add selinux module

deployment/puppet/selinux/README.markdown

@@ -0,0 +1,23 @@
+# SELinux Puppet Module
+
+James Fryman <james@frymanet.com>
+
+# Description
+
+This class manages SELinux on RHEL based systems.
+
+Parameters:
+
+- $mode (enforced|permissive|disabled) - sets the operating state for SELinux.
+
+# Actions:
+  This module will configure SELinux and/or deploy SELinux based modules to running
+  system.
+
+# Requires:
+  - Class[stdlib]. This is Puppet Labs standard library to include additional methods for use within Puppet. [https://github.com/puppetlabs/puppetlabs-stdlib]
+
+# Sample Usage:
+<pre>  
+include selinux
+</pre>

deployment/puppet/selinux/manifests/boolean.pp

@@ -0,0 +1,49 @@
+# Definition: selinux::boolean
+#
+# Description
+#  This class will set the state of an SELinux boolean.
+#  All pending values are written to the policy file on disk, so they will be persistant across reboots.
+#  Ensure that the manifest notifies a related service as a restart for that service may be required.
+#
+# Class created by GreenOgre<aggibson@cogeco.ca>
+#  Adds to puppet-selinux by jfryman
+#   https://github.com/jfryman/puppet-selinux
+#
+# Parameters:
+#   - $ensure: (on|off) - Sets the current state of a particular SELinux boolean
+#
+# Actions:
+#  Runs "setsebool" to set boolean state
+#
+# Requires:
+#  - SELinux
+#
+# Sample Usage:
+#
+#  selinux::boolean{ 'named_write_master_zones':
+#     ensure => "on",
+#  }
+#
+
+define selinux::boolean (
+  $ensure = 'undef'
+) {
+
+  Exec {
+    path => '/bin:/sbin:/usr/bin:/usr/sbin',
+  }
+
+  case $ensure {
+    on, true: {
+      exec { "setsebool -P '${name}' true":
+        unless => "getsebool '${name}' | awk '{ print \$3 }' | grep on",
+      }
+    }
+    off, false: {
+      exec { "setsebool -P '${name}' false":
+        unless => "getsebool '${name}' | awk '{ print \$3 }' | grep off",
+      }
+    }
+    default: { err ( "Unknown or undefined boolean state ${ensure}" ) }
+  }
+}

deployment/puppet/selinux/manifests/config.pp

@@ -0,0 +1,55 @@
+# Class: selinux::config
+#
+# Description
+#  This class is designed to configure the system to use SELinux on the system
+#
+# Parameters:
+#  - $mode (enforced|permissive|disabled) - sets the operating state for SELinux.
+# 
+# Actions:
+#  Configures SELinux to a specific state (enforced|permissive|disabled)
+#
+# Requires:
+#  This module has no requirements
+#
+# Sample Usage:
+#  This module should not be called directly.
+#
+class selinux::config(
+  $mode
+) {
+  Exec {
+    path => '/bin:/sbin:/usr/bin:/usr/sbin',
+  }
+
+  file { $selinux::params::sx_mod_dir:
+    ensure => directory,
+  }
+
+  # Check to see if the mode set is valid.
+  if $mode == 'enforcing' or $mode == 'permissive' or $mode == 'disabled' {
+    exec { "set-selinux-config-to-${mode}":
+      command => "sed -i \"s@^\\(SELINUX=\\).*@\\1${mode}@\" /etc/sysconfig/selinux",
+      unless  => "grep -q \"SELINUX=${mode}\" /etc/sysconfig/selinux",
+    }
+
+    case $mode {
+      permissive,disabled: { 
+        $sestatus = '0'
+        if $mode == 'disabled' and $::selinux_current_mode == 'permissive' {
+          notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
+        }
+      }
+      enforcing: {
+        $sestatus = '1'
+      }
+    }
+
+    exec { "change-selinux-status-to-${mode}":
+      command => "echo ${sestatus} > /selinux/enforce",
+      unless  => "grep -q '${sestatus}' /selinux/enforce",
+    }
+  } else {
+    fail("Invalid mode specified for SELinux: ${mode}")
+  }
+}

deployment/puppet/selinux/manifests/init.pp

@@ -0,0 +1,30 @@
+# Class: selinux
+#
+# Description
+#  This class manages SELinux on RHEL based systems.
+#
+# Parameters:
+#  - $mode (enforced|permissive|disabled) - sets the operating state for SELinux.
+#
+# Actions:
+#  This module will configure SELinux and/or deploy SELinux based modules to running
+#  system. 
+#
+# Requires:
+#  - Class[stdlib]. This is Puppet Labs standard library to include additional methods for use within Puppet. [https://github.com/puppetlabs/puppetlabs-stdlib]
+#
+# Sample Usage:
+#  include selinux
+#
+class selinux(
+  $mode = 'permissive'
+) {
+  include stdlib
+  include selinux::params
+
+  anchor { 'selinux::begin': }
+  -> class { 'selinux::config':
+       mode => $mode,
+  }
+  -> anchor { 'selinux::end': }
+}

