# File 'manifests/init.pp', line 1
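# Class: selinux
#
# Installs the SELinux utilities package, manages /etc/selinux/config and,
# where the kernel allows it without a reboot, switches the running mode
# with setenforce.
#
# Parameters:
#   $mode - desired SELinux mode: 'enforcing', 'permissive' or 'disabled'.
#           Any other value fails catalog compilation.
#
# NOTE(security): the default for $mode is 'disabled'. Declaring this class
# without an explicit $mode on a host that is currently enforcing runs
# `setenforce 0`, i.e. it drops the host to permissive immediately. Callers
# that want SELinux protection must pass mode => 'enforcing' explicitly.
class selinux ($mode='disabled') inherits selinux::params {
  # Fixed search path for the exec resources below, so setenforce is resolved
  # from system directories rather than from whatever PATH the agent inherited.
  Exec {
    path => '/bin:/sbin:/usr/bin:/usr/sbin',
  }

  package { $selinux::params::selinux_utils:
    ensure => present,
  }

  # Running mode according to facts: a false $::selinux fact means SELinux is
  # off, otherwise the $::selinux_current_mode fact is used as-is.
  # NOTE(review): bool2boolstr() is defined outside this file; presumably it
  # covers the string form of the boolean fact - confirm.
  $current_mode = $::selinux ? {
    bool2boolstr(false) => 'disabled',
    false               => 'disabled',
    default             => $::selinux_current_mode,
  }

  # Persistent configuration, read-only for every user. The template is not
  # shown here; presumably it renders $mode - confirm against config.erb.
  file { '/etc/selinux/config':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => template("${module_name}/config.erb"),
    require => Package[$selinux::params::selinux_utils],
  }

  # Only act on the running system when it differs from the requested mode.
  if $current_mode != $mode {
    case $mode {
      'enforcing': {
        case $current_mode {
          'disabled': {
            # A disabled kernel cannot be switched at runtime.
            notify { 'Reboot required to enable SELinux': }
          }
          'permissive': {
            exec { "setenforce ${mode}":
              command => 'setenforce 1',
              # Reference the package by the same params value it is declared
              # with; a hard-coded 'libselinux-utils' breaks the catalog when
              # selinux::params names the package differently.
              require => Package[$selinux::params::selinux_utils],
            }
          }
          default: { fail("this should not happen: unexpected current SELinux mode '${current_mode}'") }
        }
      }
      'disabled': {
        case $current_mode {
          'enforcing': {
            # Enforcement stops as soon as this exec runs; the host stays
            # permissive until the next reboot applies the config file.
            notify { 'Reboot required to disable SELinux, setting permissive instead': }
            exec { "setenforce ${mode}":
              command => 'setenforce 0',
              require => Package[$selinux::params::selinux_utils],
            }
          }
          'permissive': {
            notify { "Reboot required to disable SELinux, current mode: ${current_mode}": }
          }
          default: { fail("this should not happen: unexpected current SELinux mode '${current_mode}'") }
        }
      }
      'permissive': {
        case $current_mode {
          'enforcing': {
            exec { "setenforce ${mode}":
              command => 'setenforce 0',
              require => Package[$selinux::params::selinux_utils],
            }
          }
          'disabled': {
            notify { "Reboot required to enable SELinux, current mode: ${current_mode}": }
          }
          default: { fail("this should not happen: unexpected current SELinux mode '${current_mode}'") }
        }
      }
      default: { fail('supported modes: enforcing, permissive and disabled') }
    }
  }
}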