salt.states.selinux#

Management of SELinux rules#

If SELinux is available for the running system, the mode can be managed and booleans can be set.

enforcing:
    selinux.mode

samba_create_home_dirs:
    selinux.boolean:
      - value: True
      - persist: True

nginx:
    selinux.module:
      - enabled: False

Note

Use of these states require that the selinux execution module is available.

salt.states.selinux.boolean(name: str, value: Literal[True, 'true', 'on', '1', 1, False, 'false', 'off', '0', 0] | None = None, booleans: Iterable[str | dict[str, Literal[True, 'true', 'on', '1', 1, False, 'false', 'off', '0', 0]]] | dict[str, Literal[True, 'true', 'on', '1', 1, False, 'false', 'off', '0', 0]] | None = None, persist=False)#

Set up an SELinux boolean

name

The name of the boolean to set. Note that this parameter is ignored if either "booleans" is passed.

value

The value to set on the boolean You can install a different value for each boolean with the booleans argument by including the version after the boolean name:

"my selinux booleans":
  selinux.boolean:
    - value: true
    - booleans:
      - foo
      - bar
      - baz: false

booleans

A list of boolean to set. All booleans listed under booleans will be installed via a single command.

mybooleans:
  selinux.boolean:
    - value: true
    - booleans:
      - foo
      - bar
      - baz

value can be specified in the booleans argument. For example:

mybooleans:
  selinux.boolean:
    - value: true
    - booleans:
      - foo
      - bar: false
      - baz

mybooleans:
  selinux.boolean:
    - booleans:
        foo: true
        bar: true
        baz: false

persist

Defaults to False, set persist to true to make the boolean apply on a reboot

salt.states.selinux.fcontext_policy_absent(name, filetype='a', sel_type=None, sel_user=None, sel_level=None)#

New in version 2017.7.0.

Makes sure an SELinux file context policy for a given filespec (name), filetype and SELinux context type is absent.

name: filespec of the file or directory. Regex syntax is allowed.
filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type: The SELinux context type. There are many.
sel_user: The SELinux user.
sel_level: The SELinux MLS range.

salt.states.selinux.fcontext_policy_applied(name, recursive=False)#: New in version 2017.7.0.

Checks and makes sure the SELinux policies for a given filespec are applied.

salt.states.selinux.fcontext_policy_present(name, sel_type, filetype='a', sel_user=None, sel_level=None)#

New in version 2017.7.0.

Makes sure a SELinux policy for a given filespec (name), filetype and SELinux context type is present.

name: filespec of the file or directory. Regex syntax is allowed.
sel_type: SELinux context type. There are many.
filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_user: The SELinux user.
sel_level: The SELinux MLS range.

salt.states.selinux.mod_aggregate(low: dict[str, Any], chunks: Iterable[dict[str, Any]], running: dict)#: The mod_aggregate function which looks up all selinux boolean in the available low chunks and merges them into a single boolean ref in the present low data

salt.states.selinux.mode(name)#

Verifies the mode SELinux is running in, can be set to enforcing, permissive, or disabled

Note

A change to or from disabled mode requires a system reboot. You will need to perform this yourself.

name: The mode to run SELinux in, permissive, enforcing, or disabled.

salt.states.selinux.module(name, module_state='Enabled', version='any', **opts)#

Enable/Disable and optionally force a specific version for an SELinux module

name: The name of the module to control
module_state: Should the module be enabled or disabled?
version: Defaults to no preference, set to a specified value if required. Currently can only alert if the version is incorrect.
install: Setting to True installs module
source: Points to module source file, used only when install is True
remove: Setting to True removes module

New in version 2016.3.0.

salt.states.selinux.module_install(name)#

Installs custom SELinux module from given file

name: Path to file with module to install

New in version 2016.11.6.

salt.states.selinux.module_remove(name)#

Removes SELinux module

name: The name of the module to remove

New in version 2016.11.6.

salt.states.selinux.port_policy_absent(name, sel_type=None, protocol=None, port=None)#

New in version 2019.2.0.

Makes sure an SELinux port policy for a given port, protocol and SELinux context type is absent.

name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux Type. Optional; can be used in determining if policy is present, ignored by semanage port --delete.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.

salt.states.selinux.port_policy_present(name, sel_type, protocol=None, port=None, sel_range=None)#

New in version 2019.2.0.

Makes sure an SELinux port policy for a given port, protocol and SELinux context type is present.

name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux Type.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.
sel_range: The SELinux MLS/MCS Security Range.

Table of Contents

salt.states.selinux#

Management of SELinux rules#