root@new-system-hostname:

3. Log in on the new system:

    $ ssh root@new-system-hostname

4. Import the settings on the new system:

    new-system-hostname# semanage import -f ./my-selinux-settings.mod
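When the same settings have to reach many systems, the export, copy and import steps above can be scripted. The following playbook is an added example, not part of the original page or of the rhel-system-roles package: it exports from one reference host, imports on every target, and then verifies the result by exporting again on each target and comparing with the reference file, which a manual import does not give you. The inventory group names selinux_reference and selinux_targets, the file name my-selinux-settings.mod and the path /root/ on the targets are assumptions. It relies on semanage export writing to standard output when -f is omitted.

```yaml
---
# Added example, not from the original page. Assumed inventory groups:
# 'selinux_reference' (exactly one host) and 'selinux_targets'.
- name: Export local SELinux customizations from the reference host
  hosts: selinux_reference
  become: true
  tasks:
    - name: Make sure semanage is available
      ansible.builtin.package:
        name: policycoreutils-python-utils
        state: present

    # Without -f, semanage export writes the settings to stdout
    - name: Export local customizations
      ansible.builtin.command: semanage export
      register: semanage_export
      changed_when: false

    # Keep the reference copy on the control node, readable only by the operator
    - name: Save the export on the control node
      ansible.builtin.copy:
        content: "{{ semanage_export.stdout }}\n"
        dest: "{{ playbook_dir }}/my-selinux-settings.mod"
        mode: '0600'
      delegate_to: localhost
      become: false

- name: Import the customizations on every target and verify them
  hosts: selinux_targets
  become: true
  tasks:
    - name: Make sure semanage is available
      ansible.builtin.package:
        name: policycoreutils-python-utils
        state: present

    # The exported file must use the same policy type as the target
    - name: Refuse to import into a different policy type
      ansible.builtin.assert:
        that:
          - ansible_facts['selinux']['type'] == hostvars[groups['selinux_reference'][0]]['ansible_facts']['selinux']['type']
        fail_msg: "Policy type on {{ inventory_hostname }} differs from the reference host"

    - name: Copy the settings file to the target
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/my-selinux-settings.mod"
        dest: /root/my-selinux-settings.mod
        owner: root
        group: root
        mode: '0600'

    # The file starts with '<class> -D' lines, so this replaces, not merges,
    # the local customizations already present on the target
    - name: Import the settings
      ansible.builtin.command: semanage import -f /root/my-selinux-settings.mod

    - name: Export again on the target for verification
      ansible.builtin.command: semanage export
      register: target_export
      changed_when: false

    # lookup('file') strips the trailing newline, matching the command's stdout
    - name: Fail if the target does not match the reference export
      ansible.builtin.assert:
        that:
          - target_export.stdout == lookup('file', playbook_dir ~ '/my-selinux-settings.mod')
        fail_msg: "SELinux customizations on {{ inventory_hostname }} do not match the reference"
```

The policy-type check uses the selinux facts Ansible gathers by default on both plays, so it works as long as fact gathering is not disabled. The final assertion is the important addition over the manual procedure: because semanage import runs inside one transaction and the export format is deterministic, an identical second export is a direct confirmation that the target now carries exactly the verified settings and nothing else.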
Additional resources
- semanage-export(8) and semanage-import(8) man pages