A role to add custom selinux policies from .te files.
Centos 7 or 8.
Ansibles selinux module is dependent on libselinux-python and is
installed for Centos 7 and 8.
- custom_selinux_dir: /etc/selinux_custom -- directory to store policy files
- policy_files: [] -- list of policy files to apply, without .te extension
- enforce_selinux: true -- enforce selinux
Add .te files to files/ directory. (This policy allows httpd to
listen to the telnet port. It is probably not a good idea)
cat >files/test.te<<EOF
module test 1.0;
require {
type httpd_t;
type telnetd_port_t;
class tcp_socket name_bind;
}
#============= httpd_t ==============
allow httpd_t telnetd_port_t:tcp_socket name_bind;
EOF- hosts: all
become: yes
vars:
policy_files:
- test
roles:
- ansible-selinux
List denied actions:
grep avc /var/log/audit/audit.log
echo "<denied action>" | audit2allow -M -o <name of action>GPL2