sefcontext – Manages SELinux file context mapping definitions


New in version 2.2.


Synopsis

  • Manages SELinux file context mapping definitions.
  • Similar to the semanage fcontext command.

Requirements

The below requirements are needed on the host that executes this module.

  • libselinux-python
  • policycoreutils-python

On distributions where Ansible runs under Python 3 (Fedora, RHEL/CentOS 8 and later) the equivalent packages are python3-libselinux and python3-policycoreutils; the module imports the selinux and seobject Python bindings these packages provide, and fails with an import error when they are missing.

Parameters

Parameter / Choices/Defaults / Comments

ftype (string)
  Choices: a (default), b, c, d, f, l, p, s
  The file type that should have SELinux contexts applied. The following file type options are available:
    • a for all files
    • b for block devices
    • c for character devices
    • d for directories
    • f for regular files
    • l for symbolic links
    • p for named pipes
    • s for socket files

ignore_selinux_state (boolean, added in 2.8)
  Choices: no (default), yes
  Useful for scenarios, such as a chrooted environment, in which the real SELinux state cannot be read. By default the module refuses to run when SELinux reports itself as disabled on the target host; set this to yes to skip that check and write the mapping anyway.

reload (boolean)
  Choices: no, yes (default)
  Reload SELinux policy after commit.
  Note that this does not apply SELinux file contexts to existing files.

selevel (string)
  SELinux range (MLS/MCS level) for the specified target.
  aliases: serange

setype (string / required)
  SELinux type for the specified target.

seuser (string)
  SELinux user for the specified target.

state (string)
  Choices: absent, present (default)
  Whether the SELinux file context must be absent or present.

target (string / required)
  Target path, written as a regular expression in the same form semanage fcontext accepts (for example '/srv/git_repos(/.*)?' to cover a directory and everything below it).
  aliases: path



Notes

Note

  • The changes are persistent across reboots: they are written to the local file context customizations, the same store semanage fcontext edits, not applied transiently.
  • The sefcontext module does not relabel existing files with the new SELinux context(s), so it is advisable to create the SELinux file context mapping before creating the files, or to run restorecon manually on the existing files that require the new SELinux file contexts.
  • Not applying SELinux file contexts to existing files is a deliberate decision: it would be unclear what a reported change covered, and there is no guarantee that a relabel would not also pick up unrelated prior changes, since restorecon relabels anything whose current context differs from what the policy says, not only files affected by this mapping.


Examples

- name: Allow apache to modify files in /srv/git_repos
  sefcontext:
    # The trailing (/.*)? covers the directory itself and everything below it
    target: '/srv/git_repos(/.*)?'
    setype: httpd_git_rw_content_t
    state: present

# sefcontext only records the mapping; existing files must be relabelled explicitly
- name: Apply new SELinux file context to filesystem
  command: restorecon -irv /srv/git_repos
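An added example, not code from the sefcontext module or the Ansible project: it shows the semanage fcontext command line that a task's parameters correspond to, the line that lands in file_contexts.local, and, because the most common mistake with this module is a target expression that covers too much or too little, a check of which paths a target actually matches under libselinux's anchored-regex semantics. The function names are this example's own; the semanage flags are the documented ones, and the file_contexts rendering assumes semanage's defaults of system_u and s0 when seuser and selevel are omitted.

```python
import re
import shlex

# Added example, not code from the sefcontext module itself.  It mirrors what
# a sefcontext task amounts to: a mapping in the local file context store that
# `semanage fcontext` would write, plus a check of which paths the target
# expression really covers.  Function names are this example's own.

FTYPES = ("a", "b", "c", "d", "f", "l", "p", "s")
# How each ftype appears in file_contexts ("a" means no type column at all).
FILE_CONTEXTS_TYPE = {"a": "", "b": "-b", "c": "-c", "d": "-d",
                      "f": "--", "l": "-l", "p": "-p", "s": "-s"}


def semanage_argv(target, setype=None, ftype="a", seuser=None, selevel=None,
                  state="present"):
    """argv of the `semanage fcontext` call equivalent to one sefcontext task.

    -a/-d, -t, -s, -r and -f are semanage's documented options.  Note that
    `semanage fcontext -a` fails if the target is already defined with another
    type (it wants -m then); the module handles that case itself.
    """
    if ftype not in FTYPES:
        raise ValueError("ftype must be one of %s" % ", ".join(FTYPES))
    if state not in ("present", "absent"):
        raise ValueError("state must be 'present' or 'absent'")
    if state == "present" and not setype:
        raise ValueError("setype is required when state=present")
    argv = ["semanage", "fcontext", "-a" if state == "present" else "-d"]
    if state == "present":
        argv += ["-t", setype]
        if seuser:
            argv += ["-s", seuser]
        if selevel:
            argv += ["-r", selevel]
    if ftype != "a":
        argv += ["-f", ftype]
    argv.append(target)
    return argv


def file_contexts_line(target, setype, ftype="a", seuser="system_u",
                       selevel="s0"):
    """The form the mapping takes in file_contexts.local (whitespace-separated
    fields).  system_u and s0 are the defaults semanage fills in when
    seuser/selevel are not given."""
    cols = [target]
    if FILE_CONTEXTS_TYPE[ftype]:
        cols.append(FILE_CONTEXTS_TYPE[ftype])
    cols.append("%s:object_r:%s:%s" % (seuser, setype, selevel))
    return "\t".join(cols)


def fcontext_matches(target, path):
    """Whether a file_contexts target expression covers `path`.

    libselinux anchors every expression at both ends ('^' ... '$'), which is
    why '/srv/git_repos(/.*)?' covers the directory and everything below it,
    while '/srv/git_repos.*' also catches '/srv/git_repos2' and
    '/srv/git_repos/.*' misses the directory itself.  Python's re stands in
    for the PCRE libselinux uses; the patterns here are in the common subset.
    """
    return re.match("^(?:%s)$" % target, path) is not None


def coverage(target, paths):
    """Map each candidate path to whether `target` would label it."""
    return {p: fcontext_matches(target, p) for p in paths}


if __name__ == "__main__":
    target = "/srv/git_repos(/.*)?"
    print(" ".join(shlex.quote(a) for a in
                   semanage_argv(target, "httpd_git_rw_content_t")))
    print(file_contexts_line(target, "httpd_git_rw_content_t"))
    # Constructed sample paths, including two look-alikes that must NOT match.
    for p, hit in coverage(target, ["/srv/git_repos",
                                    "/srv/git_repos/hooks/pre-receive",
                                    "/srv/git_repos2",
                                    "/srv/git_repos_old/x"]).items():
        print("%-34s %s" % (p, "labelled" if hit else "not labelled"))
```

Run it before committing a target expression to a playbook: if a sibling directory such as /srv/git_repos2 shows up as labelled, the expression is too loose and would hand httpd write access to content it was never meant to reach; if the directory itself shows as not labelled, restorecon will leave it with its old type.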

Status

Authors

  • Dag Wieers (@dagwieers)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/sefcontext_module.html