salt.states.selinux

Management of SELinux rules

If SELinux is available for the running system, the mode can be managed and booleans can be set.

enforcing:
    selinux.mode

samba_create_home_dirs:
    selinux.boolean:
      - value: True
      - persist: True

nginx:
    selinux.module:
      - enabled: False

Note

Use of these states requires that the selinux execution module is available.

salt.states.selinux.boolean(name, value, persist=False)

Set up an SELinux boolean

name

The name of the boolean to set

value

The value to set on the boolean

persist

Defaults to False. Set persist to True to make the boolean survive a reboot.

salt.states.selinux.fcontext_policy_absent(name, filetype='a', sel_type=None, sel_user=None, sel_level=None)

New in version 2017.7.0.

Makes sure an SELinux file context policy for a given filespec (name), filetype and SELinux context type is absent.

name

Filespec of the file or directory. Regex syntax is allowed.

filetype

The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).

sel_type

The SELinux context type. There are many.

sel_user

The SELinux user.

sel_level

The SELinux MLS range.

salt.states.selinux.fcontext_policy_applied(name, recursive=False)

New in version 2017.7.0.

Checks and makes sure the SELinux policies for a given filespec are applied.

salt.states.selinux.fcontext_policy_present(name, sel_type, filetype='a', sel_user=None, sel_level=None)

New in version 2017.7.0.

Makes sure an SELinux file context policy for a given filespec (name), filetype and SELinux context type is present.

name

Filespec of the file or directory. Regex syntax is allowed.

sel_type

SELinux context type. There are many.

filetype

The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).

sel_user

The SELinux user.

sel_level

The SELinux MLS range.
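The following SLS is an added example (not from the Salt documentation or the salt.states.selinux source) showing how fcontext_policy_present, fcontext_policy_applied and fcontext_policy_absent are normally combined. The paths /srv/www, /srv/www/uploads and /srv/www-old and the state ids are assumptions; httpd_sys_content_t and httpd_sys_rw_content_t are the read-only and writable web content types of the targeted policy.

```yaml
# Record a file-context mapping for a non-default document root so that
# files placed there are labelled like /var/www content. The regex in
# `name` covers the directory itself and everything below it.
webroot_context:
  selinux.fcontext_policy_present:
    - name: '/srv/www(/.*)?'
    - sel_type: httpd_sys_content_t
    - filetype: a

# Writable upload area: a distinct, more specific mapping so the confined
# web server can write only here, not to the whole document root.
uploads_context:
  selinux.fcontext_policy_present:
    - name: '/srv/www/uploads(/.*)?'
    - sel_type: httpd_sys_rw_content_t

# fcontext_policy_present only records the mapping in the policy store;
# this state relabels the existing tree so files already on disk carry
# the new context. It must run after both mappings are in place.
webroot_relabel:
  selinux.fcontext_policy_applied:
    - name: /srv/www
    - recursive: True
    - require:
      - selinux: webroot_context
      - selinux: uploads_context

# Retire the mapping for a document root that no longer exists, so the
# policy store does not keep granting web-server access to that path.
old_webroot_context:
  selinux.fcontext_policy_absent:
    - name: '/srv/www-old(/.*)?'
    - sel_type: httpd_sys_content_t
```

Quote the regex filespecs so the YAML parser does not misread the parentheses, and keep the rw mapping as narrow as possible: every path labelled httpd_sys_rw_content_t is a path a compromised web server process can write to.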

salt.states.selinux.mode(name)

Verifies the mode SELinux is running in. It can be set to enforcing, permissive, or disabled.

Note

A change to or from disabled mode requires a system reboot. You will need to perform this yourself.

name

The mode to run SELinux in, permissive, enforcing, or disabled.

salt.states.selinux.module(name, module_state='Enabled', version='any', **opts)

Enable or disable an SELinux module, and optionally require a specific version of it.

name

The name of the module to control

module_state

Should the module be enabled or disabled?

version

Defaults to no preference; set to a specific version if required. Currently the state can only alert when the installed version does not match.

install

Setting to True installs the module.

source

Path to the module source file; used only when install is True.

remove

Setting to True removes the module.

New in version 2016.3.0.

salt.states.selinux.module_install(name)

Installs a custom SELinux module from the given file.

name

Path to the file containing the module to install.

New in version 2016.11.6.

salt.states.selinux.module_remove(name)

Removes an SELinux module.

name

The name of the module to remove

New in version 2016.11.6.
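An added example (not part of the Salt documentation) of the module states working together: the compiled policy package is first delivered to the minion with file.managed, then loaded with module_install, while a module that is no longer wanted is disabled with selinux.module and another removed with module_remove. The module name my_custom, the fileserver path salt://selinux/my_custom.pp, the minion path /usr/local/share/selinux/my_custom.pp and the module ids under "disable" and "remove" are assumptions.

```yaml
# Deliver the compiled policy package (.pp) to the minion. The module
# name SELinux reports after loading is taken from the package itself,
# so the file name is kept equal to the module name for clarity.
my_custom_pp:
  file.managed:
    - name: /usr/local/share/selinux/my_custom.pp
    - source: salt://selinux/my_custom.pp
    - mode: '0644'

# Load the package into the running policy. `name` is the path to the
# file, not the module name.
my_custom_install:
  selinux.module_install:
    - name: /usr/local/share/selinux/my_custom.pp
    - require:
      - file: my_custom_pp

# Disable a vendor module that grants more than this host needs, without
# removing it from the store so it can be re-enabled later.
unneeded_vendor_module:
  selinux.module:
    - name: unneeded_vendor_module
    - module_state: Disabled

# Remove a custom module that has been superseded. `name` is the module
# name here, unlike module_install.
old_custom_remove:
  selinux.module_remove:
    - name: old_custom
```

Keep the .pp files under version control alongside the .te sources they were built from: a loaded module is a change to the mandatory access control policy, and reviewers need to be able to read what it allows.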

salt.states.selinux.port_policy_absent(name, sel_type=None, protocol=None, port=None)

New in version 2019.2.0.

Makes sure an SELinux port policy for a given port, protocol and SELinux context type is absent.

name

The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).

sel_type

The SELinux type. Optional; used only to determine whether the policy is present, and ignored by semanage port --delete.

protocol

The protocol for the port, tcp or udp. Required if name is not in the (tcp|udp)/(port|port-range) form.

port

The port or port range. Required if name is not in the (tcp|udp)/(port|port-range) form.

salt.states.selinux.port_policy_present(name, sel_type, protocol=None, port=None, sel_range=None)

New in version 2019.2.0.

Makes sure an SELinux port policy for a given port, protocol and SELinux context type is present.

name

The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).

sel_type

The SELinux type.

protocol

The protocol for the port, tcp or udp. Required if name is not in the (tcp|udp)/(port|port-range) form.

port

The port or port range. Required if name is not in the (tcp|udp)/(port|port-range) form.

sel_range

The SELinux MLS/MCS Security Range.
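An added example (not from the Salt documentation) showing both ways of naming a port policy for port_policy_present, plus a matching port_policy_absent. The state ids, the ports 8181 and 8281-8289 (assumed not already labelled in the base policy) and port 9000 are assumptions; http_port_t is the targeted-policy type for ports the confined web server may bind to.

```yaml
# Let the confined web server listen on a non-standard port by giving
# that port the same type as 80/443. `name` carries protocol and port
# in the (tcp|udp)/(port|port-range) form, so no other arguments are
# needed.
web_alt_port:
  selinux.port_policy_present:
    - name: tcp/8181
    - sel_type: http_port_t

# Same state using the explicit arguments. The state id is then just a
# label, and a range is written as first-last.
web_alt_port_range:
  selinux.port_policy_present:
    - name: web_alt_port_range
    - sel_type: http_port_t
    - protocol: tcp
    - port: 8281-8289

# Drop a port label left over from a decommissioned service. sel_type is
# optional here and only narrows the "is it present" check; the delete
# itself is by protocol and port.
old_service_port:
  selinux.port_policy_absent:
    - name: tcp/9000
    - sel_type: http_port_t
```

Label ports as narrowly as the service needs: a port typed http_port_t can be bound by any domain the policy allows to use http_port_t, not only the one service you had in mind.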