deployment/puppet/selinux/manifests/module.pp

@@ -0,0 +1,93 @@
+# Definition: selinux::module
+#
+# Description
+#  This class will either install or uninstall a SELinux module from a running system. 
+#  This module allows an admin to keep .te files in text form in a repository, while 
+#  allowing the system to compile and manage SELinux modules.   
+#
+#  Concepts incorporated from: 
+#  http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/
+#
+# Parameters:
+#   - $ensure: (present|absent) - sets the state for a module
+#   - $selinux::params::sx_mod_dir: The directory compiled modules will live on a system (default: /usr/share/selinux)
+#   - $mode: Allows an admin to set the SELinux status. (default: enforcing)
+#   - $source: the source file (either a puppet URI or local file) of the SELinux .te module
+#
+# Actions:
+#  Compiles a module using 'checkmodule' and 'semodule_package'.
+#
+# Requires:
+#  - SELinux
+#
+# Sample Usage:
+#  selinux::module{ 'apache':
+#    ensure => 'present',
+#    source => 'puppet:///modules/selinux/apache.te', 
+#  }
+#
+define selinux::module(
+  $ensure  = 'present',
+  $source
+) {
+  # Set Resource Defaults
+  File {
+    owner => 'root',
+    group => 'root',
+    mode  => '0644',
+  }
+
+  # Only allow refresh in the event that the initial .te file is updated.
+  Exec {
+    path         => '/sbin:/usr/sbin:/bin:/usr/bin',
+    refreshonly  => 'true',
+    cwd          => "${selinux::params::sx_mod_dir}",
+  }
+
+  ## Begin Configuration
+  file { "${selinux::params::sx_mod_dir}/${name}.te":
+    ensure => $ensure,
+    source => $source,
+    tag    => 'selinux-module',
+  }
+  file { "${selinux::params::sx_mod_dir}/${name}.mod":
+    tag => ['selinux-module-build', 'selinux-module'],
+  }
+  file { "${selinux::params::sx_mod_dir}/${name}.pp":
+    tag => ['selinux-module-build', 'selinux-module'],
+  }
+
+  # Specific executables based on present or absent.
+  case $ensure {
+    present: {
+      exec { "${name}-buildmod":
+        command => "checkmodule -M -m -o ${name}.mod ${name}.te",
+      }
+      exec { "${name}-buildpp":
+        command => "semodule_package -m ${name}.mod -o ${name}.pp",
+      }
+      exec { "${name}-install":
+        command => "semodule -i ${name}.pp",
+      }
+
+      # Set dependency ordering
+      File["${selinux::params::sx_mod_dir}/${name}.te"]
+      ~> Exec["${name}-buildmod"]
+      ~> Exec["${name}-buildpp"]
+      ~> Exec["${name}-install"]
+      -> File<| tag == 'selinux-module-build' |>
+    }
+    absent: {
+      exec { "${name}-remove":
+        command => "semodule -r ${name}.pp > /dev/null 2>&1",
+      }
+
+      # Set dependency ordering
+      Exec["${name}-remove"]
+      -> File<| tag == 'selinux-module' |>
+    }
+    default: {
+      fail("Invalid status for SELinux Module: ${ensure}")
+    }
+  }
+}

deployment/puppet/selinux/manifests/params.pp

@@ -0,0 +1,3 @@
+class selinux::params {
+  $sx_mod_dir = '/usr/share/selinux'
+}

deployment/puppet/selinux/tests/disable.pp

@@ -0,0 +1,22 @@
+# Class: 
+#
+# Description
+#
+# Parameters:
+#   
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+
+class { 'selinux':
+  mode => 'disabled',
+}
+
+# Also acceptable
+# class { 'selinux':
+#   mode => 'permissive',
+# }
+

deployment/puppet/selinux/tests/enable.pp

@@ -0,0 +1,16 @@
+# Class: 
+#
+# Description
+#
+# Parameters:
+#   
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+
+class { 'selinux': 
+  mode => 'enforcing',
+}

deployment/puppet/selinux/tests/module.pp

@@ -0,0 +1,17 @@
+# Class: 
+#
+# Description
+#
+# Parameters:
+#   
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+
+selinux::module { 'apache-selinux':
+  ensure => 'present',
+  source => 'puppet:///modules/apache/selinux/apache.te',
+}