Selinux Operations

Provides operations to set SELinux file contexts, booleans and port types.

Facts used in these operations: selinux.FileContext, selinux.FileContextMapping, selinux.SEBoolean, selinux.SEPort, selinux.SEPorts, server.Which.

selinux.boolean

Set the specified SELinux boolean to the desired state.

selinux.boolean(bool_name: str, value: Boolean, persistent=False, **kwargs)

  • boolean: name of an SELinux boolean

  • value: desired state of the boolean

  • persistent: whether to write updated policy or not

Note: This operation requires root privileges.

Example:

selinux.boolean(
    name='Allow Apache to connect to LDAP server',
    'httpd_can_network_connect',
    Boolean.ON,
    persistent=True
)
Note:

This operation also inherits all global arguments.

selinux.file_context

Set the SELinux type for the specified path to the specified value.

selinux.file_context(path: str, se_type: str, **kwargs)

  • path: the target path (expression) for the context

  • se_type: the SELinux type for the given target

Example:

selinux.file_context(
    name='Allow /foo/bar to be served by the web server',
    '/foo/bar',
    'httpd_sys_content_t'
)
Note:

This operation also inherits all global arguments.

selinux.file_context_mapping

Set the SELinux file context mapping for paths matching the target.

selinux.file_context_mapping(target: str, se_type: str | None=None, present=True, **kwargs)

  • target: the target path (expression) for the context

  • se_type: the SELinux type for the given target

  • present: whether to add or remove the target -> context mapping

Note: file_context does not change the SELinux file context for existing files so restorecon may need to be run manually if the file contexts cannot be created before the related files.

Example:

selinux.file_context_mapping(
    name='Allow Apache to serve content from the /web directory',
    r'/web(/.*)?',
    se_type='httpd_sys_content_t'
)
Note:

This operation also inherits all global arguments.

selinux.port

Set the SELinux type for the specified protocol and port.

selinux.port(protocol: Protocol | str, port_num: int, se_type: str | None=None, present=True, **kwargs)

  • protocol: the protocol: (udp|tcp|sctp|dccp)

  • port: the port

  • se_type: the SELinux type for the given port

  • present: whether to add or remove the SELinux type for the port

Note: This operation requires root privileges.

Example:

selinux.port(
    name='Allow Apache to provide service on port 2222',
    Protocol.TCP,
    2222,
    'http_port_t',
)
Note:

This operation also inherits all global arguments.