The `selinux_state` resource is used to manage the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template.
Introduced: v4.0.0
Action | Description |
---|---|
`:enforcing` | (Default) Set the SELinux state to enforcing |
`:permissive` | Set the state to permissive |
`:disabled` | Set the state to disabled |

⚠ Switching to or from `disabled` requires a reboot!

Name | Type | Default | Description |
---|---|---|---|
`config_file` | String | `/etc/selinux/config` | Path to SELinux config file on disk |
`persistent` | true, false | `true` | Persist status update to the selinux configuration file |
`policy` | String | `targeted` | SELinux policy type |
`automatic_reboot` | true, false, Symbol | `false` | Whether to automatically reboot the node if needed to change state |

```ruby
selinux_state 'enforcing' do
  action :enforcing
end
```

```ruby
selinux_state 'permissive' do
  action :permissive
end
```

```ruby
selinux_state 'disabled' do
  action :disabled
end
```

Simply set SELinux to enforcing or permissive:

```ruby
selinux_state "SELinux Enforcing" do
  action :enforcing
end

selinux_state "SELinux Permissive" do
  action :permissive
end
```

The action here is based on the value of the `node['selinux']['state']` attribute, which we convert to lower-case and make a symbol to pass to the action.

```ruby
selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
  action node['selinux']['state'].downcase.to_sym
end
```

The action here is based on the value of the `node['selinux']['status']` attribute, which we convert to lower-case and make a symbol to pass to the action.

```ruby
selinux_state "SELinux #{node['selinux']['status'].capitalize}" do
  action node['selinux']['status'].downcase.to_sym
end
```
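
The attribute-driven examples above pass whatever string the attribute holds straight to `action`. The following added example (not part of the cookbook) validates that value against the three documented actions first and checks the persisted config file for drift. The helper names are hypothetical, and it assumes the rendered file uses the standard `SELINUX=` and `SELINUXTYPE=` keys.

```ruby
# Added example: helper names below are hypothetical, not part of the selinux cookbook.
VALID_STATES = %w[enforcing permissive disabled].freeze

# Turn an attribute value into one of the resource's three documented actions.
# Raises on nil or unknown values instead of handing an arbitrary symbol to
# `action`, and refuses :disabled unless the caller explicitly opts in.
def selinux_action_for(value, allow_disabled: false)
  state = value.to_s.strip.downcase
  raise ArgumentError, "unknown SELinux state: #{value.inspect}" unless VALID_STATES.include?(state)
  raise ArgumentError, 'refusing to disable SELinux without allow_disabled' if state == 'disabled' && !allow_disabled
  state.to_sym
end

# Parse KEY=value lines of an SELinux config file, ignoring comments and blanks.
def parse_selinux_config(text)
  text.each_line.with_object({}) do |line, settings|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split('=', 2)
    settings[key.strip] = value.strip if value
  end
end

# List the differences between the persisted config and the intended state/policy.
def config_drift(text, state:, policy: 'targeted')
  cfg = parse_selinux_config(text)
  drift = []
  drift << "SELINUX is #{cfg['SELINUX'].inspect}, expected #{state}" unless cfg['SELINUX'] == state.to_s
  drift << "SELINUXTYPE is #{cfg['SELINUXTYPE'].inspect}, expected #{policy}" unless cfg['SELINUXTYPE'] == policy
  drift
end

# Constructed sample of a config file left in permissive mode.
SAMPLE_CONFIG = <<~CONF
  # This file controls the state of SELinux on the system.
  SELINUX=permissive
  SELINUXTYPE=targeted
CONF

if __FILE__ == $PROGRAM_NAME
  action = selinux_action_for('Enforcing')
  puts "action: #{action.inspect}"
  puts config_drift(SAMPLE_CONFIG, state: action)
end
```

In a recipe, the validated symbol would be passed as `action selinux_action_for(node['selinux']['state'])`, so a missing or mistyped attribute fails the run instead of silently changing the enforcement mode.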