sefcontext – Manages SELinux file context mapping definitions

Synopsis

  • Manages SELinux file context mapping definitions.

  • Similar to the semanage fcontext command.

Requirements

The below requirements are needed on the host that executes this module.

  • libselinux-python

  • policycoreutils-python

Parameters

Parameter Choices/Defaults Comments
ftype
string
    Choices:
  • a ←
  • b
  • c
  • d
  • f
  • l
  • p
  • s
The file type that should have SELinux contexts applied.
The following file type options are available:
a for all files,
b for block devices,
c for character devices,
d for directories,
f for regular files,
l for symbolic links,
p for named pipes,
s for socket files.
ignore_selinux_state
boolean
added in 2.8
    Choices:
  • no ←
  • yes
Useful for scenarios (chrooted environment) that you can't get the real SELinux state.
reload
boolean
    Choices:
  • no
  • yes ←
Reload SELinux policy after commit.
Note that this does not apply SELinux file contexts to existing files.
selevel
string
SELinux range for the specified target.

aliases: serange
setype
string / required
SELinux type for the specified target.
seuser
string
SELinux user for the specified target.
state
string
    Choices:
  • absent
  • present ←
Whether the SELinux file context must be absent or present.
target
string / required
Target path (expression).

aliases: path

Notes

Note

  • The changes are persistent across reboots.

  • The sefcontext module does not modify existing files to the new SELinux context(s), so it is advisable to first create the SELinux file contexts before creating files, or run restorecon manually for the existing files that require the new SELinux file contexts.

  • Not applying SELinux fcontexts to existing files is a deliberate decision as it would be unclear what reported changes would entail to, and there’s no guarantee that applying SELinux fcontext does not pick up other unrelated prior changes.

Examples

- name: Allow apache to modify files in /srv/git_repos
  sefcontext:
    target: '/srv/git_repos(/.*)?'
    setype: httpd_git_rw_content_t
    state: present

- name: Apply new SELinux file context to filesystem
  command: restorecon -irv /srv/git_repos

Status

Authors

  • Dag Wieers (@dagwieers)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.