salt.modules.selinux#

Execute calls on selinux

Note

This module requires the semanage, setsebool, and semodule commands to be available on the minion. On RHEL-based distributions, ensure that the policycoreutils and policycoreutils-python packages are installed. If not on a Fedora or RHEL-based distribution, consult the selinux documentation for your distribution to ensure that the proper packages are installed.

class salt.modules.selinux.EmptyDict#

class salt.modules.selinux.SeBoolDict#

Default: str#

Description: str#

State: str#

class salt.modules.selinux.SeFileType(value)#

An enumeration.

ALL = 'a'#

BLOCK_DEV = 'b'#

CHAR_DEV = 'c'#

DIRECTORY = 'd'#

NAMED_PIPE = 'p'#

REGULAR = 'f'#

SOCKET = 's'#

SYMLINK = 'l'#

property description: str#

classmethod from_code(code: str) → SeFileType#: Validate a raw string and return the matching FileType. Raises SaltInvocationError on invalid codes.

class salt.modules.selinux.SeModDict#

Enabled: bool#

Version: str | None#

salt.modules.selinux.fcontext_add_policy(name, filetype=None, sel_type=None, sel_user=None, sel_level=None)#

New in version 2019.2.0.

Adds the SELinux policy for a given filespec and other optional parameters.

Returns the result of the call to semanage.

Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.

name: filespec of the file or directory. Regex syntax is allowed.
file_type: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type: SELinux context type. There are many.
sel_user: SELinux user. Use semanage login -l to determine which ones are available to you.
sel_level: The MLS range of the SELinux context.

CLI Example:

salt '*' selinux.fcontext_add_policy my-policy

salt.modules.selinux.fcontext_apply_policy(name, recursive=False)#

New in version 2017.7.0.

Applies SElinux policies to filespec using restorecon [-R] filespec. Returns dict with changes if successful, the output of the restorecon command otherwise.

name: filespec of the file or directory. Regex syntax is allowed.
recursive: Recursively apply SELinux policies.

CLI Example:

salt '*' selinux.fcontext_apply_policy my-policy

salt.modules.selinux.fcontext_delete_policy(name, filetype=None, sel_type=None, sel_user=None, sel_level=None)#

New in version 2019.2.0.

Deletes the SELinux policy for a given filespec and other optional parameters.

Returns the result of the call to semanage.

Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.

name: filespec of the file or directory. Regex syntax is allowed.
file_type: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type: SELinux context type. There are many.
sel_user: SELinux user. Use semanage login -l to determine which ones are available to you.
sel_level: The MLS range of the SELinux context.

CLI Example:

salt '*' selinux.fcontext_delete_policy my-policy

salt.modules.selinux.fcontext_get_policy(name, filetype=None, sel_type=None, sel_user=None, sel_level=None)#

New in version 2017.7.0.

Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.

Returned keys are:

filespec (the name supplied and matched)
filetype (the descriptive name of the filetype supplied)
sel_user, sel_role, sel_type, sel_level (the selinux context)

For a more in-depth explanation of the selinux context, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-SELinux_Contexts.html

name: filespec of the file or directory. Regex syntax is allowed.
filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).

CLI Example:

salt '*' selinux.fcontext_get_policy my-policy

salt.modules.selinux.fcontext_policy_is_applied(name, recursive=False)#

New in version 2017.7.0.

Returns an empty string if the SELinux policy for a given filespec is applied, returns string with differences in policy and actual situation otherwise.

name: filespec of the file or directory. Regex syntax is allowed.

CLI Example:

salt '*' selinux.fcontext_policy_is_applied my-policy

salt.modules.selinux.filetype_id_to_string(filetype='a')#: New in version 2017.7.0.

