If you are not familiar with modules, check out Ansible - Getting Started with Modules.
By default, the SELinux policy labels certain ports with certain port types, and a confined service may only bind to ports carrying its type. For example, the semanage command can be used to see that the http_port_t type, which web servers are allowed to use, covers the following ports.
~]# ansible all --module-name shell --args "semanage port -l | grep ^http_port_t"
server1.example.com | CHANGED | rc=0 >>
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
Similarly, SELinux labels the following ports with http_cache_port_t, the type web servers are allowed to use for caching.
~]# ansible all --module-name shell --args "semanage port -l | grep ^http_cache_port_t"
server1.example.com | CHANGED | rc=0 >>
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
The libselinux-python and policycoreutils-python packages need to be installed on the managed node before the seport module can be used; on a Red Hat family system (CentOS, Fedora, Red Hat) this can be done with the dnf or yum module.
---
- hosts: web
  remote_user: root
  tasks:
    - name: install or update libselinux-python and policycoreutils-python
      dnf:
        name: ['libselinux-python', 'policycoreutils-python']
        state: latest
...
In this example, the seport module is used to label ports 18080 through 18089 with the http_port_t type, so that web servers are allowed to use them.
---
- hosts: web
  remote_user: root
  tasks:
    - name: configure SELinux to allow web servers to use ports 18080 through 18089
      seport:
        ports: ['18080', '18081', '18082', '18083', '18084', '18085', '18086', '18087', '18088', '18089']
        proto: tcp
        setype: http_port_t
        state: present
...
Setting state: absent instead removes the ports from the type again.
---
- hosts: web
  remote_user: root
  tasks:
    - name: remove ports 18080 through 18089 from SELinux port type http_port_t
      seport:
        ports: ['18080', '18081', '18082', '18083', '18084', '18085', '18086', '18087', '18088', '18089']
        proto: tcp
        setype: http_port_t
        state: absent
...
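A check worth running before and after the seport tasks above, as an added example that is not part of the original post: a small Python parser for the semanage port -l output shown earlier, which reports which ports of a requested range are not yet labelled with a given type and handles port ranges such as 10001-10010. The SAMPLE text is constructed to mirror the output on this page, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of `semanage port -l` output, modelled on the lines shown
# on this page (not captured from a real host).
SAMPLE = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""

# One data line: <setype> <proto> <comma-separated ports or low-high ranges>.
# The header line does not match because its second field is not tcp/udp.
LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")


def parse_semanage_ports(text):
    """Map (setype, proto) -> list of (low, high) inclusive port ranges."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or unexpected text
        setype, proto, spec = m.groups()
        for item in spec.split(","):
            item = item.strip()
            if "-" in item:  # range such as 10001-10010
                low, high = (int(x) for x in item.split("-", 1))
            else:
                low = high = int(item)
            table[(setype, proto)].append((low, high))
    return dict(table)


def port_types(table, port, proto):
    """Return the set of SELinux port types whose ranges cover port/proto."""
    return {st for (st, p), ranges in table.items()
            if p == proto and any(lo <= port <= hi for lo, hi in ranges)}


def is_allowed(table, setype, port, proto="tcp"):
    """True if port/proto is already labelled with setype."""
    return setype in port_types(table, port, proto)


def missing_ports(table, setype, ports, proto="tcp"):
    """Ports not yet labelled setype, i.e. what a seport task would add."""
    return [p for p in ports if not is_allowed(table, setype, p, proto)]
```

Run the real command through the shell module as shown above, feed its output to parse_semanage_ports, and an empty missing_ports result confirms the seport task took effect on that host.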