Mastering SELinux Configuration and Orchestration via Ansible Become

Published by TechMarmot Editorail Staff on | Category Ansible

The intersection of Security-Enhanced Linux (SELinux) and Ansible's privilege escalation mechanism, known as become, represents one of the most complex friction points in modern Linux systems administration. SELinux operates as a kernel-level security module that implements Mandatory Access Control (MAC), restricting the capabilities of processes based on a rigorous security context. Ansible, conversely, relies on the become directive to switch user identities—typically transitioning from a deployment user to the root user via sudo—to execute administrative tasks. When these two systems collide, the result is often a series of "Permission Denied" errors that baffle administrators because the standard Linux permissions (read, write, execute) appear correct, but the SELinux security context is invalid.

The fundamental conflict arises because SELinux tracks the security context of every single process, file, and network port. When Ansible invokes become: true, it triggers a transition in the security context. If this transition does not result in a valid, policy-compliant context, the kernel blocks the operation. This behavior frequently creates a discrepancy where a manual SSH session followed by a manual sudo command succeeds, while the identical Ansible playbook fails. This occurs because the automated nature of Ansible's connection and execution flow can differ from an interactive shell in how it handles session contexts and transitions. To resolve these conflicts, an administrator must move beyond simple permission management and begin orchestrating the security contexts themselves using specialized Ansible modules and system roles.

The Mechanics of the Become Conflict and SELinux

The become mechanism in Ansible is designed to facilitate privilege escalation. In most environments, this is achieved through sudo. However, in an SELinux-enforcing environment, the transition from a non-privileged user to root is not merely a change in User ID (UID) and Group ID (GID), but a transition of the security label.

The primary symptom of a conflict between become and SELinux is the appearance of vague error messages. Users often encounter "Permission Denied" alerts that do not correspond to any obvious file system permission issue. The technical reality is that the operation is being blocked by the SELinux policy engine. Because these denials are handled at the kernel level, they do not appear in standard application logs but are instead recorded in the SELinux audit logs.

To diagnose these issues, administrators must first verify the current state of the system. The following playbook demonstrates how to programmatically determine if SELinux is enforcing, permissive, or disabled across a fleet of hosts.

```yaml

check-selinux.yml - Verify SELinux mode on target hosts

  • name: Check SELinux status
    hosts: all
    become: true
    tasks:

    • name: Get SELinux status
      ansible.builtin.command: getenforce
      register: selinuxstatus
      changed      when: false

    • name: Display SELinux mode
      ansible.builtin.debug:
      msg: "SELinux is {{ selinuxstatus.stdout }} on {{ inventoryhostname }}"

    • name: Get detailed SELinux status
      ansible.builtin.command: sestatus
      register: sestatusoutput
      changed      when: false

    • name: Show full SELinux details
      ansible.builtin.debug:
      msg: "{{ sestatusoutput.stdoutlines }}"
      ```

The use of getenforce provides a quick check of the current mode, while sestatus provides a comprehensive view of the policy type (e.g., targeted) and the current status of the enforcement engine.

Managing SELinux Enforcement Modes

The state of SELinux can be transitioned between enforcing and permissive modes. Enforcing mode is the production standard, where the policy is strictly applied and unauthorized actions are blocked. Permissive mode is a critical debugging tool; in this state, SELinux does not block any actions, but it logs every instance where a policy would have been violated. This allows an administrator to identify missing policies without breaking the application.

Changing the state of SELinux requires root privileges, necessitating the use of become: true. The ansible.posix.selinux module is the primary tool for managing these states.

```yaml

set-selinux-mode.yml - Manage SELinux enforcement mode

  • name: Manage SELinux mode
    hosts: all
    become: true
    tasks:

    • name: Set SELinux to enforcing mode
      ansible.posix.selinux:
      policy: targeted
      state: enforcing
      register: selinux_result

    • name: Reboot if SELinux state changed and requires it
      ansible.builtin.reboot:
      msg: "Rebooting to apply SELinux changes"
      reboottimeout: 300
      when: selinux      result.reboot_required | default(false)
      ```

It is critical to note that while permissive mode is useful for troubleshooting, SELinux should almost never be disabled entirely. Disabling the module requires a reboot and leaves the system without its primary security layer. If a change in the policy or state requires a reboot to take effect, the ansible.builtin.reboot module should be used to ensure the system returns to a consistent state.

Orchestrating SELinux Booleans with Ansible

SELinux booleans are system-wide toggles that allow administrators to enable or disable specific security policy features without writing new policy modules. These booleans act as switches for common scenarios, such as allowing a web server to connect to a database or send mail. Because modifying booleans changes the system's security posture, these operations must be performed with root privileges via the become mechanism.

To manage these booleans, the ansible.posix.seboolean module is used. This module is part of the ansible.posix collection, which must be installed prior to execution.

