Installing and Enabling SELinux with Ansible on RHEL 8

Learn how to use Ansible to install, configure, and enable SELinux on RHEL 8. Ensure security and compliance through automation.

Installing and Enabling SELinux with Ansible on RHEL 8

January 29, 2025
Posted by Luca Berton
ansible, selinux, rhel8, automation, devops, infrastructure as code, security

SELinux (Security-Enhanced Linux) is a vital security feature in RHEL 8 that enforces mandatory access control (MAC). This guide demonstrates how to automate the installation and configuration of SELinux using Ansible.

Why Enable SELinux?

SELinux provides enhanced security by restricting access based on policies. It prevents unauthorized access and mitigates security risks.

Key Benefits of SELinux:

Mandatory Access Control (MAC): Restricts access based on predefined security policies.
Process Isolation: Prevents unauthorized processes from accessing sensitive resources.
Enhanced Security: Reduces the attack surface in enterprise environments.

Prerequisites

Before running the Ansible playbook, ensure:

You have a control node with Ansible installed.
The target system (RHEL 8) is accessible via SSH.
You have sudo/root privileges on the target machine.

Writing an Ansible Playbook to Install SELinux

1. Installing SELinux Packages

We need to ensure that the necessary SELinux packages are installed on the target system.

- name: Ensure SELinux packages are installed
  yum:
    name:
      - libselinux
      - libselinux-utils
      - libsemanage
      - policycoreutils
      - policycoreutils-python-utils
    state: present

2. Configuring SELinux Mode

The SELinux configuration file (/etc/selinux/config) needs to be modified to set the mode to enforcing.

- name: Ensure SELinux is set to enforcing
  lineinfile:
    path: /etc/selinux/config
    regexp: '^SELINUX='
    line: 'SELINUX=enforcing'
    backup: yes

3. Checking Current SELinux Status

Before enabling SELinux, check its current mode.

- name: Get current SELinux mode
  command: getenforce
  register: selinux_mode
  changed_when: false
  ignore_errors: true

4. Enabling SELinux if Not Already Enforcing

If SELinux is not in enforcing mode, we enable it dynamically.

- name: Enable SELinux enforcing mode if not already enabled
  command: setenforce 1
  when: selinux_mode.stdout != "Enforcing"
  ignore_errors: true

5. Rebooting the System if SELinux Was Disabled

If SELinux was disabled, the system needs a reboot to fully enable it.

- name: Reboot system if SELinux was disabled
  reboot:
  when: selinux_mode.stdout == "Disabled"

Full Ansible Playbook

Save the following playbook as install_selinux.yml:

---
- name: Install and Enable SELinux on RHEL 8
  hosts: all
  become: yes
  tasks:
    - name: Ensure SELinux packages are installed
      yum:
        name:
          - libselinux
          - libselinux-utils
          - libsemanage
          - policycoreutils
          - policycoreutils-python-utils
        state: present

    - name: Ensure SELinux is set to enforcing in config
      lineinfile:
        path: /etc/selinux/config
        regexp: '^SELINUX='
        line: 'SELINUX=enforcing'
        backup: yes

    - name: Get current SELinux mode
      command: getenforce
      register: selinux_mode
      changed_when: false
      ignore_errors: true

    - name: Enable SELinux enforcing mode if not already enabled
      command: setenforce 1
      when: selinux_mode.stdout != "Enforcing"
      ignore_errors: true

    - name: Reboot system if SELinux was disabled
      reboot:
      when: selinux_mode.stdout == "Disabled"

Running the Playbook

To execute the playbook, run the following command:

ansible-playbook -i inventory.ini install_selinux.yml

Replace inventory.ini with your inventory file.

Verification

After execution, verify SELinux is in enforcing mode:

getenforce

Check the SELinux status:

sestatus

Best Practices for SELinux Management with Ansible

Automate Compliance: Use Ansible to enforce SELinux across multiple servers.
Monitor SELinux Logs: Review /var/log/audit/audit.log for policy violations.
Use SELinux Modules: Create custom SELinux policies using the semanage command.

Common Use Cases for Automating SELinux

Security Compliance: Ensure all RHEL 8 systems adhere to security policies.
Infrastructure as Code (IaC): Define and enforce SELinux settings programmatically.
System Hardening: Improve security by preventing unauthorized access.

Conclusion

By leveraging Ansible, you can automate the installation and configuration of SELinux on RHEL 8, ensuring security and compliance in your infrastructure.

Learn More About SELinux

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Explore practical examples of SELinux automation in Ansible by Examples.

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Donate

Support this project by contributing today.

Patreon Buy me a Pizza