Posted On 11.04.2026

ConfDroid Puppet Modules – Selinux


Introducing confdroid_selinux: Declarative SELinux Management for Your Rocky 9 Servers

Security-Enhanced Linux (SELinux) is one of the most powerful built-in defenses on modern Linux systems. Classic permissions (user/group/other) are discretionary: the owner of a file decides who may touch it. SELinux adds mandatory access control (MAC) in the kernel. Every process, file, directory and network port carries a security context of the form user:role:type:level, and a policy states exactly which subject types may perform which operations on which object types. The SELinux check runs in addition to the permission check, never instead of it, so an operation that the file permissions would allow can still be denied by policy.

This means that even if an attacker takes over a confined service (as root or not) or tricks it into writing a malicious file, SELinux can still block the next step of the attack, because the file simply does not carry a type the service is allowed to use that way. SELinux confines processes by their domain, not by their uid: a root process in a confined domain such as httpd_t is held to httpd_t's rules, while a fully unconfined root shell is not, which is why confining services matters.
Many enterprise Linux distributions enable SELinux by default in enforcing mode on fresh installs:

  • Rocky Linux 9
  • AlmaLinux 9
  • Red Hat Enterprise Linux (RHEL) 9
  • Fedora

On these systems, SELinux is not an afterthought — it’s a core part of the security model.

How SELinux Stops Real-World Attacks

Imagine an attacker sends a phishing email with a malicious script disguised as a legitimate configuration file, and a user (or a compromised service such as the web server) downloads it into /tmp or into a directory the web server may write to.

Without SELinux:

  • Discretionary permissions are the only check. If the file has the execute bit set and the compromised process runs as a user that can read it, the script runs.

With SELinux (enforcing mode):

  • The file inherits its type from where it was written (for example user_tmp_t in /tmp, or httpd_sys_rw_content_t in a web-writable directory), not an executable type such as httpd_exec_t or bin_t.
  • A confined domain such as httpd_t has no execute permission on those types, so even if the attacker sets the execute bit, the policy denies the execution (or the access that follows).
  • The operation fails, and an AVC denial is written to /var/log/audit/audit.log, where ausearch -m avc or sealert will show it.

SELinux turns potential disasters into harmless denied operations.
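The audit trail is the part of this story a defender actually works with. The following is an added example, not code from the original post or the Confdroid project: a small POSIX shell function that turns raw AVC records into one readable line per denial (source type, permission, target type, class, and whether the host was in permissive mode). The audit records it runs on are constructed to match the scenario above; the inode numbers, pids and timestamps are made up.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials the way a responder reads them.
# Input is audit.log text on stdin; output is one line per denial.

# Constructed sample audit records (not real log data). The first is the
# scenario from the post: httpd_t trying to execute a file that landed in
# /tmp as user_tmp_t. The SYSCALL record is skipped. The third shows a
# permissive-mode record: logged, but not actually blocked (permissive=1).
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1712822400.101:501): avc:  denied  { execute } for  pid=1432 comm="httpd" name="config.sh" dev="dm-0" ino=5230 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1712822400.101:501): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1712822460.220:517): avc:  denied  { write } for  pid=1432 comm="httpd" name="html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
EOF
)

# avc_summary: read audit records on stdin, print one summary line per AVC
# denial. Contexts are user:role:type:level; policy rules are written against
# the type (third field), so that is what gets printed.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; comm = ""; pmode = ""
        # the permission set sits between the braces: { execute }
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "permissive") pmode = kv[2]
        }
        split(src, s, ":"); split(tgt, t, ":")
        printf "%s denied {%s} on %s (class=%s, comm=%s, permissive=%s)\n", s[3], perm, t[3], cls, comm, pmode
    }'
}

# Demo on the constructed sample. On a real host feed it
#   ausearch -m avc -ts recent
# or the tail of /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

The permissive flag is worth keeping in view: a record with permissive=1 means the policy would have denied the operation but the kernel let it through, so a fleet that is "running SELinux" in permissive mode logs the same denials as an enforcing one while stopping none of them.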

The Problem with Manual SELinux Management

While SELinux is powerful, managing it consistently across many servers is painful:

  • Forgetting to run restorecon after placing files, or moving them into place with mv, which keeps the label of the source location instead of applying the destination's default
  • Accidentally setting the wrong mode with setenforce, so that the running mode no longer matches what /etc/selinux/config says
  • Configuration drift between hosts, so that a denial seen on one server cannot be reproduced on another

That’s exactly why I built confdroid_selinux.

What confdroid_selinux Does

This new Puppet 8 module (tested on Rocky 9) gives you full declarative control over SELinux:

  • Installs all required SELinux tools and binaries
  • Manages the main configuration file /etc/sysconfig/selinux (on Rocky 9 a symlink to /etc/selinux/config) with correct permissions and SELinux contexts
  • Controls the global SELinux mode (enforcing or permissive), the Puppet equivalent of setenforce
  • Ensures every file and directory managed by other Confdroid modules receives the proper SELinux context
  • Works cleanly on enforcing-mode systems

All other Confdroid modules (see the full collection overview) already include proper SELinux context handling.

They work even better when confdroid_selinux is present, because the global policy and mode are managed in one place.

SELinux Management Flow with the Module

Here’s how the module turns your Puppet run into reliable SELinux enforcement:

[Mermaid diagram in the original post: SELinux management flow of a Puppet run with the module]

Easy Deployment

  • Simple inclusion in your site.pp or nodes.pp:

    include confdroid_selinux

  • With Foreman (recommended): add the confdroid_selinux::params class to the host or host group and override its parameters (mode, etc.) as smart class parameters.

Important notes:
Test in a non-production environment first.
If you are switching from disabled to enforcing mode, a reboot is required (the module does not reboot automatically to avoid surprises). Files created while SELinux was disabled carry no labels, so touch /.autorelabel before that reboot, and consider booting into permissive mode first and reviewing the audit log before enforcing.
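The two management headaches above, a runtime mode that drifts from the configured one and the reboot needed when coming from disabled, boil down to a small decision table. The following is an added example, not code from the original post or the confdroid_selinux module: a POSIX shell script that reads the SELINUX= setting from a config file, compares it with the running mode as getenforce reports it, and names the action required. The transition table reflects RHEL 9-family behaviour as I understand it; the config file in the demo is constructed, and Disabled is assumed when getenforce is not installed so the demo runs anywhere.

```shell
#!/bin/sh
# Added example: decide what a change of the configured SELinux mode needs on
# a running host. Not part of the confdroid_selinux module.

# configured_mode FILE: print the mode set by the last active SELINUX= line
# of an /etc/selinux/config-style file. Comment lines and SELINUXTYPE= are
# ignored, like the real loader does.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_transition RUNTIME WANTED
#   RUNTIME: getenforce output (Enforcing|Permissive|Disabled)
#   WANTED:  configured mode (enforcing|permissive|disabled)
# Prints the action needed:
#   none            already in the wanted state
#   setenforce 1    live switch, no reboot (permissive -> enforcing)
#   setenforce 0    live switch, no reboot (enforcing -> permissive)
#   reboot-relabel  SELinux is off in the running kernel; files written while
#                   it was off carry no labels, so touch /.autorelabel and
#                   reboot (permissive first, then enforce once audit.log is clean)
#   reboot          disabling needs a reboot; on the RHEL 9 family the
#                   supported way is the selinux=0 kernel argument, not
#                   SELINUX=disabled in the config file
selinux_transition() {
    runtime=$1
    wanted=$2
    case "$runtime:$wanted" in
        Enforcing:enforcing|Permissive:permissive|Disabled:disabled) echo "none" ;;
        Permissive:enforcing) echo "setenforce 1" ;;
        Enforcing:permissive) echo "setenforce 0" ;;
        Disabled:enforcing|Disabled:permissive) echo "reboot-relabel" ;;
        Enforcing:disabled|Permissive:disabled) echo "reboot" ;;
        *) echo "unknown" ;;
    esac
}

# Demo with a constructed config file (not a real host's). getenforce is used
# when present; otherwise Disabled is assumed so the demo runs without the
# SELinux userland installed.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
wanted=$(configured_mode "$tmp")
runtime=$(getenforce 2>/dev/null || echo Disabled)
echo "configured=$wanted runtime=$runtime action=$(selinux_transition "$runtime" "$wanted")"
rm -f "$tmp"
```

Run on a real host, the one-line report is a cheap drift check to put in a cron job or a monitoring probe next to the Puppet run: anything other than action=none means a host is not in the state its configuration claims.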

You can find the full module, source code, and parameter reference here:

Final Thoughts

SELinux is no longer optional on modern enterprise Linux. With confdroid_selinux, you get consistent, version-controlled, and fully automated SELinux management that works hand-in-hand with the rest of the Confdroid collection.
Your servers stay secure by default — even when things go wrong elsewhere.
Have you been running SELinux in enforcing mode across your fleet, or are you still in permissive because of management headaches? Would you like to see more advanced features (custom Booleans, custom modules, etc.) in a future version? Let me know in the comments!


Author Profile

DevOps engineer & architect