Execute calls on selinux
Note
This module requires the semanage, setsebool, and semodule commands to be available on the minion. On RHEL-based distributions, ensure that the policycoreutils and policycoreutils-python packages are installed. If not on a Fedora or RHEL-based distribution, consult the selinux documentation for your distribution to ensure that the proper packages are installed.
salt.modules.selinux.fcontext_add_or_delete_policy(action, name, filetype=None, sel_type=None, sel_user=None, sel_level=None)
New in version 2017.7.0.
Sets or deletes the SELinux policy for a given filespec and other optional parameters.
Returns the result of the call to semanage.
Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.
man semanage-fcontext. Defaults to 'a' (all files).
semanage login -l to determine which ones are available to you.
CLI Example:
salt '*' selinux.fcontext_add_or_delete_policy add my-policy
salt.modules.selinux.fcontext_apply_policy(name, recursive=False)
New in version 2017.7.0.
Applies SELinux policies to filespec using restorecon [-R] filespec. Returns a dict with the changes if successful, the output of the restorecon command otherwise.
CLI Example:
salt '*' selinux.fcontext_apply_policy my-policy
salt.modules.selinux.fcontext_get_policy(name, filetype=None, sel_type=None, sel_user=None, sel_level=None)
New in version 2017.7.0.
Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.
Returned keys are:
For a more in-depth explanation of the selinux context, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-SELinux_Contexts.html
CLI Example:
salt '*' selinux.fcontext_get_policy my-policy
salt.modules.selinux.fcontext_policy_is_applied(name, recursive=False)
New in version 2017.7.0.
Returns an empty string if the SELinux policy for a given filespec is applied; otherwise returns a string with the differences between the policy and the actual situation.
CLI Example:
salt '*' selinux.fcontext_policy_is_applied my-policy
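The four fcontext functions above combine into a converge step: look up the policy entry, add it if missing, then relabel only when fcontext_policy_is_applied reports a difference. This is an added example, not code from Salt: salt_funcs stands in for the __salt__ dictionary, fake_minion is a constructed stand-in for a minion, and the "retcode" key on the semanage result is an assumption.

```python
def ensure_fcontext(salt_funcs, name, sel_type, filetype="a", recursive=False):
    """Converge policy entry and on-disk label for `name`; return what changed."""
    changes = {}
    # fcontext_get_policy returns None when no entry matches exactly.
    if salt_funcs["selinux.fcontext_get_policy"](
            name, filetype=filetype, sel_type=sel_type) is None:
        # Adding overwrites an older context for the same filespec and
        # filetype, so no delete is issued first.
        res = salt_funcs["selinux.fcontext_add_or_delete_policy"](
            "add", name, filetype=filetype, sel_type=sel_type)
        # Assumption: the semanage result is a dict with a "retcode" key.
        if res.get("retcode", 1) != 0:
            raise RuntimeError("semanage failed: %r" % (res,))
        changes["policy"] = sel_type
    # An empty string means the labels on disk already match the policy.
    if salt_funcs["selinux.fcontext_policy_is_applied"](name, recursive=recursive):
        changes["relabel"] = salt_funcs["selinux.fcontext_apply_policy"](
            name, recursive=recursive)
    return changes


def fake_minion(policy, on_disk):
    """Constructed stand-in for a minion: two dicts mapping filespec -> type."""
    def get_policy(name, filetype=None, sel_type=None):
        if policy.get(name) == sel_type:
            return {"sel_type": sel_type}
        return None

    def add_or_delete(action, name, filetype=None, sel_type=None):
        policy[name] = sel_type
        return {"retcode": 0}

    def is_applied(name, recursive=False):
        if on_disk.get(name) == policy.get(name):
            return ""
        return "%s: %s -> %s" % (name, on_disk.get(name), policy.get(name))

    def apply_policy(name, recursive=False):
        old, on_disk[name] = on_disk.get(name), policy[name]
        return {name: {"old": old, "new": policy[name]}}

    return {"selinux.fcontext_get_policy": get_policy,
            "selinux.fcontext_add_or_delete_policy": add_or_delete,
            "selinux.fcontext_policy_is_applied": is_applied,
            "selinux.fcontext_apply_policy": apply_policy}
```

A second call with the same arguments returns an empty dict, which is the signal that both the policy entry and the on-disk label are already in the desired state.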
salt.modules.selinux.filetype_id_to_string(filetype='a')
New in version 2017.7.0.
Translates SELinux filetype single-letter representation to a more human-readable version (which is also used in semanage fcontext -l).
salt.modules.selinux.getconfig()
Return the selinux mode from the config file
CLI Example:
salt '*' selinux.getconfig
salt.modules.selinux.getenforce()
Return the mode selinux is running in
CLI Example:
salt '*' selinux.getenforce
salt.modules.selinux.getsebool(boolean)
Return the information on a specific selinux boolean
CLI Example:
salt '*' selinux.getsebool virt_use_usb
salt.modules.selinux.getsemod(module)
Return the information on a specific selinux module
CLI Example:
salt '*' selinux.getsemod mysql
New in version 2016.3.0.
salt.modules.selinux.install_semod(module_path)
Install custom SELinux module from file
CLI Example:
salt '*' selinux.install_semod [salt://]path/to/module.pp
New in version 2016.11.6.
salt.modules.selinux.list_sebool()
Return a structure listing all of the selinux booleans on the system and what state they are in
CLI Example:
salt '*' selinux.list_sebool
salt.modules.selinux.list_semod()
Return a structure listing all of the selinux modules on the system and what state they are in
CLI Example:
salt '*' selinux.list_semod
New in version 2016.3.0.
salt.modules.selinux.remove_semod(module)
Remove SELinux module
CLI Example:
salt '*' selinux.remove_semod module_name
New in version 2016.11.6.
salt.modules.selinux.selinux_fs_path(*args, **kwargs)
Return the location of the SELinux VFS directory
CLI Example:
salt '*' selinux.selinux_fs_path
salt.modules.selinux.setenforce(mode)
Set the SELinux enforcing mode
CLI Example:
salt '*' selinux.setenforce enforcing
salt.modules.selinux.setsebool(boolean, value, persist=False)
Set the value for a boolean
CLI Example:
salt '*' selinux.setsebool virt_use_usb off
salt.modules.selinux.setsebools(pairs, persist=False)
Set the value of multiple booleans
CLI Example:
salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}'
salt.modules.selinux.setsemod(module, state)
Enable or disable an SELinux module.
CLI Example:
salt '*' selinux.setsemod nagios Enabled
New in version 2016.3.0.