salt.states.selinux

Management of SELinux rules

If SELinux is available for the running system, the mode can be managed and booleans can be set.

enforcing:
    selinux.mode

samba_create_home_dirs:
    selinux.boolean:
      - value: True
      - persist: True

nginx:
    selinux.module:
      - module_state: Disabled

Note

Use of these states requires that the selinux execution module is available.

salt.states.selinux.boolean(name, value, persist=False)

Set up an SELinux boolean

name
The name of the boolean to set
value
The value to set on the boolean
persist
Defaults to False. Set persist to True to make the boolean setting apply on a reboot.

salt.states.selinux.fcontext_policy_absent(name, filetype='a', sel_type=None, sel_user=None, sel_level=None)

New in version 2017.7.0.

Makes sure an SELinux file context policy for a given filespec (name), filetype and SELinux context type is absent.

name
filespec of the file or directory. Regex syntax is allowed.
filetype
The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_type
The SELinux context type. There are many.
sel_user
The SELinux user.
sel_level
The SELinux MLS range.

salt.states.selinux.fcontext_policy_applied(name, recursive=False)

New in version 2017.7.0.

Checks and makes sure the SELinux policies for a given filespec are applied.

salt.states.selinux.fcontext_policy_present(name, sel_type, filetype='a', sel_user=None, sel_level=None)

New in version 2017.7.0.

Makes sure an SELinux policy for a given filespec (name), filetype and SELinux context type is present.

name
filespec of the file or directory. Regex syntax is allowed.
sel_type
SELinux context type. There are many.
filetype
The SELinux filetype specification. Use one of [a, f, d, c, b, s, l, p]. See also man semanage-fcontext. Defaults to 'a' (all files).
sel_user
The SELinux user.
sel_level
The SELinux MLS range.
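
Example (added here, not taken from the Salt documentation): fcontext_policy_present only records the labeling rule, so files that already exist keep their old label until fcontext_policy_applied relabels them. The path /srv/www, the stale path /srv/old-www, the state IDs and the choice of httpd_sys_content_t are assumptions for illustration.

```yaml
# Constructed example: /srv/www is a hypothetical web root.

# 1. Record the labeling rule in the local SELinux policy.
#    The filespec is a regex, so quote it in YAML.
webroot_fcontext:
  selinux.fcontext_policy_present:
    - name: '/srv/www(/.*)?'
    - sel_type: httpd_sys_content_t
    - filetype: a

# 2. Relabel what is already on disk so the rule takes effect.
#    Without this step, existing files keep their previous context
#    and the confined service may still be denied access.
webroot_relabel:
  selinux.fcontext_policy_applied:
    - name: /srv/www
    - recursive: True
    - require:
      - selinux: webroot_fcontext

# 3. Remove a rule that is no longer wanted (hypothetical old path),
#    so a leftover mapping does not keep granting the web type.
old_webroot_fcontext:
  selinux.fcontext_policy_absent:
    - name: '/srv/old-www(/.*)?'
    - sel_type: httpd_sys_content_t
    - filetype: a
```

Running the states with test=True first shows which rules and labels would change before anything is relabeled.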

salt.states.selinux.mode(name)

Verifies the mode SELinux is running in. The mode can be set to enforcing, permissive, or disabled.

Note

A change to or from disabled mode requires a system reboot. You will need to perform this yourself.

name
The mode to run SELinux in: permissive, enforcing, or disabled.

salt.states.selinux.module(name, module_state='Enabled', version='any', **opts)

Enable/Disable and optionally force a specific version for an SELinux module

name
The name of the module to control
module_state
Should the module be enabled or disabled?
version
Defaults to no preference; set to a specified value if required. Currently the state can only alert if the version is incorrect.
install
Set to True to install the module
source
Points to the module source file; used only when install is True
remove
Set to True to remove the module

New in version 2016.3.0.

salt.states.selinux.module_install(name)

Installs custom SELinux module from given file

name
Path to file with module to install

New in version 2016.11.6.

salt.states.selinux.module_remove(name)

Removes SELinux module

name
The name of the module to remove

New in version 2016.11.6.