Parameterize setting the selinux mode

By parameterizing the selinux mode we can set the mode and pass the mode to other classes so they can make decisions on whether or not to run selinux commands as part of their configuration. Depends-On: I21add092d9d09077f2b23760a384f5a5cb91d86a Change-Id: I86a5bb006b6ab9d64f7fbd894c967428cfaed8f8
2015-09-10 13:32:29 -05:00 · 2015-09-10 13:32:29 -05:00 · e130792ed9
commit e130792ed9
parent 04c2028603
4 changed files with 15 additions and 9 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -485,6 +485,7 @@ node /^git\d+\.openstack\.org$/ {
    ssl_key_file_contents   => hiera('git_ssl_key_file_contents', 'XXX'),
    ssl_chain_file_contents => hiera('git_ssl_chain_file_contents', 'XXX'),
    behind_proxy            => true,
+    selinux_mode            => 'enforcing'
  }
 }

@ -754,6 +755,7 @@ node 'pbx.openstack.org' {
        outgoing => false,
      },
    ],
+    selinux_mode  => 'enforcing'
  }
 }

--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@ -18,7 +18,8 @@
 class openstack_project::git (
  $sysadmins = [],
  $balancer_member_names = [],
-  $balancer_member_ips = []
+  $balancer_member_ips = [],
+  $selinux_mode = 'enforcing'
 ) {
  class { 'openstack_project::server':
    iptables_public_tcp_ports => [80, 443, 9418],
@ -27,7 +28,7 @@ class openstack_project::git (

  if ($::osfamily == 'RedHat') {
    class { 'selinux':
-      mode => 'enforcing'
+      mode => $selinux_mode
    }
  }

--- a/modules/openstack_project/manifests/git_backend.pp
+++ b/modules/openstack_project/manifests/git_backend.pp
@ -23,6 +23,7 @@ class openstack_project::git_backend (
  $ssl_chain_file_contents = '',
  $behind_proxy = false,
  $project_config_repo = '',
+  $selinux_mode = 'enforcing',
 ) {

  package { 'lsof':
@ -36,6 +37,12 @@ class openstack_project::git_backend (
  include jeepyb
  include pip

+  if ($::osfamily == 'RedHat') {
+    class { 'selinux':
+      mode => $selinux_mode
+    }
+  }
+
  class { '::cgit':
    vhost_name              => $vhost_name,
    ssl_cert_file           => "/etc/pki/tls/certs/${vhost_name}.pem",
@ -54,6 +61,7 @@ class openstack_project::git_backend (
        'root-title'    => 'OpenStack git repository browser',
    },
    manage_cgitrc           => true,
+    selinux_mode            => $selinux_mode
  }

  # We don't actually use these variables in this manifest, but jeepyb
@ -108,12 +116,6 @@ class openstack_project::git_backend (
    refreshonly => true,
  }

-  if ($::osfamily == 'RedHat') {
-    class { 'selinux':
-      mode => 'enforcing'
-    }
-  }
-
  cron { 'mirror_repack':
    user        => 'cgit',
    hour        => '4',
--- a/modules/openstack_project/manifests/pbx.pp
+++ b/modules/openstack_project/manifests/pbx.pp
@ -18,6 +18,7 @@
 class openstack_project::pbx (
  $sysadmins = [],
  $sip_providers = [],
+  $selinux_mode = 'enforcing'
 ) {
  class { 'openstack_project::server':
    sysadmins                 => $sysadmins,
@ -31,7 +32,7 @@ class openstack_project::pbx (

  if ($::osfamily == 'RedHat') {
    class { 'selinux':
-      mode => 'enforcing'
+      mode => $selinux_mode
    }
  }