AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Installing and Enabling SELinux with Ansible on RHEL 8

By Luca Berton · Published 2024-01-01 · Category: installation

Learn how to use Ansible to install, configure, and enable SELinux on RHEL 8. Ensure security and compliance through automation.

SELinux (Security-Enhanced Linux) is a vital security feature in RHEL 8 that enforces mandatory access control (MAC). This guide demonstrates how to automate the installation and configuration of SELinux using Ansible.

Why Enable SELinux?

SELinux provides enhanced security by restricting access based on policies. It prevents unauthorized access and mitigates security risks.

Key Benefits of SELinux:

Mandatory Access Control (MAC): Restricts access based on predefined security policies. • Process Isolation: Prevents unauthorized processes from accessing sensitive resources. • Enhanced Security: Reduces the attack surface in enterprise environments.

See also: Ansible on AlmaLinux 9.5: SELinux Targeted Policy Hardening Complete Guide

Prerequisites

Before running the Ansible playbook, ensure: You have a control node with Ansible installed. The target system (RHEL 8) is accessible via SSH. You have sudo/root privileges on the target machine.

Writing an Ansible Playbook to Install SELinux

1. Installing SELinux Packages

We need to ensure that the necessary SELinux packages are installed on the target system.

- name: Ensure SELinux packages are installed
  yum:
    name:
      - libselinux
      - libselinux-utils
      - libsemanage
      - policycoreutils
      - policycoreutils-python-utils
    state: present

2. Configuring SELinux Mode

The SELinux configuration file (/etc/selinux/config) needs to be modified to set the mode to enforcing.

- name: Ensure SELinux is set to enforcing
  lineinfile:
    path: /etc/selinux/config
    regexp: '^SELINUX='
    line: 'SELINUX=enforcing'
    backup: yes

3. Checking Current SELinux Status

Before enabling SELinux, check its current mode.

- name: Get current SELinux mode
  command: getenforce
  register: selinux_mode
  changed_when: false
  ignore_errors: true

4. Enabling SELinux if Not Already Enforcing

If SELinux is not in enforcing mode, we enable it dynamically.

- name: Enable SELinux enforcing mode if not already enabled
  command: setenforce 1
  when: selinux_mode.stdout != "Enforcing"
  ignore_errors: true

5. Rebooting the System if SELinux Was Disabled

If SELinux was disabled, the system needs a reboot to fully enable it.

- name: Reboot system if SELinux was disabled
  reboot:
  when: selinux_mode.stdout == "Disabled"

See also: Ansible on Fedora 43: SELinux Policy Management Complete Guide

Full Ansible Playbook

Save the following playbook as install_selinux.yml:

---
- name: Install and Enable SELinux on RHEL 8
  hosts: all
  become: yes
  tasks:
    - name: Ensure SELinux packages are installed
      yum:
        name:
          - libselinux
          - libselinux-utils
          - libsemanage
          - policycoreutils
          - policycoreutils-python-utils
        state: present

- name: Ensure SELinux is set to enforcing in config
      lineinfile:
        path: /etc/selinux/config
        regexp: '^SELINUX='
        line: 'SELINUX=enforcing'
        backup: yes


- name: Get current SELinux mode
      command: getenforce
      register: selinux_mode
      changed_when: false
      ignore_errors: true


- name: Enable SELinux enforcing mode if not already enabled
      command: setenforce 1
      when: selinux_mode.stdout != "Enforcing"
      ignore_errors: true


- name: Reboot system if SELinux was disabled
      reboot:
      when: selinux_mode.stdout == "Disabled"

Running the Playbook

To execute the playbook, run the following command:

ansible-playbook -i inventory.ini install_selinux.yml

Replace inventory.ini with your inventory file.

See also: Ansible on Fedora 44: SELinux Policy Management Complete Guide

Verification

After execution, verify SELinux is in enforcing mode:

getenforce

Check the SELinux status:

sestatus

Best Practices for SELinux Management with Ansible

Automate Compliance: Use Ansible to enforce SELinux across multiple servers. • Monitor SELinux Logs: Review /var/log/audit/audit.log for policy violations. • Use SELinux Modules: Create custom SELinux policies using the semanage command.

Common Use Cases for Automating SELinux

Security Compliance: Ensure all RHEL 8 systems adhere to security policies. Infrastructure as Code (IaC): Define and enforce SELinux settings programmatically. System Hardening: Improve security by preventing unauthorized access.

Conclusion

By leveraging Ansible, you can automate the installation and configuration of SELinux on RHEL 8, ensuring security and compliance in your infrastructure.

Learn More About SELinux

Related Articles

fact-based conditionals in Ansiblestatic and dynamic Ansible inventoryAnsible Ignore Errors Guideprivilege escalation with Ansible become

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home