Puppet Class: psick::selinux

Defined in:
manifests/selinux.pp

Overview

This class manages the basic SELinux configuration of a node: the SELINUX and SELINUXTYPE settings in /etc/selinux/config, optionally the contents of the /etc/selinux directory, and the runtime switch (setenforce) and relabel marker that a change of state requires.

Parameters:

  • selinux_file_template (String) (defaults to: 'psick/selinux/selinux.epp')

    The path of the template (with erb or epp suffix) used for the content of /etc/selinux/config. If empty, or if the selinux fact is not present on the node, the file is not managed.

  • state (Enum['enforcing','permissive','disabled']) (defaults to: 'enforcing')

    The value of the SELINUX parameter in /etc/selinux/config

  • type (Enum['targeted','minimum','mls','default','src']) (defaults to: 'targeted')

    The value of the SELINUXTYPE parameter in /etc/selinux/config

  • selinux_dir_source (String) (defaults to: '')

    The source of the contents of the /etc/selinux dir (format: puppet:///modules/…). If empty, or if the selinux fact is not present on the node, the dir is not managed.

  • selinux_dir_recurse (Boolean) (defaults to: true)

    The recurse param of the /etc/selinux dir resource

  • selinux_dir_force (Boolean) (defaults to: true)

    The force param of the /etc/selinux dir resource

  • selinux_dir_purge (Boolean) (defaults to: false)

    The purge param of the /etc/selinux dir resource. When true, files under /etc/selinux that are not present in selinux_dir_source are removed (with selinux_dir_force also directories), so only enable it with a source that carries the complete tree.

  • manage (Boolean) (defaults to: $psick::manage)

    Whether to manage any resource in this class. If false, no resource is managed. The default value is taken from the main psick class.

  • noop_manage (Boolean) (defaults to: $psick::noop_manage)

    Whether to call the noop() function for all the resources provided by this class. If true, noop() is called with the $noop_value argument. This overrides any other noop setting (whether set in the client's puppet.conf or by noop() in the main psick class). Default from the psick class.

  • noop_value (Boolean) (defaults to: $psick::noop_value)

    The value passed to noop() when noop_manage is true. It applies to all the resources (and classes) declared in this class. If true, the noop metaparameter is set to true and resources are not applied. If false, the noop metaparameter is set to false and any other noop setting is overridden: resources are always applied. Default from the psick class.

  • setlocaldefs (Enum['0','1']) (defaults to: '0')

    The value of the SETLOCALDEFS parameter in /etc/selinux/config (passed to the template together with state and type).

# File 'manifests/selinux.pp', line 28

class psick::selinux (
  Enum['enforcing','permissive','disabled'] $state       = 'enforcing',
  Enum['targeted','minimum','mls','default','src'] $type = 'targeted',
  Enum['0','1'] $setlocaldefs        = '0',
  String $selinux_file_template      = 'psick/selinux/selinux.epp',
  String $selinux_dir_source         = '', # lint:ignore:params_empty_string_assignment
  Boolean $selinux_dir_recurse       = true,
  Boolean $selinux_dir_force         = true,
  Boolean $selinux_dir_purge         = false,
  Boolean $manage                    = $psick::manage,
  Boolean $noop_manage               = $psick::noop_manage,
  Boolean $noop_value                = $psick::noop_value,
) {
  if $manage {
    if $noop_manage {
      noop($noop_value)
    }

    $selinux_params = {
      state         => $state,
      type          => $type,
      setlocaldefs  => $setlocaldefs,
    }
    if getvar('selinux') == true {
      $setenforce_notify = Exec['psick_selinux_setenforce']
    } else {
      $setenforce_notify = undef
    }
    if getvar('selinux') != undef and $selinux_file_template != '' {
      file { '/etc/selinux/config':
        ensure  => file,
        content => psick::template($selinux_file_template,$selinux_params),
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        notify  => $setenforce_notify,
      }
    }
    if getvar('selinux') != undef and $selinux_dir_source != '' {
      file { '/etc/selinux':
        ensure  => directory,
        source  => $selinux_dir_source,
        recurse => $selinux_dir_recurse,
        force   => $selinux_dir_force,
        purge   => $selinux_dir_purge,
        owner   => 'root',
        group   => 'root',
        notify  => $setenforce_notify,
      }
    }

    $setenforce_status = $state ? {
      'permissive' => '0',
      'disabled'   => '0',
      'enforcing'  => '1',
    }

    exec { 'psick_selinux_setenforce':
      command     => "setenforce ${setenforce_status}",
      path        => $facts['path'],
      refreshonly => true,
    }

    # Relabeling required when switching from disabled to permissive or enforcing.
    if $state in ['enforcing','permissive'] and $facts['os']['selinux']['enabled'] == false {
      file { '/.autorelabel':
        ensure  => 'file',
        owner   => 'root',
        group   => 'root',
        content => "# Created by Puppet for disabled to ${state} SELinux switch\n",
      }
    }
    if $state in ['disabled'] and $facts['os']['selinux']['enabled'] == true {
      notify { 'Reboot needed':
        message => 'You need to reboot the system to fully disable SElinux. Now operating in permissive mode',
      }
    }
  }
}
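The class above decides three things from the desired state and the node's current SELinux mode: which setenforce argument to run on refresh, whether /.autorelabel must be created (a kernel booted with SELinux disabled leaves files unlabeled, so going to permissive or enforcing needs a relabel and a reboot), and whether a reboot is needed to actually disable SELinux (setenforce 0 only yields permissive). The following POSIX shell script is an added example, not psick's own code: it mirrors that decision logic as a pre-flight check you can run against a config file and a runtime mode before applying the class. The config file is a constructed sample and the runtime mode is passed in as an argument (on a real host you would pass `$(getenforce)`), so it runs offline; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not psick's code): pre-flight check that mirrors the
# decision logic of psick::selinux. Inputs are explicit so it runs offline.

# Read KEY=value from an /etc/selinux/config-style file.
# Comments and trailing whitespace are ignored; the last definition wins.
# Usage: selinux_cfg_get FILE KEY
selinux_cfg_get() {
  sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Map a desired SELINUX= state to the argument the class passes to setenforce.
# "disabled" maps to 0: setenforce cannot disable SELinux, only a reboot can.
setenforce_arg() {
  case "$1" in
    enforcing)           echo 1 ;;
    permissive|disabled) echo 0 ;;
    *) echo "unknown state: $1" >&2; return 1 ;;
  esac
}

# Decide what applying STATE would require, given RUNTIME (the output of
# getenforce: Enforcing, Permissive or Disabled).
# Prints one of: noop, setenforce, relabel-reboot, reboot-to-disable
selinux_plan() {
  state=$1
  runtime=$2
  case "$runtime" in
    Disabled)
      # SELinux is off in the running kernel, so the filesystem carries no
      # labels: anything but "disabled" needs /.autorelabel and a reboot.
      case "$state" in
        disabled) echo noop ;;
        *)        echo relabel-reboot ;;
      esac ;;
    Enforcing|Permissive)
      case "$state" in
        # The class runs "setenforce 0" and prints a reboot notice; the host
        # stays permissive (not disabled) until it is rebooted.
        disabled)   echo reboot-to-disable ;;
        enforcing)  [ "$runtime" = Enforcing ]  && echo noop || echo setenforce ;;
        permissive) [ "$runtime" = Permissive ] && echo noop || echo setenforce ;;
        *) echo "unknown state: $state" >&2; return 1 ;;
      esac ;;
    *) echo "unknown runtime mode: $runtime" >&2; return 1 ;;
  esac
}

# Drift check: what would the class do if the desired state were the one
# already written in CONFIG and the kernel were in RUNTIME mode?
# Usage: selinux_drift CONFIG RUNTIME
selinux_drift() {
  selinux_plan "$(selinux_cfg_get "$1" SELINUX)" "$2"
}

# Constructed sample config (not copied from a real host).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# Walk the sample through each runtime mode and show the required action.
for mode in Disabled Permissive Enforcing; do
  printf '%s -> %s (setenforce arg %s)\n' "$mode" \
    "$(selinux_drift "$SAMPLE_CFG" "$mode")" \
    "$(setenforce_arg "$(selinux_cfg_get "$SAMPLE_CFG" SELINUX)")"
done
```

A plan of `setenforce` on a host whose config already says `enforcing` means the persisted and runtime states have drifted (someone ran `setenforce 0` by hand, or the class has not refreshed the exec yet); `relabel-reboot` on such a host means the config was changed while the kernel was booted with SELinux disabled, and the class's /.autorelabel file is the only thing that will make the next boot consistent.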