salt.modules.selinux

Execute calls on selinux

Note

This module requires the semanage, setsebool, and semodule commands to be available on the minion. On RHEL-based distributions, ensure that the policycoreutils and policycoreutils-python packages are installed. If not on a Fedora or RHEL-based distribution, consult the selinux documentation for your distribution to ensure that the proper packages are installed.

salt.modules.selinux.fcontext_add_or_delete_policy(action, name, filetype=None, sel_type=None, sel_user=None, sel_level=None)

New in version 2017.7.0.

Sets or deletes the SELinux policy for a given filespec and other optional parameters.

Returns the result of the call to semanage.

Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.

name
filespec of the file or directory. Regex syntax is allowed.
file_type
The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type
SELinux context type. There are many.
sel_user
SELinux user. Use semanage login -l to determine which ones are available to you.
sel_level
The MLS range of the SELinux context.

CLI Example:

salt '*' selinux.fcontext_add_or_delete_policy add my-policy
salt.modules.selinux.fcontext_apply_policy(name, recursive=False)

New in version 2017.7.0.

Applies SElinux policies to filespec using restorecon [-R] filespec. Returns dict with changes if succesful, the output of the restorecon command otherwise.

name
filespec of the file or directory. Regex syntax is allowed.
recursive
Recursively apply SELinux policies.

CLI Example:

salt '*' selinux.fcontext_apply_policy my-policy
salt.modules.selinux.fcontext_get_policy(name, filetype=None, sel_type=None, sel_user=None, sel_level=None)

New in version 2017.7.0.

Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.

Returned keys are:

  • filespec (the name supplied and matched)
  • filetype (the descriptive name of the filetype supplied)
  • sel_user, sel_role, sel_type, sel_level (the selinux context)

For a more in-depth explanation of the selinux context, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-SELinux_Contexts.html

name
filespec of the file or directory. Regex syntax is allowed.
filetype
The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).

CLI Example:

salt '*' selinux.fcontext_get_policy my-policy
salt.modules.selinux.fcontext_policy_is_applied(name, recursive=False)

New in version 2017.7.0.

Returns an empty string if the SELinux policy for a given filespec is applied, returns string with differences in policy and actual situation otherwise.

name
filespec of the file or directory. Regex syntax is allowed.

CLI Example:

salt '*' selinux.fcontext_policy_is_applied my-policy
salt.modules.selinux.filetype_id_to_string(filetype='a')

New in version 2017.7.0.

Translates SELinux filetype single-letter representation to a more human-readable version (which is also used in semanage fcontext -l).

salt.modules.selinux.getconfig()

Return the selinux mode from the config file

CLI Example:

salt '*' selinux.getconfig
salt.modules.selinux.getenforce()

Return the mode selinux is running in

CLI Example:

salt '*' selinux.getenforce
salt.modules.selinux.getsebool(boolean)

Return the information on a specific selinux boolean

CLI Example:

salt '*' selinux.getsebool virt_use_usb
salt.modules.selinux.getsemod(module)

Return the information on a specific selinux module

CLI Example:

salt '*' selinux.getsemod mysql

New in version 2016.3.0.

salt.modules.selinux.install_semod(module_path)

Install custom SELinux module from file

CLI Example:

salt '*' selinux.install_semod [salt://]path/to/module.pp

New in version 2016.11.6.

salt.modules.selinux.list_sebool()

Return a structure listing all of the selinux booleans on the system and what state they are in

CLI Example:

salt '*' selinux.list_sebool
salt.modules.selinux.list_semod()

Return a structure listing all of the selinux modules on the system and what state they are in

CLI Example:

salt '*' selinux.list_semod

New in version 2016.3.0.

salt.modules.selinux.remove_semod(module)

Remove SELinux module

CLI Example:

salt '*' selinux.remove_semod module_name

New in version 2016.11.6.

salt.modules.selinux.selinux_fs_path(*args, **kwargs)

Return the location of the SELinux VFS directory

CLI Example:

salt '*' selinux.selinux_fs_path
salt.modules.selinux.setenforce(mode)

Set the SELinux enforcing mode

CLI Example:

salt '*' selinux.setenforce enforcing
salt.modules.selinux.setsebool(boolean, value, persist=False)

Set the value for a boolean

CLI Example:

salt '*' selinux.setsebool virt_use_usb off
salt.modules.selinux.setsebools(pairs, persist=False)

Set the value of multiple booleans

CLI Example:

salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}'
salt.modules.selinux.setsemod(module, state)

Enable or disable an SELinux module.

CLI Example:

salt '*' selinux.setsemod nagios Enabled

New in version 2016.3.0.