Translates SELinux filetype single-letter representation to a more human-readable version (which is also used in semanage fcontext -l).

salt.modules.selinux.getconfig() → str | None#

Return the selinux mode from the config file

CLI Example:

salt '*' selinux.getconfig

salt.modules.selinux.getenforce()#

Return the mode selinux is running in

CLI Example:

salt '*' selinux.getenforce

salt.modules.selinux.getsebool(boolean: str) → SeBoolDict | EmptyDict#

Return the information on a specific selinux boolean

CLI Example:

salt '*' selinux.getsebool virt_use_usb

salt.modules.selinux.getsemod(module) → SeModDict | EmptyDict#

Return the information on a specific selinux module

CLI Example:

salt '*' selinux.getsemod mysql

New in version 2016.3.0.

salt.modules.selinux.install_semod(module_path: str)#

Install custom SELinux module from file

CLI Example:

salt '*' selinux.install_semod [salt://]path/to/module.pp

New in version 2016.11.6.

salt.modules.selinux.list_sebool() → dict[str, salt.modules.selinux.SeBoolDict]#

Return a structure listing all of the selinux booleans on the system and what state they are in

CLI Example:

salt '*' selinux.list_sebool

salt.modules.selinux.list_semod() → dict[str, salt.modules.selinux.SeModDict]#

Return a structure listing all of the selinux modules on the system and what state they are in

CLI Example:

salt '*' selinux.list_semod

New in version 2016.3.0.

salt.modules.selinux.port_add_policy(name, sel_type=None, protocol=None, port=None, sel_range=None)#

New in version 2019.2.0.

Adds the SELinux policy for a given protocol and port.

Returns the result of the call to semanage.

name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux Type. Required.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.
sel_range: The SELinux MLS/MCS Security Range.

CLI Example:

salt '*' selinux.port_add_policy tcp/8080 http_port_t
salt '*' selinux.port_add_policy foobar http_port_t protocol=tcp port=8091

salt.modules.selinux.port_delete_policy(name, protocol=None, port=None)#

New in version 2019.2.0.

Deletes the SELinux policy for a given protocol and port.

Returns the result of the call to semanage.

name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.

CLI Example:

salt '*' selinux.port_delete_policy tcp/8080
salt '*' selinux.port_delete_policy foobar protocol=tcp port=8091

salt.modules.selinux.port_get_policy(name, sel_type=None, protocol=None, port=None)#

New in version 2019.2.0.

Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.

Returned keys are:

sel_type (the selinux type)
proto (the protocol)
port (the port(s) and/or port range(s))

name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux Type.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.

CLI Example:

salt '*' selinux.port_get_policy tcp/80
salt '*' selinux.port_get_policy foobar protocol=tcp port=80

salt.modules.selinux.port_modify_policy(name, sel_type=None, protocol=None, port=None, sel_range=None)#

New in version 2019.2.0.

Modifies the SELinux policy for a given protocol and port.

Returns the result of the call to semanage.

name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux Type. Required.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.
sel_range: The SELinux MLS/MCS Security Range.

CLI Example:

salt '*' selinux.port_modify_policy tcp/8080 http_port_t
salt '*' selinux.port_modify_policy foobar http_port_t protocol=tcp port=8091

salt.modules.selinux.remove_semod(module)#

Remove SELinux module

CLI Example:

salt '*' selinux.remove_semod module_name

New in version 2016.11.6.

salt.modules.selinux.selinux_fs_path()#

Return the location of the SELinux VFS directory

CLI Example:

salt '*' selinux.selinux_fs_path

salt.modules.selinux.setenforce(mode: Literal['enforcing', 'Enforcing', 'Permissive', 'permissive', 'Disabled', 'disabled'])#

Set the SELinux enforcing mode

CLI Example:

salt '*' selinux.setenforce enforcing

salt.modules.selinux.setsebool(boolean: Any, value: Literal[True, 'true', 'on', '1', 1, False, 'false', 'off', '0', 0], persist=False)#

Set the value for a boolean

CLI Example:

salt '*' selinux.setsebool virt_use_usb off

salt.modules.selinux.setsebools(pairs: dict[Any, Literal[True, 'true', 'on', '1', 1, False, 'false', 'off', '0', 0]], persist=False)#

Set the value of multiple booleans

CLI Example:

salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}'

salt.modules.selinux.setsemod(module: Any, state: Literal['enabled', 'Enabled', 'disabled', 'Disabled'])#

Enable or disable an SELinux module.

CLI Example:

salt '*' selinux.setsemod nagios Enabled

New in version 2016.3.0.

Table of Contents

salt.modules.selinux#