RHCE 9.0 Practice Exam: Managing SELinux with RHEL System Roles
Article Overview
This tutorial is designed for RHCE 9.0 certification candidates and explains in detail how to manage SELinux configuration using the Ansible rhel-system-roles.selinux role, ensuring that every managed node ends up in enforcing mode.
What You Will Learn:
- How to install and enable the rhel-system-roles.selinux role
- How to use an Ansible Playbook to manage SELinux
- How to use the rescue mechanism to ensure SELinux enforcement
- A complete Ansible Playbook with detailed explanations
- How to verify that SELinux is properly configured
- Common issues, troubleshooting, and RHCE 9.0 exam tips
1. Task Requirements
1.1. Problem Statement
- Install rhel-system-roles on the control node (control)
- Configure ansible.cfg to set roles_path
- Create an Ansible Playbook at /home/greg/ansible/selinux.yml
- Configure SELinux on all managed nodes (node1 ~ node5)
- If the SELinux role fails, automatically reboot and reapply the role
- Execute the Ansible Playbook
- Verify that SELinux is set to enforcing on all managed nodes
2. Install RHEL System Roles
On the control node, run the following command:
sudo yum -y install rhel-system-roles
Verify Installation
ansible-galaxy list | grep selinux
If the installation is successful, you should see rhel-system-roles.selinux. The command (short for ansible-galaxy role list) only searches the configured roles_path; /usr/share/ansible/roles, where the package installs the roles, is part of Ansible's default path, so the role is found even before ansible.cfg is written. You can also simply run ls /usr/share/ansible/roles/ to list the installed system roles.
3. Configure the Ansible Role Path
vim /home/greg/ansible/ansible.cfg
Add the following lines
[defaults]
roles_path = /home/greg/ansible/roles:/usr/share/ansible/roles
inventory = /home/greg/ansible/inventory
remote_user = ansible
host_key_checking = False

[privilege_escalation]
become = True
Key Points
- roles_path: where Ansible searches for roles. The system roles live in /usr/share/ansible/roles; a project-local roles directory is listed first so that it takes precedence.
- inventory: the default inventory file.
- remote_user: the user Ansible logs in as on the managed nodes.
- host_key_checking = False: skips SSH host key verification. This is convenient in an exam lab, but it removes the protection against a spoofed managed node; outside the lab, pre-populate known_hosts and leave this setting at its default.
- become = True: makes Ansible escalate privileges with sudo for every task. This key belongs in the [privilege_escalation] section; placed under [defaults] it is silently ignored (the playbook below also sets become: yes, so the task works either way).
4. Create the SELinux Playbook
vim /home/greg/ansible/selinux.yml
selinux.yml (with detailed comments)
---
- name: Configure SELinux using RHEL system role
  hosts: all
  become: yes                        # Execute with root privileges
  vars:
    selinux_policy: targeted         # SELinux policy type
    selinux_state: enforcing         # Desired mode; the role writes it to /etc/selinux/config as well
  tasks:
    - name: Apply SELinux role
      block:
        - include_role:
            name: rhel-system-roles.selinux   # Official SELinux role shipped in rhel-system-roles
      rescue:
        # Any failure inside `block` lands here. The role fails on purpose, after setting the
        # fact selinux_reboot_required: true, when the change cannot take effect without a
        # reboot (for example disabled -> enforcing). That is the case handled below.
        - name: Handle errors and log failure
          shell: echo "SELinux role execution failed on $(hostname)" >> /var/log/ansible_selinux.log
          ignore_errors: true        # A failed log write must not abort the recovery
        - name: Fail if the role failed for a reason other than a pending reboot
          fail:
            msg: "SELinux role failed for an unknown reason"
          when: not (selinux_reboot_required | default(false))   # default() covers failures before the role set the fact
        - name: Restart managed host if SELinux changes require it
          shell: sleep 2 && shutdown -r now "Ansible SELinux update triggered"
          async: 1                   # Fire and forget: the SSH session dies with the reboot
          poll: 0                    # Do not wait for the command to return
          ignore_errors: true        # The dropped connection must not stop the playbook
        - name: Wait for the managed host to come back online
          wait_for_connection:
            delay: 15                # Give the host time to actually go down before probing
            timeout: 360             # Up to 6 minutes; a first boot after "disabled" relabels the filesystem
        - name: Verify SELinux status after reboot
          command: getenforce
          register: selinux_status
          changed_when: false        # Read-only check, never reported as a change
        - name: Log SELinux status after reboot
          shell: echo "After reboot SELinux status: {{ selinux_status.stdout }}" >> /var/log/ansible_selinux.log
          ignore_errors: true        # Allow log writing failures
        - name: Reapply the SELinux role after reboot
          include_role:
            name: rhel-system-roles.selinux   # Second pass applies whatever needed the reboot
Key Features
- Main execution (block): applies the rhel-system-roles.selinux role to configure SELinux
- Failure recovery (rescue):
  - Logs a failure message to /var/log/ansible_selinux.log
  - Checks the error type: only a pending reboot (selinux_reboot_required) is handled, any other failure is re-raised
  - Triggers the reboot
  - Waits for the node to come back online (wait_for_connection)
  - Revalidates the SELinux status with getenforce
  - Reapplies the SELinux role so the remaining changes are made
Save and exit (ESC -> :wq)
5. Run the Playbook
Run it from /home/greg/ansible: Ansible reads ansible.cfg from the current directory (or from ANSIBLE_CONFIG), so the roles_path and inventory configured above are only picked up from there.
cd /home/greg/ansible
ansible-playbook selinux.yml
Expected Output
The role's own tasks are printed with the role name as prefix. On a node that is already enforcing they report ok, otherwise changed. A node that needed a reboot additionally shows the rescue tasks (shutdown, wait_for_connection, reapply) before the recap.
TASK [rhel-system-roles.selinux : ...] *****************************************
changed: [node1]
changed: [node2]
changed: [node3]
changed: [node4]
changed: [node5]
In the PLAY RECAP, every node must show failed=0 and unreachable=0; rescued=1 marks a node that went through the reboot path.
6. Verify SELinux Configuration
Check both the persistent setting in /etc/selinux/config and the running mode reported by getenforce; the two can differ on a node that changed its configuration but has not been rebooted yet.
ansible all -m shell -a 'grep ^SELINUX= /etc/selinux/config; getenforce'
Expected Output
(The shell module reports CHANGED rather than SUCCESS because command tasks are always considered a change; rc=0 is what matters.)
node1 | CHANGED | rc=0 >>
SELINUX=enforcing
Enforcing
node2 | CHANGED | rc=0 >>
SELINUX=enforcing
Enforcing
node3 | CHANGED | rc=0 >>
SELINUX=enforcing
Enforcing
...
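As an added example, not code from the original article: a shell check that parses the ad-hoc output above and gives every node a verdict instead of relying on eyeballing five blocks of output. It goes beyond the single happy-path case shown: a node that was switched from disabled but not yet rebooted shows SELINUX=enforcing in the config but Disabled at runtime (exactly the situation the playbook's rescue block handles), a node where someone ran setenforce 0 shows Permissive, and an unreachable host must count as a failure rather than silently disappear from the report. The sample output embedded in the script is constructed, and the verdict names (OK, REBOOT_PENDING, and so on) are this example's own convention.

```shell
#!/bin/bash
# Added example, not code from the original article. Parses the output of
#   ansible all -m shell -a 'grep ^SELINUX= /etc/selinux/config; getenforce'
# and gives every managed node a verdict. Exit status is non-zero unless every
# node is both configured (SELINUX=enforcing) and running (getenforce) enforcing.

# Constructed sample output (not captured from a real run): node1-3 compliant,
# node4 switched from "disabled" but not rebooted yet, node5 unreachable.
SAMPLE_OUTPUT='node1 | CHANGED | rc=0 >>
SELINUX=enforcing
Enforcing
node2 | CHANGED | rc=0 >>
SELINUX=enforcing
Enforcing
node3 | CHANGED | rc=0 >>
SELINUX=enforcing
Enforcing
node4 | CHANGED | rc=0 >>
SELINUX=enforcing
Disabled
node5 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh",
    "unreachable": true
}'

# Read ad-hoc output on stdin, print one line per host: "<host> <config> <runtime> <verdict>".
# Verdict names are this example's own convention, not Ansible or SELinux terms.
classify_selinux_output() {
    awk '
        # Host header: "<host> | CHANGED | rc=0 >>" or "<host> | UNREACHABLE! => {"
        /^[^ ]+ [|] / {
            flush()
            host = $1; st = $3; sub(/!$/, "", st)
            config = "-"; runtime = "-"
            next
        }
        /^SELINUX=/ { split($0, kv, "="); config = kv[2]; next }     # line from /etc/selinux/config
        /^(Enforcing|Permissive|Disabled)$/ { runtime = $0; next }   # line from getenforce
        END { flush() }

        function flush() {
            if (host == "") return
            if (st == "UNREACHABLE")                                   verdict = "UNREACHABLE"
            else if (st != "SUCCESS" && st != "CHANGED")               verdict = "COMMAND_FAILED"
            else if (config == "enforcing" && runtime == "Enforcing")  verdict = "OK"
            else if (config == "enforcing" && runtime == "Disabled")   verdict = "REBOOT_PENDING"      # rescue path: reboot, then reapply the role
            else if (config == "enforcing" && runtime == "Permissive") verdict = "RUNTIME_PERMISSIVE"  # someone ran setenforce 0; rerun the role
            else                                                       verdict = "NOT_ENFORCING"
            print host, config, runtime, verdict
            host = ""
        }
    '
}

# Print the table and return 0 only when every node is OK.
selinux_all_enforcing() {
    local report
    report=$(classify_selinux_output)
    printf '%s\n' "$report"
    printf '%s\n' "$report" | awk '$4 != "OK" { bad = 1 } END { exit bad }'
}

# Stand-alone demo on the constructed sample; with real data pipe the ansible command in instead.
printf '%s\n' "$SAMPLE_OUTPUT" | selinux_all_enforcing || echo "FAIL: at least one node is not enforcing"
```

In use, replace the sample with the live command: ansible all -m shell -a 'grep ^SELINUX= /etc/selinux/config; getenforce' | selinux_all_enforcing. A REBOOT_PENDING verdict means the playbook's rescue path was not completed on that node (for example wait_for_connection timed out), so rerun the playbook rather than fixing the host by hand.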
7. Scoring Criteria
Step | Description | Score |
---|---|---|
1. Install RHEL System Roles | Ensure rhel-system-roles is available | 5 points |
2. Configure ansible.cfg | Set roles_path, inventory | 5 points |
3. Create the SELinux Playbook | Configure SELinux to enforcing | 10 points |
4. Run the Ansible Playbook | Execute the Ansible configuration | 10 points |
5. Implement rescue Mechanism | Handle failures, reboot if required | 10 points |
6. Log SELinux Changes | Ensure all nodes track status | 5 points |
Total Score: 50 points
8. Common Questions & Troubleshooting
Q1: Why is wait_for_connection set to timeout: 360?
A: It gives the managed node up to 6 minutes to finish rebooting before execution resumes. The value is deliberately generous: if the node was previously disabled, the first boot after the change relabels the filesystem, which can take several minutes. If the timeout is still exceeded, that host fails and is skipped for the remaining tasks; rerun the playbook once the node is back up, and the role is applied again.
Q2: How does the rescue mechanism ensure system stability?
A: It catches the deliberate failure the role raises when a reboot is required, reboots the node, logs the resulting state and reapplies the role, so the play ends with every node in the state declared in vars rather than leaving half-applied hosts behind. Any other failure is re-raised by the fail task, so real errors are not hidden by the recovery logic.
Congratulations! You have successfully mastered SELinux management using RHEL system roles for RHCE 9.0 certification!
If you found this guide helpful for your RHCE 9.0 exam preparation, feel free to like and share!