SELinux

Reports SELinux enforcement status, mode, and active policy.

Trait Path

selinux

Fields

Path             Type     Example      Description
selinux.enabled  boolean  true         Whether SELinux is enabled
selinux.mode     string   "enforcing"  Current mode: enforcing, permissive, or disabled
selinux.policy   string   "targeted"   Active SELinux policy name

Collection Method

First checks if /etc/selinux/config exists. If not, returns enabled: false with empty strings. Otherwise:

  • Runs getenforce to get the current mode (enforcing/permissive/disabled)
  • Runs sestatus and parses "Loaded policy name:" or "Policy from config file:" to extract the policy name

SELinux is considered enabled if the mode is neither empty nor "disabled".
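
The collection rules above, sketched in Python as an added example; this is not Vigo's own code. The function names (parse_policy, build_trait, run, collect), the lowercasing of the getenforce output, and the precedence between the two sestatus labels are assumptions.

```python
import os
import subprocess

POLICY_LABELS = ("Loaded policy name:", "Policy from config file:")

def parse_policy(sestatus_out):
    """Return the policy name from sestatus output, or an empty string."""
    for label in POLICY_LABELS:  # precedence between the two is assumed
        for line in sestatus_out.splitlines():
            if line.strip().startswith(label):
                return line.split(":", 1)[1].strip()
    return ""

def build_trait(config_exists, getenforce_out, sestatus_out):
    """Apply the documented rules to captured command output."""
    if not config_exists:
        return {"enabled": False, "mode": "", "policy": ""}
    # getenforce prints "Enforcing"; lowercasing to match the documented
    # field values is an assumption about the collector.
    mode = getenforce_out.strip().lower()
    return {
        "enabled": mode not in ("", "disabled"),
        "mode": mode,
        "policy": parse_policy(sestatus_out),
    }

def run(cmd):
    """Return a command's stdout, or an empty string if it is missing or fails."""
    try:
        return subprocess.run([cmd], capture_output=True, text=True,
                              timeout=5, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return ""

def collect():
    """Live collection on the local host."""
    if not os.path.exists("/etc/selinux/config"):
        return build_trait(False, "", "")
    return build_trait(True, run("getenforce"), run("sestatus"))

# Constructed sample of sestatus output on an enforcing host.
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
"""
```

Under the rule above, enabled is true in permissive mode, so a check that needs enforcement should test mode rather than enabled.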

Using in When Expressions

- name: set-selinux-contexts
  type: exec
  command: restorecon -Rv /var/www
  when: "!os_family('debian')"

Using in Templates

- name: selinux-report
  type: file
  target_path: /var/lib/vigo/selinux.txt
  content: |
    SELinux: {{ .Traits.selinux.mode }}
    Policy: {{ .Traits.selinux.policy }}

Platform

Linux