Puppet Class: selinux

Inherited by:

selinux::refpolicy_package

Defined in:

manifests/init.pp

Overview

Manage SELinux on RHEL based systems.

Examples:

Enable enforcing mode with targeted policy

class { 'selinux':
  mode => 'enforcing',
  type => 'targeted',
}

Parameters:

• package_name (Variant[String[1], Array[String[1]]]) —

  sets the name(s) for the selinux tools package Default value: OS dependent (see data/).

• manage_auditd_package (Boolean) —

  install auditd to log SELinux violations, for OSes that do not have auditd installed by default. Default value: OS dependent (see data/)

• refpolicy_package_name (String) —

  sets the name for the refpolicy development package, required for the refpolicy module builder Default value: OS dependent (see data/)

• mode (Optional[Enum['enforcing', 'permissive', 'disabled']]) (defaults to: undef) —

  sets the operating state for SELinux.

• type (Optional[Enum['targeted', 'minimum', 'mls']]) (defaults to: undef) —

  sets the selinux type

• refpolicy_makefile (Stdlib::Absolutepath) (defaults to: '/usr/share/selinux/devel/Makefile') —

  the path to the system’s SELinux makefile for the refpolicy framework

• manage_package (Boolean) (defaults to: true) —

  manage the package for selinux tools and refpolicy

• auditd_package_name (String[1]) (defaults to: 'auditd') —

  used when ‘manage_auditd_package` is true

• manage_setroubleshoot_packages (Boolean) —

  manage the setroubleshoot packages

• manage_selinux_sandbox_packages (Boolean) —

  manage the selinux sandbox packages

• setroubleshoot_package_names (Array[String]) (defaults to: []) —

  the names of the setroubleshoot packages

• selinux_sandbox_package_names (Array[String]) (defaults to: []) —

  the names of the selinux sandbox packages

• module_build_root (Stdlib::Absolutepath) (defaults to: "${facts['puppet_vardir']}/puppet-selinux") —

  directory where modules are built. Defaults to ‘$vardir/puppet-selinux`

• default_builder (Enum['refpolicy', 'simple']) (defaults to: 'simple') —

  which builder to use by default with selinux::module

• boolean (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::boolean resource parameters

• fcontext (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::fcontext resource parameters

• fcontext_equivalence (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::fcontext::equivalence resource parameters

• module (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::module resource parameters

• permissive (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::module resource parameters

• port (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::port resource parameters

• exec_restorecon (Optional[Hash]) (defaults to: undef) —

  Hash of selinux::exec_restorecon resource parameters

• login (Hash[String[1],Hash[String[1],String[1]]]) (defaults to: {}) —

  Hash of selinux::login resource parameters

# File 'manifests/init.pp', line 37

class selinux (
  Variant[String[1], Array[String[1]]] $package_name,
  Boolean $manage_auditd_package,
  String $refpolicy_package_name,
  Boolean $manage_setroubleshoot_packages,
  Boolean $manage_selinux_sandbox_packages,
  Array[String] $setroubleshoot_package_names                 = [],
  Array[String] $selinux_sandbox_package_names                = [],
  Optional[Enum['enforcing', 'permissive', 'disabled']] $mode = undef,
  Optional[Enum['targeted', 'minimum', 'mls']] $type          = undef,
  Stdlib::Absolutepath $refpolicy_makefile                    = '/usr/share/selinux/devel/Makefile',
  Boolean $manage_package                                     = true,
  String[1] $auditd_package_name                              = 'auditd',
  Stdlib::Absolutepath $module_build_root                     = "${facts['puppet_vardir']}/puppet-selinux",
  Enum['refpolicy', 'simple'] $default_builder                = 'simple',

  Optional[Hash] $boolean              = undef,
  Optional[Hash] $fcontext             = undef,
  Optional[Hash] $fcontext_equivalence = undef,
  Optional[Hash] $module               = undef,
  Optional[Hash] $permissive           = undef,
  Optional[Hash] $port                 = undef,
  Optional[Hash] $exec_restorecon      = undef,
  Hash[String[1],Hash[String[1],String[1]]] $login = {},
) {
  class { 'selinux::package':
    manage_package                  => $manage_package,
    package_names                   => Array.new($package_name, true),
    manage_auditd_package           => $manage_auditd_package,
    auditd_package_name             => $auditd_package_name,
    manage_setroubleshoot_packages  => $manage_setroubleshoot_packages,
    setroubleshoot_package_names    => $setroubleshoot_package_names,
    manage_selinux_sandbox_packages => $manage_selinux_sandbox_packages,
    selinux_sandbox_package_names   => $selinux_sandbox_package_names,
  }

  class { 'selinux::config':
    mode => $mode,
    type => $type,
  }

  if $boolean {
    create_resources ( 'selinux::boolean', $boolean )
  }
  if $fcontext {
    create_resources ( 'selinux::fcontext', $fcontext )
  }
  if $fcontext_equivalence {
    create_resources ( 'selinux::fcontext::equivalence', $fcontext_equivalence )
  }
  if $module {
    create_resources ( 'selinux::module', $module )
  }
  if $permissive {
    create_resources ( 'selinux::permissive', $permissive )
  }
  if $port {
    create_resources ( 'selinux::port', $port )
  }
  if $exec_restorecon {
    create_resources ( 'selinux::exec_restorecon', $exec_restorecon )
  }
  $login.each |$login_name, $login_attributes| {
    selinux::login { $login_name:
      * => $login_attributes,
    }
  }

  # Ordering
  anchor { 'selinux::start': }
  -> Class['selinux::package']
  -> Class['selinux::config']
  -> anchor { 'selinux::module pre': }
  -> anchor { 'selinux::module post': }
  -> anchor { 'selinux::end': }
}