From e130792ed93410d667a3c232a39b826880813728 Mon Sep 17 00:00:00 2001
From: Timothy Chavez
Date: Thu, 10 Sep 2015 13:32:29 -0500
Subject: [PATCH] Parameterize setting the selinux mode
By parameterizing the selinux mode we can set the mode and pass the mode to other classes so they can make decisions on whether or not to run selinux commands as part of their configuration.
Depends-On: I21add092d9d09077f2b23760a384f5a5cb91d86a
Change-Id: I86a5bb006b6ab9d64f7fbd894c967428cfaed8f8
---
 manifests/site.pp | 2 ++
 modules/openstack_project/manifests/git.pp | 5 +++--
 modules/openstack_project/manifests/git_backend.pp | 14 ++++++++------
 modules/openstack_project/manifests/pbx.pp | 3 ++-
 4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index f746f14d8e..ee3d9f734b 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -485,6 +485,7 @@ node /^git\d+\.openstack\.org$/ {
 ssl_key_file_contents => hiera('git_ssl_key_file_contents', 'XXX'),
 ssl_chain_file_contents => hiera('git_ssl_chain_file_contents', 'XXX'),
 behind_proxy => true,
+ selinux_mode => 'enforcing'
 }
 }
@@ -754,6 +755,7 @@ node 'pbx.openstack.org' {
 outgoing => false,
 },
 ],
+ selinux_mode => 'enforcing'
 }
 }
diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp
index 79bdcd08bc..d4911a4099 100644
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@@ -18,7 +18,8 @@
 class openstack_project::git (
 $sysadmins = [],
 $balancer_member_names = [],
- $balancer_member_ips = []
+ $balancer_member_ips = [],
+ $selinux_mode = 'enforcing'
 ) {
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [80, 443, 9418],
@@ -27,7 +28,7 @@ class openstack_project::git (
 if ($::osfamily == 'RedHat') {
 class { 'selinux':
- mode => 'enforcing'
+ mode => $selinux_mode
 }
 }
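Review bot: In manifests/site.pp the added `selinux_mode => 'enforcing'` in the git node block has no trailing comma, although the attribute just before it (`behind_proxy => true,`) carries one; the addition in the `pbx.openstack.org` node and the new last parameter `$selinux_mode = 'enforcing'` in git.pp and pbx.pp drop it as well, while git_backend.pp keeps it. Writing `selinux_mode => 'enforcing',` keeps the next added attribute to a one-line diff and makes the four files agree. Both node blocks start outside their hunks.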
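Review bot: `$selinux_mode` in openstack_project::git (first git.pp hunk, and likewise in git_backend.pp and pbx.pp) reaches `class { 'selinux': }` without any check, so a typo fails only inside the selinux module, and a value such as `permissive` or `disabled` lowers enforcement on the host without anything in this class noticing. The site.pp hunks in this patch appear to pin the value only for the git backend and pbx nodes, so for this class the default and any data lookup decide it. Consider rejecting unknown values at the top of the class body, for example `validate_re($selinux_mode, '^(enforcing|permissive|disabled)$')` if puppetlabs-stdlib is available in this tree, and describing the parameter in the class header comment. The class body continues outside the hunk.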
diff --git a/modules/openstack_project/manifests/git_backend.pp b/modules/openstack_project/manifests/git_backend.pp
index caebe11d98..0f1694b3ca 100644
--- a/modules/openstack_project/manifests/git_backend.pp
+++ b/modules/openstack_project/manifests/git_backend.pp
@@ -23,6 +23,7 @@ class openstack_project::git_backend (
 $ssl_chain_file_contents = '',
 $behind_proxy = false,
 $project_config_repo = '',
+ $selinux_mode = 'enforcing',
 ) {
 package { 'lsof':
@@ -36,6 +37,12 @@ class openstack_project::git_backend (
 include jeepyb
 include pip
+ if ($::osfamily == 'RedHat') {
+ class { 'selinux':
+ mode => $selinux_mode
+ }
+ }
+
 class { '::cgit':
 vhost_name => $vhost_name,
 ssl_cert_file => "/etc/pki/tls/certs/${vhost_name}.pem",
@@ -54,6 +61,7 @@ class openstack_project::git_backend (
 'root-title' => 'OpenStack git repository browser',
 },
 manage_cgitrc => true,
+ selinux_mode => $selinux_mode
 }
 # We don't actually use these variables in this manifest, but jeepyb
@@ -108,12 +116,6 @@ class openstack_project::git_backend (
 refreshonly => true,
 }
- if ($::osfamily == 'RedHat') {
- class { 'selinux':
- mode => 'enforcing'
- }
- }
-
 cron { 'mirror_repack':
 user => 'cgit',
 hour => '4',
diff --git a/modules/openstack_project/manifests/pbx.pp b/modules/openstack_project/manifests/pbx.pp
index 4de500d10d..5832d447a8 100644
--- a/modules/openstack_project/manifests/pbx.pp
+++ b/modules/openstack_project/manifests/pbx.pp
@@ -18,6 +18,7 @@
 class openstack_project::pbx (
 $sysadmins = [],
 $sip_providers = [],
+ $selinux_mode = 'enforcing'
 ) {
 class { 'openstack_project::server':
 sysadmins => $sysadmins,
@@ -31,7 +32,7 @@ class openstack_project::pbx (
 if ($::osfamily == 'RedHat') {
 class { 'selinux':
- mode => 'enforcing'
+ mode => $selinux_mode
 }
 }
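Review bot: Moving the `class { 'selinux': }` declaration above `class { '::cgit': }` in git_backend.pp (second hunk) does not by itself order the two classes unless the Puppet version in use applies manifest ordering. If cgit is meant to run its SELinux commands only after the mode has been set, which is inferred from the commit message, say so explicitly inside the RedHat branch with `Class['selinux'] -> Class['cgit']`. A short comment above the block, such as `# selinux must be configured before cgit applies its SELinux settings`, would record why the block was moved. The class body starts and ends outside the hunk.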
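Review bot: The added `selinux_mode => $selinux_mode` in the `::cgit` declaration (third git_backend.pp hunk) is passed on every osfamily, while the `selinux` class itself is only declared under `$::osfamily == 'RedHat'`. On a non-RedHat host cgit would therefore still receive the default `enforcing`; whether cgit guards against that is not visible in this patch. If it does not, pass a value that reflects the platform, or document in the class header that `$selinux_mode` only has effect on RedHat-family hosts.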