Defined Type: selinux::seport

Defined in:
manifests/seport.pp

Overview

Definition: selinux::seport

Adds a port to, or removes it from, the set of ports labelled with an SELinux port type, by running `semanage port`. Note that when the port is already labelled with a different type, the define falls back to `semanage port --modify`, which relabels the port away from its previous type.

Parameters:

  • *$name*: SELinux port type (e.g. `http_port_t`) to label the port with, unless *$setype* is given

  • *$ensure*: present/absent

  • *$proto*: tcp/udp

  • *$port*: port number to add to / remove from the port type

  • *$setype*: SELinux port type to use instead of *$name* (for example when the same type must be declared more than once and the resource title therefore has to differ)

Example usage:

# allow apache to bind on port 8001
selinux::seport { "http_port_t":
  ensure => present,
  proto  => "tcp",
  port   => "8001",
  before => Service["apache"],
}

Parameters:

  • port (Any)
  • ensure (Any) (defaults to: 'present')
  • proto (Any) (defaults to: 'tcp')
  • setype (Any) (defaults to: undef)


# File 'manifests/seport.pp', line 23

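# Adds a port to, or removes it from, the set of ports labelled with an
# SELinux port type, via `semanage port`.
#
# Every parameter ends up unquoted on a shell command line and, unescaped,
# inside a grep pattern, so each one is validated first: an unexpected value
# fails catalog compilation instead of reaching the shell.
#
# Parameters:
#   $name   - SELinux port type (e.g. http_port_t), unless $setype is given
#   $ensure - 'present' adds the port, 'absent' removes it
#   $proto  - 'tcp' or 'udp'
#   $port   - port number, or a range such as 8000-8010
#   $setype - SELinux port type to use instead of $name
#
# NOTE: when the port is already labelled with a different type,
# `semanage port --add` fails and the `--modify` fallback relabels the port,
# taking it away from its previous type.
define selinux::seport($port, $ensure='present', $proto='tcp', $setype=undef) {

  if $setype == undef {
    $type = $name
  } else {
    $type = $setype
  }

  # A type name is word characters only; anything else could break out of the
  # command line or the regex below.
  if "${type}" !~ /^\w+$/ {
    fail("selinux::seport: invalid SELinux port type '${type}'")
  }

  # Previously any value other than 'present' silently meant 'absent', so a
  # typo in ensure would delete the port mapping.
  if "${ensure}" !~ /^(present|absent)$/ {
    fail("selinux::seport: ensure must be 'present' or 'absent', got '${ensure}'")
  }

  if "${proto}" !~ /^(tcp|udp)$/ {
    fail("selinux::seport: proto must be 'tcp' or 'udp', got '${proto}'")
  }

  # Single port or a range; semanage accepts both. Interpolated so an Integer
  # port (Puppet 4+) validates the same way as a String one.
  if "${port}" !~ /^\d{1,5}(-\d{1,5})?$/ {
    fail("selinux::seport: invalid port '${port}'")
  }

  if $ensure == 'present' {
    # --add fails if the port is already labelled (possibly with another
    # type); --modify then relabels it to ${type}.
    $cmd  = "semanage port --add --type ${type} --proto ${proto} ${port} || semanage port --modify --type ${type} --proto ${proto} ${port}" # lint:ignore:80chars
    $grep = 'grep -Eq'
  } else {
    $cmd  = "semanage port --delete --type ${type} --proto ${proto} ${port}"
    $grep = '! grep -Eq'
  }

  # Matches a `semanage port --list` line for this type/proto that lists the
  # port as a whole token (80 must not match 8080). `\$` is a literal
  # end-of-line anchor for grep, not a Puppet interpolation.
  $re = "^${type}\\W+${proto}\\W+.*\\W${port}(\\W|\$)"

  exec { "semanage port ${port}, proto ${proto}, type ${name}":
    path    => $::path,
    command => $cmd,
    # subshell required to invert return status with !
    unless  => "semanage port --list | ( ${grep} '${re}' )",
  }

}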