Do you want to disable or enable ( enforcing ) SELinux mode on host machines through ansible-playbook? Here I am writing a playbook to change the mode of the SELinux type. SELinux is an important security feature of Linux. There is three value in SELinux, which is Enforcing, Permissive and Disabled. The main configuration file of SELinux security is /etc/selinux/config
- Enforcing : This shows the security policy is enforced .
- Permissive: This value shows the security policy only shows warning instead of enforced.
- Disabled: It means the policy is not loaded in the kernel or disable in condition.
Selinux is a kernel-based security module, So when you will make a change from Disabled to Enforcing or Enforcing to Disabled, you should always reboot your machine because the system reads the configuration file at boot time.
- The playbook is tested on Centos 8 Linux Structure. All the identical machine with CentOs 8 machine.
- Before execute this on production environement you should check on your testing env .
- You should dry run or test run before execute through ansible-playbook -C PlaybookName.yml
- Version of Ansible which i used is 2.9 .
First Discuss about playbook tasks steps :
Task1:Disable or Enforcing Playbook Task
First, we write a playbook snippet to disable to enable the policy. The module we can use is SELinux. This module can configure mode and policy.
Enable SELinux
Below task code will set your configuration file to enforcing mode and policy will set to targeted.
- name: Enforcing SELinux
selinux:
state: enforcing
policy: targetedDisabled SELinux
In disabling the policy argument not needed .So state will be disable .
- name: Disabling SELinux state
selinux:
state: disabledTask 2: Reboot the managed host machine
Here I am ensuring in my playbook the configuration files are changing and print the output in playbook at run time. After printing the output the machine will reboot.
Ansible Playbook for disabling SELinux with a reboot
Below is my playbook for this task , before execute you should always test on your environment or dry run. Through this playbook , if system is already in desired state or disable then after executing this playbook the managed host machine will not rebooted . This playbook only reboot when changes occur in configuration file.
---
- name: Ansible Playbook for disabling SELinux and Reboot .
hosts: srv1.example.com
handlers:
- name: reboot server
command: systemctl reboot
tasks:
- name: Disabling SELinux
selinux:
state: disabled
register: selinuxdisabled
- name: Print the changes in Configurtion file
command: grep SELINUX /etc/sysconfig/selinux
register: sevalue
- debug:
var: sevalue.stdout_lines
- name: Wait for 5 Second and Reboot
shell: "sleep 5 && reboot"
async: 1
poll: 0
when: selinuxdisabled is changed
Ansible Playbook for Enforcing SELinux with a reboot
---
- name: Ansible Playbook for enabling SELinux and Reboot .
hosts: srv1.example.com
handlers:
- name: reboot server
command: systemctl reboot
tasks:
- name: Enabling SELinux
selinux:
state: enforcing
policy: targeted
register: selinuxdisabled
- name: Print the changes in Configurtion file
command: grep SELINUX /etc/sysconfig/selinux
register: sevalue
- debug:
var: sevalue.stdout_lines
- name: Wait for 5 Second and Reboot
shell: "sleep 5 && reboot"
async: 1
poll: 0
when: selinuxdisabled is changed