How to Disable or Enforcing Selinux through Ansible and Reboot Host

Do you want to disable or enable ( enforcing ) SELinux mode on host machines through ansible-playbook? Here I am writing a to change the mode of the SELinux type. SELinux is an important security feature of Linux. There is three value in SELinux, which is Enforcing, Permissive and Disabled. The main configuration file of SELinux security is /etc/selinux/config

  • Enforcing : This shows the security policy is enforced .
  • Permissive: This value shows the security policy only shows warning instead of enforced.
  • Disabled: It means the policy is not loaded in the kernel or disable in condition.

Selinux is a kernel-based security module, So when you will make a change from Disabled to Enforcing or Enforcing to Disabled, you should always reboot your machine because the system reads the configuration file at boot time.

  • The is tested on Centos 8 Linux Structure. All the identical machine with CentOs 8 machine.
  • Before execute this on production environement you should check on your testing env .
  • You should dry run or test run before execute through ansible-playbook -C PlaybookName.yml
  • Version of Ansible which i used is 2.9 .

First Discuss about tasks steps :

Task1:Disable or Enforcing Task

First, we write a snippet to disable to enable the policy. The module we can use is SELinux. This module can configure mode and policy.

Enable SELinux

Below task code will set your configuration file to enforcing mode and policy will set to targeted.

- name: Enforcing SELinux
  selinux:
    state: enforcing
    policy: targeted

Disabled SELinux

In disabling the policy argument not needed .So state will be disable .

- name: Disabling SELinux state
  selinux:
    state: disabled

Task 2: Reboot the managed host machine

Here I am ensuring in my the configuration files are changing and print the output in playbook at run time. After printing the output the machine will reboot.

Ansible for disabling SELinux with a reboot

Below is my for this task , before execute you should always test on your environment or dry run. Through this playbook , if system is already in desired state or disable then after executing this playbook the managed host machine will not rebooted . This playbook only reboot when changes occur in configuration file.

---
- name: Ansible  for disabling SELinux and Reboot .
  hosts: srv1.example.com
  handlers:
          - name: reboot server
            command: systemctl reboot
  tasks:
          - name: Disabling SELinux
            selinux:
                    state: disabled
            register: selinuxdisabled
          - name: Print the changes in Configurtion file 
            command: grep SELINUX /etc/sysconfig/selinux
            register: sevalue
          - debug:
                  var: sevalue.stdout_lines
          - name: Wait for 5 Second and Reboot 
            shell: "sleep 5 && reboot"
            async: 1
            poll: 0
            when: selinuxdisabled is changed

Ansible for Enforcing SELinux with a reboot

---
- name: Ansible Playbook for disabling SELinux and Reboot .
  hosts: srv1.example.com
  handlers:
          - name: reboot server
            command: systemctl reboot
  tasks:
          - name: Disabling SELinux
            selinux:
                    state: enforcing
                    policy: targeted
            register: selinuxdisabled
          - name: Print the changes in Configurtion file 
            command: grep SELINUX /etc/sysconfig/selinux
            register: sevalue
          - debug:
                  var: sevalue.stdout_lines
          - name: Wait for 5 Second and Reboot 
            shell: "sleep 5 && reboot"
            async: 1
            poll: 0
            when: selinuxdisabled is changed

About Sachin Gupta

I am a professional freelance contributor and founder of tech transit. Love to write and lover of education, culture, and community. I have been using it, setting, supporting, and maintaining it since 2009.Linux rocks!

Have any Question or Comment?

Leave a Reply

Your email address will not be published.