Merge pull request #236 from jaredledvina/feature/allow-configuring-s…

…elinux-status Support configuring SELinux and default to enforcing
dev-sec · Oct 17, 2019 · 804538e · 804538e
2 parents 754138d + 9298965
commit 804538e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -250,3 +250,8 @@ os_hardening_enabled: true
 
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
+
+# Set the SELinux state, can be either disabled, permissive, or enforcing.
+os_selinux_state: enforcing
+# Set the SELinux polixy.
+os_selinux_policy: targeted
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -58,3 +58,8 @@
 - import_tasks: apt.yml
   when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu'
   tags: apt
+
+- import_tasks: selinux.yml
+  tags: selinux
+  when:
+    - ansible_facts.selinux.status == 'enabled'
diff --git a/tasks/selinux.yml b/tasks/selinux.yml
@@ -0,0 +1,5 @@
+---
+- name: configure selinux | selinux-01
+  selinux:
+    policy: "{{ os_selinux_policy }}"
+    state: "{{ os_selinux_state }}"