 613284b444
			
		
	
	613284b444
	
	
	
		
			
			Ensure persistence for SElinux booleans so they still exist after an evental reboot. Default is to false: https://github.com/puppetlabs/puppet/blob/master/lib/puppet/type/selboolean.rb#L21 Also, fix an error in unit tests where context names were switched. Change-Id: I3c9c48fa3aee0b1991780f7250c40aba6e493498
		
			
				
	
	
		
			99 lines
		
	
	
		
			2.4 KiB
		
	
	
	
		
			Puppet
		
	
	
	
	
	
			
		
		
	
	
			99 lines
		
	
	
		
			2.4 KiB
		
	
	
	
		
			Puppet
		
	
	
	
	
	
| #
 | |
| # Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
 | |
| #
 | |
| # Licensed under the Apache License, Version 2.0 (the "License"); you may
 | |
| # not use this file except in compliance with the License. You may obtain
 | |
| # a copy of the License at
 | |
| #
 | |
| #      http://www.apache.org/licenses/LICENSE-2.0
 | |
| #
 | |
| # Unless required by applicable law or agreed to in writing, software
 | |
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 | |
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 | |
| # License for the specific language governing permissions and limitations
 | |
| # under the License.
 | |
| #
 | |
| # == Class: cloud::selinux
 | |
| #
 | |
| # Helper class to configure SELinux on nodes
 | |
| #
 | |
| # === Parameters:
 | |
| #
 | |
| # [*mode*]
 | |
| #   (optional) SELinux mode the system should be in
 | |
| #   Defaults to 'permissive'
 | |
| #   Possible values : disabled, permissive, enforcing
 | |
| #
 | |
| # [*directory*]
 | |
| #   (optional) Path where to find the SELinux modules
 | |
| #   Defaults to '/usr/share/selinux'
 | |
| #
 | |
| # [*booleans*]
 | |
| #   (optional) Set of booleans to persistently enables
 | |
| #   SELinux booleans are the one getsebool -a returns
 | |
| #   Defaults []
 | |
| #   Example: ['rsync_full_access', 'haproxy_connect_any']
 | |
| #
 | |
| # [*modules*]
 | |
| #   (optional) Set of modules to load on the system
 | |
| #   Defaults []
 | |
| #   Example: ['module1', 'module2']
 | |
| #   Note: Those module should be in the $directory path
 | |
| #
 | |
| class cloud::selinux (
 | |
|   $mode      = 'permissive',
 | |
|   $directory = '/usr/share/selinux/',
 | |
|   $booleans  = [],
 | |
|   $modules   = [],
 | |
| ) {
 | |
| 
 | |
|   if $::osfamily != 'RedHat'  {
 | |
|     fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
 | |
|   }
 | |
| 
 | |
|   Selboolean {
 | |
|     persistent => true,
 | |
|     value      => 'on',
 | |
|   }
 | |
| 
 | |
|   Selmodule {
 | |
|     ensure       => present,
 | |
|     selmoduledir => $directory,
 | |
|   }
 | |
| 
 | |
|   file { '/etc/selinux/config':
 | |
|     ensure  => present,
 | |
|     mode    => '0444',
 | |
|     content => template('cloud/selinux/sysconfig_selinux.erb')
 | |
|   }
 | |
| 
 | |
|   $current_mode = $::selinux? {
 | |
|     'false' => 'disabled',
 | |
|     false   => 'disabled',
 | |
|     default => $::selinux_current_mode,
 | |
|   }
 | |
| 
 | |
|   if $current_mode != $mode {
 | |
|     case $mode {
 | |
|       /^(disabled|permissive)$/: {
 | |
|         if $current_mode == 'enforcing' {
 | |
|           exec { 'setenforce 0': }
 | |
|         }
 | |
|       }
 | |
|       'enforcing': {
 | |
|         exec { 'setenforce 1': }
 | |
|       }
 | |
|       default: {
 | |
|         fail('You must specify a mode (enforcing, permissive, or disabled)')
 | |
|       }
 | |
|     }
 | |
|   }
 | |
| 
 | |
|   selboolean { $booleans :
 | |
|     persistent => true,
 | |
|   }
 | |
|   selmodule { $modules: }
 | |
| 
 | |
| }
 | |
| 
 |