The installation command for the required collection is:

```bash

Install the ansible.posix collection

ansible-galaxy collection install ansible.posix
```

The following playbook illustrates the configuration of a typical web application stack where the HTTP daemon requires network and database access.

```yaml

configure-selinux-booleans.yml - Set SELinux booleans for web app

  • name: Configure SELinux booleans
    hosts: webservers
    become: true
    tasks:

    • name: Allow HTTPD to connect to the network
      ansible.posix.seboolean:
      name: httpdcannetwork_connect
      state: true
      persistent: true

    • name: Allow HTTPD to connect to databases
      ansible.posix.seboolean:
      name: httpdcannetworkconnectdb
      state: true
      persistent: true

    • name: Allow HTTPD to send mail
      ansible.posix.seboolean:
      name: httpdcansendmail
      state: true
      persistent: true

    • name: Allow HTTPD to use NFS home directories
      ansible.posix.seboolean:
      name: httpdusenfs
      state: true
      persistent: true
      ```

A critical parameter in this configuration is persistent: true. Without this setting, the boolean change is only applied to the current session and will be lost upon reboot. Setting this to true ensures the change is written to the policy store, maintaining the desired security state across system restarts.

Restoring File Contexts and Managing Labels

A frequent issue in automated deployments is "label drift." When Ansible copies files to a remote server, the files are often created with a generic security context based on the user performing the action. If these files are placed in a directory managed by a specific SELinux policy (like /var/www/html for Apache), the generic label will prevent the service from accessing the files, resulting in 403 Forbidden errors.

The solution is to restore the default security contexts. The restorecon command reads the policy and applies the correct labels to the files. Since this modifies the file system's extended attributes, it requires root access.

```yaml

restore-contexts.yml - Fix SELinux contexts after deployment

  • name: Restore SELinux file contexts
    hosts: all
    become: true
    tasks:

    • name: Restore contexts on the web root
      ansible.builtin.command: restorecon -Rv /var/www/html
      register: restoreresult
      changed      when: restore_result.stdout != ""

    • name: Show what was fixed
      ansible.builtin.debug:
      msg: "{{ restoreresult.stdoutlines }}"
      when: restore_result.stdout != ""
      ```

The use of restorecon -Rv ensures that the operation is recursive and verbose, allowing the administrator to see exactly which files had incorrect labels and were corrected.

Advanced Hardening via RHEL System Roles

For users on RHEL-compatible systems, Red Hat provides System Roles. These are a specialized collection of Ansible roles and modules that provide a standardized interface for managing system configurations. The selinux System Role allows for a more holistic approach to security than individual module calls.

The selinux System Role provides capabilities including:

  • Setting enforcing or permissive modes
  • Restoring file contexts on specified files or directories
  • Getting and setting booleans
  • Managing file contexts
  • Managing user logins and their mappings to SELinux users
  • Managing network ports
  • Managing SELinux modules
  • Saving or cleaning local policy modifications
  • Performing full system lockdown

To utilize these roles, the appropriate packages must be installed based on the operating system version.

For RHEL 9:

```bash

dnf install rhel-system-roles

```

For Fedora:

```bash

dnf install linux-system-roles

```

Utilizing the selinux-playbooks Framework

The selinux-playbooks project, available on GitHub, provides a set of preconfigured playbooks designed for aggressive security hardening. This framework allows administrators to move beyond basic configuration and implement a "lockdown" state.

The installation process involves cloning the repository and navigating to the hardening directory:

```bash

Clone the repository

git clone https://github.com/fedora-selinux/selinux-playbooks.git

Move to the hardening directory

cd selinux-playbooks/selinux-hardening/
```

The framework utilizes a main configuration file, selinux-playbook.yml, which references several other files for granular control:

  • hosts.yaml: Defines the target systems. For example, a webserver can be defined as 192.168.122.164.
  • Boolean configuration files: Predefined lists of booleans that prevent processes from memory execution, sharing files, or connecting to unauthorized ports.
  • User mapping files: Used to confine Linux users by mapping them to specific SELinux users, reducing the blast radius of a compromised account.

The System Lockdown Process

The system-lockdown playbook is an extreme hardening measure. When executed, it applies a series of restrictive booleans and configurations that can prevent processes from accessing memory or sharing files.

The command to execute the lockdown is:

```bash

ansible-playbook system-lockdown/selinux-lockdown-playbook.yml -i inventory/hosts

```

There are severe consequences to this operation. If the lockdown playbook is run with all secure booleans enabled, the system may reach a state where users cannot revert the lockdown using the provided revert playbook. Furthermore, the ability to perform any further SELinux-related operations may be lost. The only way to recover from a total lockdown if the revert playbook fails is to reboot the system and use the enforcing=0 kernel parameter during boot to force the system into permissive mode.

Comparative Analysis of SELinux Management Methods

The following table compares the different methods of managing SELinux via Ansible, ranging from basic module usage to full system roles.

Method Scope Complexity Use Case Primary Tool
Module Based Task-specific Low Single boolean or mode change ansible.posix.selinux
Command Based Ad-hoc Low Quick fixes, label restoration ansible.builtin.command
System Roles System-wide Medium RHEL standard configuration rhel-system-roles
Hardening Framework Global/Enterprise High Maximum security lockdown selinux-playbooks

Conclusion

The successful orchestration of SELinux using Ansible requires a deep understanding of how privilege escalation via become interacts with kernel-level security contexts. While the initial experience with "Permission Denied" errors can be frustrating, the use of the ansible.posix collection and the selinux System Role transforms these challenges into a repeatable, automated process.

By utilizing getenforce and sestatus for verification, seboolean for policy adjustment, and restorecon for label maintenance, administrators can ensure that security does not come at the expense of usability. For those requiring extreme security postures, the selinux-playbooks framework provides a path toward complete system lockdown, provided the administrator is aware of the critical nature of the enforcing=0 kernel fallback. Ultimately, the integration of Ansible with SELinux allows for the deployment of a "Secure by Default" infrastructure that is both scalable and maintainable across thousands of nodes.

Sources

  1. OneUptime Blog: How to use Ansible Become with SELinux
  2. Red Hat Customer Portal: SELinux as a security pillar

Related Posts