From 39e8f78adf8f3dd34012b58d58affbd0e2c1e639 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Tue, 13 Jan 2026 01:07:29 -0500
Subject: [PATCH] Add SELinux support to the base role

---
 dev/host_vars/podman.yml | 2 ++
 roles/base/tasks/system.yml | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/dev/host_vars/podman.yml b/dev/host_vars/podman.yml
index d621f35..30e2933 100644
--- a/dev/host_vars/podman.yml
+++ b/dev/host_vars/podman.yml
@@ -1,6 +1,8 @@
 ##############
 #### base ####
 ##############
+selinux:
+  state: enforcing
 
 base_allow_reboot: false
 base_manage_network: false
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index 424c6bd..b645c34 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -4,6 +4,18 @@
     state: present
     update_cache: true
 
+- name: Get the default policy and basic SELinux utilities
+  ansible.builtin.apt:
+    name: ["selinux-basics", "selinux-policy-default", "auditd"]
+    state: present
+  when: selinux is defined and selinux is not false
+
+- name: Configure SELinux
+  ansible.posix.selinux:
+    state: "{{ selinux.state | default('permissive') }}"
+    policy: "{{ selinux.policy | default('default') }}"
+  when: selinux is defined and selinux is not false
+
 - name: Install GPG
   ansible.builtin.apt:
     name: gpg
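Review bot: The `Configure SELinux` task in the `roles/base/tasks/system.yml` hunk persists the new state (`enforcing` for the podman host) but nothing consumes the module's `reboot_required` result, so a host that was running with SELinux disabled keeps running unconfined, with an unlabeled filesystem, until someone reboots it by hand. As far as I know `ansible.posix.selinux` only edits `/etc/selinux/config` and calls `setenforce`; on Debian the kernel still needs `security=selinux selinux=1` on the GRUB command line plus a `/.autorelabel` run, which is what `selinux-activate` from the `selinux-basics` package this commit installs sets up, and that step is absent here. I would `register: base_selinux` on the task, run `selinux-activate` when the config actually changed, and reboot only when `reboot_required` is set and the existing `base_allow_reboot` switch visible in the host_vars hunk permits it. Worth a comment as well that jumping straight to `enforcing` on a freshly relabeled Debian host can lock out services the default policy does not yet cover, so a first pass in `permissive` with an audit-log review is the safer rollout.

```yaml
- name: Configure SELinux
  ansible.posix.selinux:
    state: "{{ selinux.state | default('permissive') }}"
    policy: "{{ selinux.policy | default('default') }}"
  register: base_selinux
  when: selinux is defined and selinux is not false

# Debian kernels boot with SELinux off; selinux-activate adds the GRUB
# parameters and schedules a relabel (/.autorelabel) for the next boot.
- name: Activate SELinux at boot and schedule a filesystem relabel
  ansible.builtin.command: selinux-activate
  when:
    - selinux is defined and selinux is not false
    - base_selinux.changed
    - base_selinux.reboot_required | default(false)

- name: Reboot so the SELinux enablement and relabel take effect
  ansible.builtin.reboot:
  when:
    - base_selinux.reboot_required | default(false)
    - base_allow_reboot | default(false)
```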