Add SELinux support to the base role

2026-01-13 01:07:29 -05:00
parent ac33f8bf7d
commit 39e8f78adf
2 changed files with 14 additions and 0 deletions
--- a/dev/host_vars/podman.yml
+++ b/dev/host_vars/podman.yml
@@ -1,6 +1,8 @@
 ##############
 #### base ####
 ##############
+selinux:
+  state: enforcing

 base_allow_reboot: false
 base_manage_network: false
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -4,6 +4,18 @@
    state: present
    update_cache: true

+- name: Get the default policy and basic SELinux utilities
+  ansible.builtin.apt:
+    name: ["selinux-basics", "selinux-policy-default", "auditd"]
+    state: present
+  when: selinux is defined and selinux is not false
+
+- name: Configure SELinux
+  ansible.posix.selinux:
+    state: "{{ selinux.state | default('permissive') }}"
+    policy: "{{ selinux.policy | default('default') }}"
+  when: selinux is defined and selinux is not false
+
 - name: Install GPG
  ansible.builtin.apt:
    name: gpg