Puppet Class: selinux::config
- Defined in:
- manifests/config.pp
Overview
Class: selinux::config
THIS IS A PRIVATE CLASS
This class configures the system to use SELinux.
It is included in the main class ::selinux.
Config for module building
The module building requires the following file structure:
```
$module_build_root/
bin/ # for simple module build script
modules/ # module source files and compiled policies
modules/tmp # refpolicy tempfiles (created by scripts)
```
# File 'manifests/config.pp', line 30
# @summary Configures the system to use SELinux (private class).
#
# Persists the requested mode and policy type in /etc/selinux/config,
# applies the mode to the running kernel with setenforce, requests a full
# filesystem relabel when moving from disabled to permissive/enforcing, and
# lays out the directory tree used to build custom policy modules.
#
# @api private
#
# @param mode
#   Desired SELinux mode. Handled values are 'enforcing', 'permissive' and
#   'disabled'; any other value set here aborts compilation. undef (or false)
#   skips mode management entirely. When 'enforcing' is requested but the
#   running kernel reports SELinux disabled ($::selinux is false) the mode is
#   downgraded to 'permissive' and a notice is logged.
# @param type
#   SELinux policy type written as SELINUXTYPE= in /etc/selinux/config.
#   Skipped when undef (or false).
# @param manage_package
#   Passed through from the main class; not referenced in this class body.
# @param package_name
#   Passed through from the main class; not referenced in this class body.
# @param module_build_root
#   Absolute path under which bin/, modules/ and modules/tmp are managed.
#   modules/ is purged of anything Puppet does not manage (see below).
class selinux::config (
  $mode = $::selinux::mode,
  $type = $::selinux::type,
  $manage_package = $::selinux::manage_package,
  $package_name = $::selinux::package_name,
  Stdlib::Absolutepath $module_build_root = $::selinux::module_build_root
) {
  # Private-class guard: only code inside this module may declare the class.
  if $caller_module_name != $module_name {
    fail("Use of private class ${name} by ${caller_module_name}")
  }
  # $::selinux is the facter fact telling whether SELinux is enabled in the
  # running kernel. Enforcing cannot be switched on in a kernel that has
  # SELinux off, so the request is downgraded rather than failing; the
  # notice tells the operator how to silence it.
  if ($mode == 'enforcing' and !$::selinux) {
    notice('SELinux is disabled. Forcing configuration to permissive to avoid problems. To disable this warning, explicitly set selinux::mode to permissive or disabled.')
    $_real_mode = 'permissive'
  } else {
    $_real_mode = $mode
  }
  # undef/false mode means "do not manage the enforcement mode at all".
  if $_real_mode {
    # Persist the mode across reboots. The match only hits an active
    # SELINUX= line; with no match file_line appends the setting.
    file_line { "set-selinux-config-to-${_real_mode}":
      path => '/etc/selinux/config',
      line => "SELINUX=${_real_mode}",
      match => '^SELINUX=\w+',
    }
    # Map the mode to the setenforce argument. The default branch aborts
    # compilation, so only the three literal modes above can ever reach the
    # interpolated shell strings in the exec further down.
    case $_real_mode {
      'permissive', 'disabled': {
        $sestatus = '0'
        # $::selinux_current_mode is the runtime mode fact. 'disabled' only
        # takes effect at boot, so warn when the box is still running
        # permissive.
        if $_real_mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
          notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
        }
      }
      'enforcing': {
        $sestatus = '1'
      }
      default : {
        fail('You must specify a mode (enforced, permissive, or disabled) for selinux operation')
      }
    }
    # a complete relabeling is required when switching from disabled to
    # permissive or enforcing. Ensure the autorelabel trigger file is created.
    # $::selinux false here means the running kernel currently has SELinux
    # off; the trigger file is consumed by the init system at next boot.
    if $_real_mode in ['enforcing','permissive'] and
    !$::selinux {
      file { '/.autorelabel':
        ensure => 'file',
        owner => 'root',
        group => 'root',
        content => "# created by puppet for disabled to ${_real_mode} switch\n",
      }
    }
    # Apply the mode to the running kernel. 'disabled' is part of the unless
    # pattern so setenforce is never attempted while getenforce reports
    # Disabled; -i tolerates getenforce's capitalised output.
    exec { "change-selinux-status-to-${_real_mode}":
      command => "setenforce ${sestatus}",
      unless => "getenforce | grep -Eqi '${_real_mode}|disabled'",
      path => '/bin:/sbin:/usr/bin:/usr/sbin',
    }
  }
  # Policy type is only persisted in the config file; no runtime switch.
  if $type {
    file_line { "set-selinux-config-type-to-${type}":
      path => '/etc/selinux/config',
      line => "SELINUXTYPE=${type}",
      match => '^SELINUXTYPE=\w+',
    }
  }
  # Module build tree (see the class description for the layout). Both
  # directories are root-owned and writable only by root.
  file {$module_build_root:
    ensure => 'directory',
    owner => 'root',
    group => 'root',
    mode => '0755',
  }
  file {"${module_build_root}/bin":
    ensure => 'directory',
    owner => 'root',
    group => 'root',
    mode => '0755',
  }
  # put helper in place:
  # Executable by everyone, writable only by root; the content is shipped in
  # this module's files/ directory.
  file {"${module_build_root}/bin/selinux_build_module_simple.sh":
    ensure => 'present',
    owner => 'root',
    group => 'root',
    mode => '0755',
    source => "puppet:///modules/${module_name}/selinux_build_module_simple.sh",
  }
  # WARNING: recurse + purge + force removes anything under modules/ that is
  # not a Puppet-managed resource, subdirectories included. Policy sources
  # placed here by hand will be deleted on the next run.
  $module_build_dir = "${module_build_root}/modules"
  file {$module_build_dir:
    ensure => 'directory',
    owner => 'root',
    group => 'root',
    recurse => true,
    purge => true,
    force => true,
  }
  # needed by refpolicy builder and our simple builder
  # Declared as a managed resource so the purge above leaves it alone.
  # selinux_ignore_defaults stops Puppet from resetting this directory's
  # SELinux context to the filesystem default on every run.
  file {"${module_build_dir}/tmp":
    ensure => 'directory',
    selinux_ignore_defaults => true,
  }
}