# SELinux Configuration

SELinux can be configured in Hiera. For troubleshooting SELinux related problems please have a look at the [SELinux Troubleshooting Guide](../../troubleshooting/selinux).

## Basic Settings

Enable or disable SELinux with `base::selinux`. Options:

* `enforcing`
* `permissive`
* `disabled`

Example:

```yaml
base::selinux_mode: 'disabled'
```

The default depends on the Puppet role, e.g. for servers it is `enforcing` while for workstations and consoles it is `disabled`.

The `permissive` option is useful for setting up a new server to see where SELinux would block if enabled.

## Logging Violations

To record such violations `auditd` needs to run:

```yaml
base::enable_auditd: true
```

On RHEL9 and later this is enabled by default if SELinux is `permissive` or `enforcing`.

Then `setroubleshootd` is very helpful to learn how to configure SELinux if an action is wrongly considered a violation:

```yaml
selinux::setroubleshootd: true
```

On RHEL9 and later this is enabled by default if SELinux is `permissive` or `enforcing`.

## Finetuning

### SELinux Booleans

Use NFS home directories:

```yaml
selinux::use_nfs_home_dirs: true
```

Set SELinux booleans:

```yaml
selinux::booleans: [ 'httpd_can_network_connect', 'domain_can_mmap_files']
```

### File Context (`fcontext`)

Set the fcontext for specific directories:

```yaml
selinux::fcontext:
  logbook-data:
    pathspec: '/var/www/html/logbook-data(/.*)?'
    seltype: 'httpd_sys_rw_content_t'
  logbook-data-local:
    pathspec: '/var/www/html/logbook-data-local(/.*)?'
    seltype: 'httpd_sys_rw_content_t'
```

A unique arbitrary key name for each entry is needed.
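The `selinux::fcontext` entries above (and the `selinux::fcontext::equivalence` entries described next) are declarative, so a mistake only shows up when Puppet runs `semanage` on the host. The following script is an added example, not part of this documentation or of the Puppet module: it checks a Hiera-style mapping before it is committed (the `pathspec` must be a valid regular expression and an absolute path, the `seltype` should be an SELinux type, and two entries must not claim the same pathspec) and shows the `semanage fcontext` commands such entries correspond to. The sample mappings are constructed from the page's own values; the function names are my own.

```python
import re

# Constructed sample mirroring the Hiera layout used on this page (not the Puppet module's code).
FCONTEXT = {
    "logbook-data": {
        "pathspec": "/var/www/html/logbook-data(/.*)?",
        "seltype": "httpd_sys_rw_content_t",
    },
    "logbook-data-local": {
        "pathspec": "/var/www/html/logbook-data-local(/.*)?",
        "seltype": "httpd_sys_rw_content_t",
    },
}

EQUIVALENCE = {
    "apache_online_web": {"path": "/srv/online/web", "target": "/var/www/html"},
    "apache_offlinecheck": {"path": "/srv/offlinecheck", "target": "/var/www/html"},
}


def validate_fcontext(fcontext):
    """Return a list of problems found in a selinux::fcontext-style mapping (empty if clean)."""
    problems = []
    seen = {}
    for key, entry in fcontext.items():
        pathspec = entry.get("pathspec")
        seltype = entry.get("seltype")
        if not pathspec or not seltype:
            problems.append(f"{key}: needs both 'pathspec' and 'seltype'")
            continue
        # fcontext pathspecs are regular expressions; a syntax error here is rejected by
        # semanage at apply time, so catch it before Puppet ever runs.
        try:
            re.compile(pathspec)
        except re.error as exc:
            problems.append(f"{key}: pathspec is not a valid regex ({exc})")
        if not pathspec.startswith("/"):
            problems.append(f"{key}: pathspec must be an absolute path")
        if not seltype.endswith("_t"):
            problems.append(f"{key}: seltype {seltype!r} does not look like an SELinux type")
        if pathspec in seen:
            # The Hiera keys are unique, but two keys with the same pathspec still collide.
            problems.append(f"{key}: pathspec duplicates entry {seen[pathspec]!r}")
        seen.setdefault(pathspec, key)
    return problems


def to_semanage_commands(fcontext, equivalence):
    """Translate the two Hiera mappings into the semanage commands that realise them."""
    cmds = []
    for key in sorted(fcontext):
        e = fcontext[key]
        cmds.append(f"semanage fcontext -a -t {e['seltype']} '{e['pathspec']}'")
    for key in sorted(equivalence):
        e = equivalence[key]
        # -e makes PATH inherit the labelling rules that already apply to TARGET
        cmds.append(f"semanage fcontext -a -e {e['target']} {e['path']}")
    return cmds


if __name__ == "__main__":
    for problem in validate_fcontext(FCONTEXT):
        print("problem:", problem)
    for cmd in to_semanage_commands(FCONTEXT, EQUIVALENCE):
        print(cmd)
```

The commands only register labelling rules; files that already exist under a pathspec keep their old label until `restorecon -R` is run on that directory, which is why a freshly added rule sometimes appears not to work.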
If you wish to have the same fcontext configuration as another path, do:

```yaml
selinux::fcontext::equivalence:
  apache_ssl_conf:
    path: '/srv/online/config/ssl.conf'
    target: '/etc/httpd/conf/httpd.conf'
  apache_index_html:
    path: '/srv/online/config/index.html'
    target: '/var/www/html/index.html'
  apache_online_web:
    path: '/srv/online/web'
    target: '/var/www/html'
  apache_offlinecheck:
    path: '/srv/offlinecheck'
    target: '/var/www/html'
```

A unique arbitrary key name for each entry is needed here as well.

### Custom Module

Custom SELinux modules can also be added. Such a module can be created from recorded violations with

```sh
ausearch --raw | audit2allow -r -m $CUSTOM_SELINUX_MODULE_NAME
```

Note that the `setroubleshootd` log output usually gives you a narrower search filter for `ausearch` for each recorded violation.

Each such module needs to be added with a unique key at the Hiera key `selinux::modules::te`. A full example is

```yaml
selinux::modules::te:
  # SELinux is preventing /usr/local/bin/musrview from setattr access on the directory /usr/lib/fontconfig/cache
  'musrview-font-cache': |
    module musrview-font-cache 1.0;

    require {
      type lib_t;
      type httpd_sys_script_t;
      class dir setattr;
    }

    allow httpd_sys_script_t lib_t:dir setattr;
```

Do not forget to increase the version number (the `1.0` in the `module` line) if you update such a module.
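To make clear what `audit2allow -r` derives from the audit log, here is an added example that is not part of this documentation or of the Puppet module: a deliberately small stand-in for `audit2allow` that parses `type=AVC` records as `ausearch --raw` prints them, groups the denied permissions by source type, target type and object class, and renders the resulting type-enforcement module together with a ready-to-paste `selinux::modules::te` entry. The two AVC records are constructed sample data modelled on the page's `musrview` case; the function names are my own, and the real `audit2allow` handles many more cases (booleans, dontaudit, roles) than this.

```python
import re
from collections import defaultdict

# Constructed AVC records in the format ausearch --raw emits (sample data, not from a real system).
SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { setattr } for  pid=4242 comm="musrview" name="cache" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=4242 comm="musrview" name="cache" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=90 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(raw):
    """Collect denied permissions keyed by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD and PATH records carry no AVC decision
        # A context is user:role:type:level; the policy rule only needs the type.
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials


def fmt_perms(perms):
    """One permission bare, several in braces, as in policy source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te_module(name, version, denials):
    """Render a type-enforcement module: require block plus one allow rule per triple."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"  type {t};" for t in sorted(types)]
    lines += [f"  class {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


def to_hiera(name, te_text, reason):
    """Wrap the module as a selinux::modules::te entry using a YAML literal block."""
    body = "\n".join(("    " + l) if l else "" for l in te_text.rstrip("\n").split("\n"))
    return f"selinux::modules::te:\n  # {reason}\n  '{name}': |\n{body}\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    te = build_te_module("musrview-font-cache", "1.0", denials)
    print(to_hiera("musrview-font-cache", te, "musrview needs to update its fontconfig cache"))
```

Read the generated `allow` rules before adding them: every rule widens what the source domain may do to everything labelled with the target type, so if a boolean or an fcontext change from the sections above covers the case, that is the narrower fix.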