Puppet Class: psick::selinux

Defined in:
manifests/selinux.pp

Overview

This class manages the basic SELinux configuration.

Parameters:

  • manage (Boolean) (defaults to: $::psick::manage)

    Whether to actually manage any resource in this profile.

  • selinux_file_template (String) (defaults to: 'psick/selinux/selinux.epp')

    The path of the template (with erb or epp suffix) to use for the content of /etc/selinux/config. If empty, or if the selinux fact is missing, the file is not managed.

  • state (Enum['enforcing','permissive','disabled']) (defaults to: 'enforcing')

    The value of the SELINUX parameter in /etc/selinux/config

  • type (Enum['targeted','minimum','mls','default','src']) (defaults to: 'targeted')

    The value of the SELINUXTYPE parameter in /etc/selinux/config

  • selinux_dir_source (String) (defaults to: '')

    The source of the contents of the /etc/selinux dir (format: puppet:///modules/…). If empty, or if the selinux fact is missing, the dir is not managed.

  • selinux_dir_recurse (Boolean) (defaults to: true)

    The recurse param of the /etc/selinux dir resource

  • selinux_dir_force (Boolean) (defaults to: true)

    The force param of the /etc/selinux dir resource

  • selinux_dir_purge (Boolean) (defaults to: false)

    The purge param of the /etc/selinux dir resource

  • no_noop (Boolean) (defaults to: false)

    Set the noop metaparameter to false on all the resources of this class.

  • setlocaldefs (Enum['0','1']) (defaults to: '0')


# File 'manifests/selinux.pp', line 17

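# Manages the basic SELinux configuration: /etc/selinux/config (rendered
# from a template), optionally the whole /etc/selinux directory (from a
# Puppet source), and a refresh-only setenforce exec that both resources
# notify so the running mode follows the configured one where possible.
#
# @param manage If false nothing in this class is managed.
# @param state Value of the SELINUX parameter in /etc/selinux/config. Also
#   selects the setenforce argument: 'enforcing' -> 1, anything else -> 0.
# @param type Value of the SELINUXTYPE parameter in /etc/selinux/config.
# @param setlocaldefs Passed to the template as the setlocaldefs parameter.
# @param selinux_file_template Template (erb or epp) used for the content of
#   /etc/selinux/config. Empty string, or a missing selinux fact, skips it.
# @param selinux_dir_source Puppet source for /etc/selinux. Empty string, or
#   a missing selinux fact, skips the directory resource.
# @param selinux_dir_recurse recurse param of the /etc/selinux resource.
# @param selinux_dir_force force param of the /etc/selinux resource.
# @param selinux_dir_purge purge param of the /etc/selinux resource. With
#   recurse, purge removes files under /etc/selinux that the source does not
#   provide, so leave it false unless the source is a complete copy.
# @param no_noop Force noop(false) on this class's resources when psick is
#   not itself in noop mode.
class psick::selinux (
  Boolean $manage                    = $::psick::manage,
  Enum['enforcing','permissive','disabled'] $state       = 'enforcing',
  Enum['targeted','minimum','mls','default','src'] $type = 'targeted',
  Enum['0','1'] $setlocaldefs        = '0',
  String $selinux_file_template      = 'psick/selinux/selinux.epp',
  String $selinux_dir_source         = '',
  Boolean $selinux_dir_recurse       = true,
  Boolean $selinux_dir_force         = true,
  Boolean $selinux_dir_purge         = false,
  Boolean         $no_noop           = false,
) {
  if $manage {
    # Honour the profile-wide noop switch unless this class is forced live.
    if !$::psick::noop_mode and $no_noop {
      info('Forced no-noop mode in psick::selinux')
      noop(false)
    }

    # The selinux fact is true when SELinux is enabled and false when it is
    # disabled; it is undef where the fact is not available at all. Read it
    # once so every condition below uses the same source.
    $selinux_fact = $facts['selinux']

    $selinux_params = {
      state         => $state,
      type          => $type,
      setlocaldefs  => $setlocaldefs,
    }

    # Only notify setenforce when SELinux is actually enabled: on a host
    # with SELinux disabled the command cannot change the mode anyway.
    $setenforce_notify = $selinux_fact ? {
      true    => Exec['psick_selinux_setenforce'],
      default => undef,
    }

    if $selinux_fact != undef and $selinux_file_template != '' {
      file { '/etc/selinux/config':
        ensure  => present,
        content => psick::template($selinux_file_template,$selinux_params),
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        notify  => $setenforce_notify,
      }
    }

    if $selinux_fact != undef and $selinux_dir_source != '' {
      file { '/etc/selinux':
        ensure  => directory,
        source  => $selinux_dir_source,
        recurse => $selinux_dir_recurse,
        force   => $selinux_dir_force,
        purge   => $selinux_dir_purge,
        owner   => 'root',
        group   => 'root',
        notify  => $setenforce_notify,
      }
    }

    # setenforce only toggles enforcing/permissive at runtime; 'disabled'
    # maps to permissive until the next reboot (see the notify below).
    $setenforce_status = $state ? {
      'permissive' => '0',
      'disabled'   => '0',
      'enforcing'  => '1',
    }

    # The interpolated value is constrained to '0' or '1' by the selector
    # above, so no untrusted input reaches the command line.
    exec { 'psick_selinux_setenforce':
      command     => "setenforce ${setenforce_status}",
      path        => $::path,
      refreshonly => true,
    }

    # Relabeling required when switching from disabled to permissive or enforcing.
    if $state in ['enforcing','permissive'] and $selinux_fact == false {
      file { '/.autorelabel':
        ensure  => 'file',
        owner   => 'root',
        group   => 'root',
        content => "# Created by Puppet for disabled to ${state} SELinux switch\n",
      }
    }

    # Going from enabled to disabled cannot complete without a reboot.
    if $state == 'disabled' and $selinux_fact == true {
      notify { 'Reboot needed':
        message => 'You need to reboot the system to fully disable SElinux. Now operating in permissive mode',
      }
    }
  }
}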