salt.modules.selinux

Execute calls on selinux

Note

This module requires the semanage, setsebool, and semodule commands to be available on the minion. On RHEL-based distributions, ensure that the policycoreutils and policycoreutils-python packages are installed. If not on a Fedora or RHEL-based distribution, consult the selinux documentation for your distribution to ensure that the proper packages are installed.

salt.modules.selinux.fcontext_add_or_delete_policy(action, name, filetype=None, sel_type=None, sel_user=None, sel_level=None)

Sets or deletes the SELinux policy for a given filespec and other optional parameters. Returns the result of the call to semanage. Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.

name: filespec of the file or directory. Regex syntax is allowed.

filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).

sel_type: SELinux context type. There are many.

sel_user: SELinux user. Use semanage login -l to determine which ones are available to you.

sel_level: The MLS range of the SELinux context.

CLI Example:

salt '*' selinux.fcontext_add_or_delete_policy add my-policy

salt.modules.selinux.fcontext_apply_policy(name, recursive=False)

Applies SELinux policies to filespec using restorecon [-R] filespec. Returns dict with changes if successful, the output of the restorecon command otherwise.

name: filespec of the file or directory. Regex syntax is allowed.

recursive: Recursively apply SELinux policies.

CLI Example:

salt '*' selinux.fcontext_apply_policy my-policy

salt.modules.selinux.fcontext_get_policy(name, filetype=None, sel_type=None, sel_user=None, sel_level=None)

Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found. Returned keys are:

- filespec (the name supplied and matched)
- filetype (the descriptive name of the filetype supplied)
- sel_user, sel_role, sel_type, sel_level (the selinux context)

For a more in-depth explanation of the selinux context, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-SELinux_Contexts.html

name: filespec of the file or directory. Regex syntax is allowed.

filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).

CLI Example:

salt '*' selinux.fcontext_get_policy my-policy
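The exact-match lookup and the returned keys described above, as an added example that is not Salt's own code. It assumes the three-column layout printed by semanage fcontext -l (filespec, descriptive file type, context); the sample listing, the paths in it and the helper name get_policy are constructed for illustration.

```python
import re

# Letter codes accepted by the filetype argument, mapped to the descriptive
# names that semanage prints (see man semanage-fcontext).
FILETYPES = {
    "a": "all files", "f": "regular file", "d": "directory",
    "c": "character device", "b": "block device", "s": "socket",
    "l": "symbolic link", "p": "named pipe",
}

# Constructed sample of `semanage fcontext -l` output, not from a real host.
SAMPLE = """\
SELinux fcontext                                   type               Context

/srv/app(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/srv/app/logs(/.*)?                                directory          system_u:object_r:httpd_log_t:s0
/srv/app/run/app\\.sock                             socket             system_u:object_r:httpd_var_run_t:s0-s0:c0.c1023
/srv/scratch                                       all files          <<None>>
"""

# One listing row: filespec, descriptive file type, user:role:type:level.
# The level is matched last because an MLS range may itself contain colons.
ROW = re.compile(
    r"^(?P<filespec>\S+)\s+(?P<filetype>{})\s+"
    r"(?P<sel_user>[^:\s]+):(?P<sel_role>[^:\s]+):"
    r"(?P<sel_type>[^:\s]+):(?P<sel_level>\S+)$"
    .format("|".join(map(re.escape, FILETYPES.values())))
)


def get_policy(listing, name, filetype="a"):
    """Return the row whose filespec and file type both match exactly, else None.

    The filespec is compared as a literal string; it is not evaluated as a
    regex against a path, so '/srv/app/logs' does not find '/srv/app/logs(/.*)?'.
    """
    wanted = FILETYPES[filetype]
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m and m["filespec"] == name and m["filetype"] == wanted:
            return m.groupdict()
    return None  # header, <<None>> rows and non-matching entries end up here
```

A None result therefore means that no entry exists for that exact filespec and file type pair, not that the path is unlabelled: a broader regex entry may still cover it.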

salt.modules.selinux.fcontext_policy_is_applied(name, recursive=False)

Returns an empty string if the SELinux policy for a given filespec is applied, returns string with differences in policy and actual situation otherwise.

name: filespec of the file or directory. Regex syntax is allowed.

CLI Example:

salt '*' selinux.fcontext_policy_is_applied my-policy

salt.modules.selinux.getconfig()

Return the selinux mode from the config file

CLI Example:

salt '*' selinux.getconfig

salt.modules.selinux.getenforce()

Return the mode selinux is running in

CLI Example:

salt '*' selinux.getenforce

salt.modules.selinux.getsebool(boolean)

Return the information on a specific selinux boolean

CLI Example:

salt '*' selinux.getsebool virt_use_usb

salt.modules.selinux.getsemod(module)

Return the information on a specific selinux module

CLI Example:

salt '*' selinux.getsemod mysql

New in version 2016.3.0.

salt.modules.selinux.install_semod(module_path)

Install custom SELinux module from file

CLI Example:

salt '*' selinux.install_semod [salt://]path/to/module.pp

New in version 2016.11.6.

salt.modules.selinux.list_sebool()

Return a structure listing all of the selinux booleans on the system and what state they are in

CLI Example:

salt '*' selinux.list_sebool

salt.modules.selinux.list_semod()

Return a structure listing all of the selinux modules on the system and what state they are in

CLI Example:

salt '*' selinux.list_semod

New in version 2016.3.0.

salt.modules.selinux.remove_semod(module)

Remove SELinux module

CLI Example:

salt '*' selinux.remove_semod module_name

New in version 2016.11.6.

salt.modules.selinux.selinux_fs_path(*args, **kwargs)

Return the location of the SELinux VFS directory

CLI Example:

salt '*' selinux.selinux_fs_path

salt.modules.selinux.setenforce(mode)

Set the SELinux enforcing mode

CLI Example:

salt '*' selinux.setenforce enforcing

salt.modules.selinux.setsebool(boolean, value, persist=False)

Set the value for a boolean

CLI Example:

salt '*' selinux.setsebool virt_use_usb off

salt.modules.selinux.setsebools(pairs, persist=False)

Set the value of multiple booleans

CLI Example:

salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}'

salt.modules.selinux.setsemod(module, state)

Enable or disable an SELinux module.

CLI Example:

salt '*' selinux.setsemod nagios Enabled

New in version 2016.3.0.