How to Disable or Enforcing Selinux through Ansible and Reboot Host

Do you want to disable or enable ( enforcing ) SELinux mode on host machines through -playbook? Here I am writing a playbook to change the mode of the SELinux type. SELinux is an important security feature of Linux. There is three value in SELinux, which is Enforcing, Permissive and Disabled. The main configuration file of SELinux security is /etc/selinux/config

  • Enforcing : This shows the security policy is enforced .
  • Permissive: This value shows the security policy only shows warning instead of enforced.
  • Disabled: It means the policy is not loaded in the kernel or disable in condition.

Selinux is a kernel-based security module, So when you will make a change from Disabled to Enforcing or Enforcing to Disabled, you should always your machine because the system reads the configuration file at boot time.

  • The playbook is tested on 8 Linux Structure. All the identical machine with CentOs 8 machine.
  • Before execute this on production environement you should check on your testing env .
  • You should dry run or test run before execute through -playbook -C PlaybookName.yml
  • Version of which i used is 2.9 .

First Discuss about playbook tasks steps :

Task1:Disable or Enforcing Playbook Task

First, we write a playbook snippet to disable to enable the policy. The module we can use is SELinux. This module can configure mode and policy.

Enable SELinux

Below task code will set your configuration file to enforcing mode and policy will set to targeted.

- name: Enforcing SELinux
  selinux:
    state: enforcing
    policy: targeted

Disabled SELinux

In disabling the policy argument not needed .So state will be disable .

- name: Disabling SELinux state
  selinux:
    state: disabled

Task 2: the managed host machine

Here I am ensuring in my playbook the configuration files are changing and print the output in playbook at run time. After printing the output the machine will reboot.

Ansible Playbook for disabling SELinux with a reboot

Below is my playbook for this task , before execute you should always test on your environment or dry run. Through this playbook , if system is already in desired state or disable then after executing this playbook the managed host machine will not rebooted . This playbook only when changes occur in configuration file.

---
- name: Ansible Playbook for disabling SELinux and Reboot .
  hosts: srv1.example.com
  handlers:
          - name:  server
            command: systemctl reboot
  tasks:
          - name: Disabling SELinux
            selinux:
                    state: disabled
            register: selinuxdisabled
          - name: Print the changes in Configurtion file 
            command: grep SELINUX /etc/sysconfig/selinux
            register: sevalue
          - debug:
                  var: sevalue.stdout_lines
          - name: Wait for 5 Second and Reboot 
            shell: "sleep 5 && reboot"
            async: 1
            poll: 0
            when: selinuxdisabled is changed

Ansible Playbook for Enforcing SELinux with a

---
- name: Ansible Playbook for disabling SELinux and Reboot .
  hosts: srv1.example.com
  handlers:
          - name:  server
            command: systemctl reboot
  tasks:
          - name: Disabling SELinux
            selinux:
                    state: enforcing
                    policy: targeted
            register: selinuxdisabled
          - name: Print the changes in Configurtion file 
            command: grep SELINUX /etc/sysconfig/selinux
            register: sevalue
          - debug:
                  var: sevalue.stdout_lines
          - name: Wait for 5 Second and Reboot 
            shell: "sleep 5 && reboot"
            async: 1
            poll: 0
            when: selinuxdisabled is changed

About Sachin Gupta

I am a professional freelance contributor and founder of tech transit. Love to write and lover of education, culture, and community. I have been using it, setting, supporting, and maintaining it since 2009.Linux rocks!

Have any Question or Comment?

Leave a Reply

Your email address will not be published.