Inspect SELinux map scope
When To Use This
Use this when SELinux user maps and HBAC-linked scope should be reviewed before access or automation changes.
Required Authority
IdM owns SELinux map records. The lookup reads direct members and linked HBAC scope.
Safety Boundary
This workflow is read-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Inputs
- Named target objects
- Credentials with the required IdM or platform authority
- A reviewed output path or downstream task
Steps
- Confirm the target objects and authority before running.
- Run the command or task with review-friendly output.
- Inspect the returned evidence before continuing to any mutating step.
lookup('eigenstate.ipa.selinuxmap', 'staff_u_map', result_format='record')
Example SELinux Map Check
This playbook confirms that a named SELinux user map exists, is enabled, and is scoped through the expected HBAC rule.
inspect-selinux-map.yml
---
- name: Inspect SELinux user map scope
  hosts: localhost
  gather_facts: false
  tasks:
    # Read-only: the lookup runs on the controller and only reads the map record.
    - name: Read SELinux map state
      ansible.builtin.set_fact:
        map_state: >-
          {{ lookup('eigenstate.ipa.selinuxmap',
                    'ops-deploy-map',
                    server='idm-01.example.com',
                    kerberos_keytab='/runner/env/ipa/automation.keytab') }}

    # Gate: fail the play before any mutating step if the map is missing,
    # disabled, or linked to a different HBAC rule than expected.
    - name: Require enabled HBAC-scoped confinement
      ansible.builtin.assert:
        that:
          - map_state.exists
          - map_state.enabled
          - map_state.hbacrule == 'ops-deploy'
        fail_msg: "ops-deploy-map is missing, disabled, or not scoped by ops-deploy."
Run It
ansible-playbook inspect-selinux-map.yml
Expected Evidence
The lookup returns map state and HBAC link fields in a deterministic structure.
{
"changed": false,
"exists": true,
"enabled": true,
"name": "ops-deploy-map",
"hbacrule": "ops-deploy",
"users": [
"staff_u"
]
}
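As an added example (not code from this page or from the eigenstate.ipa collection), the following Python applies the same three checks as the assert task above to a record of the shape shown under Expected Evidence, and goes slightly further: it distinguishes an empty lookup result (the "unexpected empty result" case from Troubleshooting) from a record that exists but is disabled or scoped by the wrong HBAC rule, and it can optionally compare the record's users list against an expected list. The function name check_selinux_map_scope, the filter name selinux_map_findings, the expected_users parameter and the finding texts are assumptions for illustration; the sample record is constructed from the Expected Evidence block.

```python
"""Offline scope check for a SELinux user map record.

Added example, not part of the eigenstate.ipa collection. Takes a record of the
shape shown under Expected Evidence (exists/enabled/name/hbacrule/users) and
returns a list of findings; an empty list means the map passes. Function name,
filter name and the expected_users check are assumptions for illustration.
"""
from typing import Any, Dict, List, Optional, Sequence

# Constructed sample, copied from the Expected Evidence record on this page.
SAMPLE_RECORD: Dict[str, Any] = {
    "changed": False,
    "exists": True,
    "enabled": True,
    "name": "ops-deploy-map",
    "hbacrule": "ops-deploy",
    "users": ["staff_u"],
}


def check_selinux_map_scope(record: Optional[Dict[str, Any]],
                            expected_rule: str,
                            expected_users: Optional[Sequence[str]] = None) -> List[str]:
    """Return human-readable findings; [] means the map is in scope.

    An empty or missing record is reported as its own finding (wrong target
    name or missing source record) rather than silently passing, and each
    failed condition gets its own line so the caller can fail with a precise
    reason instead of one generic assert message.
    """
    findings: List[str] = []
    if not record:
        # Lookup returned nothing: nothing to inspect, so fail explicitly.
        return ["lookup returned no record; verify the map name and source records"]
    name = record.get("name", "<unknown>")
    if not record.get("exists", False):
        # Missing map: later checks are meaningless, stop here.
        return [f"map {name} does not exist"]
    if not record.get("enabled", False):
        findings.append(f"map {name} is disabled")
    rule = record.get("hbacrule")
    if rule != expected_rule:
        findings.append(f"map {name} is scoped by HBAC rule {rule!r}, expected {expected_rule!r}")
    if expected_users is not None:
        # Optional: flag any drift between the record's users list and what we expect.
        actual = set(record.get("users") or [])
        wanted = set(expected_users)
        extra = sorted(actual - wanted)
        missing = sorted(wanted - actual)
        if extra:
            findings.append(f"map {name} lists unexpected users: {', '.join(extra)}")
        if missing:
            findings.append(f"map {name} is missing expected users: {', '.join(missing)}")
    return findings


class FilterModule:
    """Expose the check as an Ansible filter (place this file under filter_plugins/)."""

    def filters(self):
        return {"selinux_map_findings": check_selinux_map_scope}


if __name__ == "__main__":
    # Passes on the sample record: prints []
    print(check_selinux_map_scope(SAMPLE_RECORD, "ops-deploy", ["staff_u"]))
    # Disabled and wrongly scoped: prints two findings
    print(check_selinux_map_scope(dict(SAMPLE_RECORD, enabled=False, hbacrule="other"), "ops-deploy"))
```

With the file saved as filter_plugins/selinux_map.py next to the playbook, the assert task can test map_state | selinux_map_findings('ops-deploy', ['staff_u']) == [] and print the findings list in fail_msg, so a failed run states which condition failed rather than the combined message used above.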
Troubleshooting
- Permission failure: verify the account and delegated authority.
- Unexpected empty result: verify target names and source records.
- Unsafe output: redact payloads and set no_log: true on any task where secret material (such as credentials passed to the lookup) could appear in the output.