Execute calls on selinux
Note
This module requires the semanage
, setsebool
, and semodule
commands to be available on the minion. On RHEL-based distributions,
ensure that the policycoreutils
and policycoreutils-python
packages are installed. If not on a Fedora or RHEL-based distribution,
consult the selinux documentation for your distribution to ensure that the
proper packages are installed.
New in version 2019.2.0.
Adds the SELinux policy for a given filespec and other optional parameters.
Returns the result of the call to semanage.
Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.
filespec of the file or directory. Regex syntax is allowed.
The SELinux filetype specification. Use one of [a, f, d, c, b,
s, l, p]. See also man semanage-fcontext
. Defaults to 'a'
(all files).
SELinux context type. There are many.
SELinux user. Use semanage login -l
to determine which ones
are available to you.
The MLS range of the SELinux context.
CLI Example:
salt '*' selinux.fcontext_add_policy my-policy
New in version 2017.7.0.
Applies SElinux policies to filespec using restorecon [-R] filespec. Returns dict with changes if successful, the output of the restorecon command otherwise.
filespec of the file or directory. Regex syntax is allowed.
Recursively apply SELinux policies.
CLI Example:
salt '*' selinux.fcontext_apply_policy my-policy
New in version 2019.2.0.
Deletes the SELinux policy for a given filespec and other optional parameters.
Returns the result of the call to semanage.
Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.
filespec of the file or directory. Regex syntax is allowed.
The SELinux filetype specification. Use one of [a, f, d, c, b,
s, l, p]. See also man semanage-fcontext
. Defaults to 'a'
(all files).
SELinux context type. There are many.
SELinux user. Use semanage login -l
to determine which ones
are available to you.
The MLS range of the SELinux context.
CLI Example:
salt '*' selinux.fcontext_delete_policy my-policy
New in version 2017.7.0.
Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.
Returned keys are:
filespec (the name supplied and matched)
filetype (the descriptive name of the filetype supplied)
sel_user, sel_role, sel_type, sel_level (the selinux context)
For a more in-depth explanation of the selinux context, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-SELinux_Contexts.html
filespec of the file or directory. Regex syntax is allowed.
The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
CLI Example:
salt '*' selinux.fcontext_get_policy my-policy
New in version 2017.7.0.
Returns an empty string if the SELinux policy for a given filespec is applied, returns string with differences in policy and actual situation otherwise.
filespec of the file or directory. Regex syntax is allowed.
CLI Example:
salt '*' selinux.fcontext_policy_is_applied my-policy
New in version 2017.7.0.
Translates SELinux filetype single-letter representation to a more human-readable version (which is also used in semanage fcontext -l).
Return the selinux mode from the config file
CLI Example:
salt '*' selinux.getconfig
Return the mode selinux is running in
CLI Example:
salt '*' selinux.getenforce
Return the information on a specific selinux boolean
CLI Example:
salt '*' selinux.getsebool virt_use_usb
Return the information on a specific selinux module
CLI Example:
salt '*' selinux.getsemod mysql
New in version 2016.3.0.
Install custom SELinux module from file
CLI Example:
salt '*' selinux.install_semod [salt://]path/to/module.pp
New in version 2016.11.6.
Return a structure listing all of the selinux booleans on the system and what state they are in
CLI Example:
salt '*' selinux.list_sebool
Return a structure listing all of the selinux modules on the system and what state they are in
CLI Example:
salt '*' selinux.list_semod
New in version 2016.3.0.
New in version 2019.2.0.
Adds the SELinux policy for a given protocol and port.
Returns the result of the call to semanage.
The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range)
.
The SELinux Type. Required.
The protocol for the port, tcp
or udp
. Required if name is not formatted.
The port or port range. Required if name is not formatted.
The SELinux MLS/MCS Security Range.
CLI Example:
salt '*' selinux.port_add_policy add tcp/8080 http_port_t
salt '*' selinux.port_add_policy add foobar http_port_t protocol=tcp port=8091
New in version 2019.2.0.
Deletes the SELinux policy for a given protocol and port.
Returns the result of the call to semanage.
The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range)
.
The protocol for the port, tcp
or udp
. Required if name is not formatted.
The port or port range. Required if name is not formatted.
CLI Example:
salt '*' selinux.port_delete_policy tcp/8080
salt '*' selinux.port_delete_policy foobar protocol=tcp port=8091
New in version 2019.2.0.
Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.
Returned keys are:
sel_type (the selinux type)
proto (the protocol)
port (the port(s) and/or port range(s))
The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range)
.
The SELinux Type.
The protocol for the port, tcp
or udp
. Required if name is not formatted.
The port or port range. Required if name is not formatted.
CLI Example:
salt '*' selinux.port_get_policy tcp/80
salt '*' selinux.port_get_policy foobar protocol=tcp port=80
Remove SELinux module
CLI Example:
salt '*' selinux.remove_semod module_name
New in version 2016.11.6.
Return the location of the SELinux VFS directory
CLI Example:
salt '*' selinux.selinux_fs_path
Set the SELinux enforcing mode
CLI Example:
salt '*' selinux.setenforce enforcing
Set the value for a boolean
CLI Example:
salt '*' selinux.setsebool virt_use_usb off
Set the value of multiple booleans
CLI Example:
salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}'
Enable or disable an SELinux module.
CLI Example:
salt '*' selinux.setsemod nagios Enabled
New in version 2016.3.0.