Execute calls on selinux

Note: This module requires the semanage, setsebool, and semodule commands to be available on the minion. On RHEL-based distributions, ensure that the policycoreutils and policycoreutils-python packages are installed. If not on a Fedora or RHEL-based distribution, consult the SELinux documentation for your distribution to ensure that the proper packages are installed.

selinux.fcontext_add_policy
New in version 2019.2.0.
Adds the SELinux policy for a given filespec and other optional parameters. Returns the result of the call to semanage.
Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.
name: filespec of the file or directory. Regex syntax is allowed.
filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type: SELinux context type. There are many.
sel_user: SELinux user. Use semanage login -l to determine which ones are available to you.
sel_level: The MLS range of the SELinux context.
CLI Example:
salt '*' selinux.fcontext_add_policy my-policy

selinux.fcontext_apply_policy
New in version 2017.7.0.
Applies SELinux policies to filespec using restorecon [-R] filespec. Returns a dict with changes if successful, the output of the restorecon command otherwise.
name: filespec of the file or directory. Regex syntax is allowed.
recursive: Recursively apply SELinux policies.
CLI Example:
salt '*' selinux.fcontext_apply_policy my-policy

selinux.fcontext_delete_policy
New in version 2019.2.0.
Deletes the SELinux policy for a given filespec and other optional parameters. Returns the result of the call to semanage.
Note that you don't have to remove an entry before setting a new one for a given filespec and filetype, as adding one with semanage automatically overwrites a previously configured SELinux context.
name: filespec of the file or directory. Regex syntax is allowed.
filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type: SELinux context type. There are many.
sel_user: SELinux user. Use semanage login -l to determine which ones are available to you.
sel_level: The MLS range of the SELinux context.
CLI Example:
salt '*' selinux.fcontext_delete_policy my-policy

selinux.fcontext_get_policy
New in version 2017.7.0.
Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.
Returned keys are:
filespec (the name supplied and matched)
filetype (the descriptive name of the filetype supplied)
sel_user, sel_role, sel_type, sel_level (the SELinux context)
For a more in-depth explanation of the SELinux context, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-SELinux_Contexts.html
name: filespec of the file or directory. Regex syntax is allowed.
filetype: The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
CLI Example:
salt '*' selinux.fcontext_get_policy my-policy

selinux.fcontext_policy_is_applied
New in version 2017.7.0.
Returns an empty string if the SELinux policy for a given filespec is applied; otherwise returns a string describing the differences between the policy and the actual situation.
name: filespec of the file or directory. Regex syntax is allowed.
CLI Example:
salt '*' selinux.fcontext_policy_is_applied my-policy

selinux.filetype_id_to_string
New in version 2017.7.0.
Translates the SELinux filetype single-letter representation to the more human-readable version that semanage fcontext -l also uses.
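An added example (not Salt's own code) showing what fcontext_get_policy's dictionary and filetype_id_to_string's translation amount to: the single-letter table is mapped to the wording semanage fcontext -l prints, and an exact filespec/filetype match is pulled from that listing. The listing is a constructed sample; the function names only mirror the module's for readability.

```python
import re

# Human-readable names for the single-letter filetype codes; this is the
# wording semanage fcontext -l prints in its "type" column.
FILETYPE_DESCRIPTIONS = {
    "a": "all files", "f": "regular file", "d": "directory",
    "c": "character device", "b": "block device", "s": "socket",
    "l": "symbolic link", "p": "named pipe",
}

# Constructed sample of `semanage fcontext -l` output so this runs offline.
SAMPLE_FCONTEXT_LIST = """\
SELinux fcontext            type            Context
/var/www(/.*)?              all files       system_u:object_r:httpd_sys_content_t:s0
/var/www/html/upload(/.*)?  all files       system_u:object_r:httpd_sys_rw_content_t:s0
/srv/app/run(/.*)?          socket          system_u:object_r:httpd_var_run_t:s0
/etc/shadow                 regular file    system_u:object_r:shadow_t:s0
"""

# filespec, the filetype words, then the four colon-separated context fields.
_LINE_RE = re.compile(
    r"^(?P<filespec>\S+)\s+(?P<filetype>.+?)\s+"
    r"(?P<sel_user>[^:\s]+):(?P<sel_role>[^:\s]+):"
    r"(?P<sel_type>[^:\s]+):(?P<sel_level>\S+)\s*$"
)


def filetype_id_to_string(filetype="a"):
    """Translate a filetype letter to its descriptive name (None if unknown)."""
    return FILETYPE_DESCRIPTIONS.get(filetype)


def fcontext_get_policy(name, filetype="a", listing=SAMPLE_FCONTEXT_LIST):
    """Return the entry whose filespec AND filetype match exactly, else None.

    Matching is literal: the regex in the filespec is compared as text, so
    '/var/www' does not match the '/var/www(/.*)?' rule.
    """
    wanted = filetype_id_to_string(filetype)
    if wanted is None:
        raise ValueError(f"unknown filetype {filetype!r}")
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header line or anything we cannot parse
        if m.group("filespec") == name and m.group("filetype") == wanted:
            return m.groupdict()
    return None
```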

selinux.getconfig
Return the SELinux mode from the config file.
CLI Example:
salt '*' selinux.getconfig

selinux.getenforce
Return the mode SELinux is running in.
CLI Example:
salt '*' selinux.getenforce

selinux.getsebool
Return the information on a specific SELinux boolean.
CLI Example:
salt '*' selinux.getsebool virt_use_usb

selinux.getsemod
New in version 2016.3.0.
Return the information on a specific SELinux module.
CLI Example:
salt '*' selinux.getsemod mysql

selinux.install_semod
New in version 2016.11.6.
Install a custom SELinux module from a file.
CLI Example:
salt '*' selinux.install_semod [salt://]path/to/module.pp

selinux.list_sebool
Return a structure listing all of the SELinux booleans on the system and what state they are in.
CLI Example:
salt '*' selinux.list_sebool

selinux.list_semod
New in version 2016.3.0.
Return a structure listing all of the SELinux modules on the system and what state they are in.
CLI Example:
salt '*' selinux.list_semod

selinux.port_add_policy
New in version 2019.2.0.
Adds the SELinux policy for a given protocol and port. Returns the result of the call to semanage.
name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux type. Required.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.
sel_range: The SELinux MLS/MCS security range.
CLI Example:
salt '*' selinux.port_add_policy tcp/8080 http_port_t
salt '*' selinux.port_add_policy foobar http_port_t protocol=tcp port=8091

selinux.port_delete_policy
New in version 2019.2.0.
Deletes the SELinux policy for a given protocol and port. Returns the result of the call to semanage.
name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.
CLI Example:
salt '*' selinux.port_delete_policy tcp/8080
salt '*' selinux.port_delete_policy foobar protocol=tcp port=8091

selinux.port_get_policy
New in version 2019.2.0.
Returns the current entry in the SELinux policy list as a dictionary. Returns None if no exact match was found.
Returned keys are:
sel_type (the SELinux type)
proto (the protocol)
port (the port(s) and/or port range(s))
name: The protocol and port spec. Can be formatted as (tcp|udp)/(port|port-range).
sel_type: The SELinux type.
protocol: The protocol for the port, tcp or udp. Required if name is not formatted.
port: The port or port range. Required if name is not formatted.
CLI Example:
salt '*' selinux.port_get_policy tcp/80
salt '*' selinux.port_get_policy foobar protocol=tcp port=80
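An added example, not the module's own code, of the two things the port functions share: resolving the (tcp|udp)/(port|port-range) name (falling back to protocol= and port= when the name is unformatted, as the foobar examples do) and finding the sel_type/proto/port entry in semanage port -l output. The listing is a constructed sample.

```python
import re

# Constructed sample of `semanage port -l` output so this runs offline.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
"""

_SPEC_RE = re.compile(r"^(tcp|udp)/(\d+(?:-\d+)?)$")


def parse_port_spec(name, protocol=None, port=None):
    """Resolve (protocol, port) from a '(tcp|udp)/(port|port-range)' name.

    When name is not in that form, protocol= and port= must be given,
    exactly as the CLI examples show for the unformatted name 'foobar'.
    """
    m = _SPEC_RE.match(name)
    if m:
        return m.group(1), m.group(2)
    if protocol in ("tcp", "udp") and port:
        return protocol, str(port)
    raise ValueError("name is not (tcp|udp)/port and no protocol/port given")


def port_get_policy(name, sel_type=None, protocol=None, port=None,
                    listing=SAMPLE_PORT_LIST):
    """Return {'sel_type', 'proto', 'port'} for the line whose port list holds
    the requested port or range as an exact item; None if there is no match."""
    proto, wanted = parse_port_spec(name, protocol, port)
    for line in listing.splitlines()[1:]:       # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue                            # type with no ports assigned
        line_type, line_proto, ports = parts
        if line_proto != proto or (sel_type and line_type != sel_type):
            continue
        if wanted in [p.strip() for p in ports.split(",")]:
            return {"sel_type": line_type, "proto": line_proto,
                    "port": ports.strip()}
    return None
```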

selinux.remove_semod
New in version 2016.11.6.
Remove an SELinux module.
CLI Example:
salt '*' selinux.remove_semod module_name

selinux.selinux_fs_path
Return the location of the SELinux VFS directory.
CLI Example:
salt '*' selinux.selinux_fs_path

selinux.setenforce
Set the SELinux enforcing mode.
CLI Example:
salt '*' selinux.setenforce enforcing

selinux.setsebool
Set the value for a boolean.
CLI Example:
salt '*' selinux.setsebool virt_use_usb off

selinux.setsebools
Set the value of multiple booleans.
CLI Example:
salt '*' selinux.setsebools '{virt_use_usb: on, squid_use_tproxy: off}'

selinux.setsemod
New in version 2016.3.0.
Enable or disable an SELinux module.
CLI Example:
salt '*' selinux.setsemod nagios Enabled