Puppet Class: firewalld::lockdown_whitelist

Defined in:
manifests/lockdown_whitelist.pp

Overview

Class: firewalld::lockdown_whitelist

Defines a lockdown whitelist: the SELinux contexts, commands, users and user IDs that are still allowed to change firewall configuration while the firewalld lockdown feature is enabled. The whitelist has no effect until lockdown is switched on; this class only writes the list. See class firewalld::configuration and the firewalld.lockdown-whitelist(5) man page, and the background at fedoraproject.org/wiki/Features/FirewalldLockdown. The result is the file /etc/firewalld/lockdown-whitelist.xml.

Parameters

selinux_contexts

list of strings, each the full SELinux security context (user:role:type:level) of a running application or service that may change firewall configuration.

commands

list of strings, each a complete command line: the absolute path of the executable followed by its arguments, as firewalld will see it when matching the caller.

users

list of hashes, one per user. Each hash must specify exactly one of username or userid:

users => [
  {
    username => string,   # mandatory to specify either username or userid
    userid   => string,   # (user ID as a string), but not both
  },
  …
]

Examples

class { 'firewalld::lockdown_whitelist':
  selinux_contexts => [
    'system_u:system_r:NetworkManager_t:s0',
    'system_u:system_r:virtd_t:s0-s0:c0.c1023',
  ],
  commands         => ['/usr/bin/python -Es /usr/bin/firewall-config'],
  users            => [{ username => 'me' }],
}

Parameters:

  • selinux_contexts (Any) (defaults to: [])
  • commands (Any) (defaults to: [])
  • users (Any) (defaults to: [])
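The class renders the whitelist through an ERB template that this page does not show. The following is an added example, not the module's template or any firewalld code: a small Python serializer and parser for lockdown-whitelist.xml written to the element and attribute names documented in firewalld.lockdown-whitelist(5) (`<selinux context=...>`, `<command name=...>`, `<user name=...>` / `<user id=...>`), plus the "exactly one of username or userid" check the class documentation demands. The sample values are constructed: they repeat the Examples section above with an extra userid entry so both user forms are exercised.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the values from the Examples section plus a
# userid entry, so both user forms are exercised.
SELINUX_CONTEXTS = [
    "system_u:system_r:NetworkManager_t:s0",
    "system_u:system_r:virtd_t:s0-s0:c0.c1023",
]
COMMANDS = ["/usr/bin/python -Es /usr/bin/firewall-config"]
USERS = [{"username": "me"}, {"userid": "1000"}]


def validate_users(users):
    """Return a list of problems; an empty list means every entry is acceptable.

    Rule from the class documentation: each entry must set exactly one of
    'username' or 'userid'. An entry with both, neither, or unknown keys
    would otherwise become a <user> element firewalld cannot apply.
    """
    problems = []
    for i, entry in enumerate(users):
        present = [k for k in ("username", "userid") if entry.get(k) not in (None, "")]
        if len(present) != 1:
            problems.append(f"users[{i}]: need exactly one of username/userid, got {entry!r}")
        unknown = set(entry) - {"username", "userid"}
        if unknown:
            problems.append(f"users[{i}]: unknown keys {sorted(unknown)}")
    return problems


def render_whitelist(selinux_contexts=(), commands=(), users=()):
    """Serialize the three lists to lockdown-whitelist.xml and return it as bytes.

    Element and attribute names follow firewalld.lockdown-whitelist(5):
    <selinux context=...>, <command name=...>, <user name=...> or <user id=...>.
    """
    problems = validate_users(users)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("whitelist")
    for ctx in selinux_contexts:
        ET.SubElement(root, "selinux", context=ctx)
    for cmd in commands:
        ET.SubElement(root, "command", name=cmd)
    for entry in users:
        if entry.get("username"):
            ET.SubElement(root, "user", name=entry["username"])
        else:
            ET.SubElement(root, "user", id=str(entry["userid"]))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_whitelist(data):
    """Read a whitelist document back into the class's parameter shape.

    Useful for checking the file Puppet wrote on a host; unknown elements
    are rejected rather than silently ignored.
    """
    root = ET.fromstring(data)
    if root.tag != "whitelist":
        raise ValueError(f"unexpected root element {root.tag!r}")
    result = {"selinux_contexts": [], "commands": [], "users": []}
    for el in root:
        if el.tag == "selinux":
            result["selinux_contexts"].append(el.attrib["context"])
        elif el.tag == "command":
            result["commands"].append(el.attrib["name"])
        elif el.tag == "user" and "name" in el.attrib:
            result["users"].append({"username": el.attrib["name"]})
        elif el.tag == "user" and "id" in el.attrib:
            result["users"].append({"userid": el.attrib["id"]})
        else:
            raise ValueError(f"unexpected element <{el.tag} {el.attrib}>")
    return result


if __name__ == "__main__":
    document = render_whitelist(SELINUX_CONTEXTS, COMMANDS, USERS)
    print(document.decode())
    # Round trip: what we wrote is what a reader of the file gets back.
    assert parse_whitelist(document) == {
        "selinux_contexts": SELINUX_CONTEXTS,
        "commands": COMMANDS,
        "users": USERS,
    }
```

On a host where lockdown is already enabled, `firewall-cmd --query-lockdown` and `firewall-cmd --list-lockdown-whitelist-commands` (likewise `--list-lockdown-whitelist-contexts`, `--list-lockdown-whitelist-users`, `--list-lockdown-whitelist-uids`) confirm that firewalld picked up the file this class writes, which is the check worth running after the first Puppet run, since an empty or misparsed whitelist under lockdown blocks every caller, including the Puppet agent's own later changes.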


# File 'manifests/lockdown_whitelist.pp', line 48

class firewalld::lockdown_whitelist(
  $selinux_contexts = [],
  $commands         = [],
  $users            = [],
) {
  include firewalld::configuration

  # Each user entry must carry exactly one of 'username' or 'userid'.
  # The original guard compared the stringified array against [] (always
  # true) and left the check as a TODO; this enforces it with an XOR on key
  # presence and fails the catalog rather than writing a <user> element
  # firewalld cannot apply. Iteration requires the Puppet 4 language.
  $users.each |$user| {
    unless ('username' in $user) != ('userid' in $user) {
      fail("firewalld::lockdown_whitelist: user entry ${user} must specify exactly one of username or userid")
    }
  }

  # The whitelist is only consulted while lockdown is enabled; it is written
  # unconditionally so enabling lockdown later does not lock everyone out.
  file { '/etc/firewalld/lockdown-whitelist.xml':
    content => template('firewalld/lockdown-whitelist.xml.erb'),
    owner   => root,
    group   => root,
    mode    => '0644',
    require => Package['firewalld'],
    notify  => Service['firewalld'],
  }
}