Defined Type: selinux::port

Defined in:
manifests/port.pp

Summary

Manage a SELinux local network port context setting

Overview

This defined type manages a local network port context setting and persists it across reboots.

Examples:

Add port-context syslogd_port_t to port 8514/tcp

selinux::port { 'allow-syslog-relp':
  ensure   => 'present',
  seltype  => 'syslogd_port_t',
  protocol => 'tcp',
  port     => 8514,
}

Parameters:

  • ensure (Enum['present', 'absent']) (defaults to: 'present')

    Set to present to add or absent to remove a port context.

  • seltype (String)

    An SELinux port type

  • protocol (Enum['tcp', 'udp'])

    Either 'tcp' or 'udp'. The parameter type is Enum['tcp', 'udp'], so 'ipv4' and 'ipv6' are not accepted here.

  • port (Optional[Integer[1,65535]]) (defaults to: undef)

    A network port number, like 8514. Exactly one of port or port_range must be given.

  • port_range (Optional[Tuple[Integer[1,65535], 2, 2]]) (defaults to: undef)

    A port-range tuple, e.g. [9090, 9095], with the low port first.



# File 'manifests/port.pp', line 20

# @summary Manage a SELinux local network port context setting.
#
# Maps a single port, or an inclusive port range, for one protocol to an
# SELinux port type through the `selinux_port` resource. Exactly one of
# `port` or `port_range` must be supplied. The resource is ordered against
# the module's anchors so that additions happen after the policy modules
# are loaded and removals happen before they are unloaded.
#
# @param seltype    SELinux port type to assign, e.g. 'syslogd_port_t'.
#                   Only typed as String here; the value is handed to
#                   `selinux_port` as-is.
# @param protocol   'tcp' or 'udp'.
# @param port       Single port number; mutually exclusive with `port_range`.
# @param port_range Two-element [low, high] tuple; mutually exclusive with
#                   `port`. Must satisfy low <= high.
# @param ensure     'present' to add the mapping, 'absent' to remove it.
define selinux::port (
  String                             $seltype,
  Enum['tcp', 'udp']                 $protocol,
  Optional[Integer[1,65535]]         $port = undef,
  Optional[Tuple[Integer[1,65535], 2, 2]] $port_range = undef,
  Enum['present', 'absent']          $ensure = 'present',
) {
  include selinux

  # Order this mapping against the module's anchors: additions run once the
  # policy modules are in place, removals run before they are taken out.
  case $ensure {
    'present': {
      Anchor['selinux::module post']
      -> Selinux::Port[$title]
      -> Anchor['selinux::end']
    }
    'absent': {
      Class['selinux::config']
      -> Selinux::Port[$title]
      -> Anchor['selinux::module pre']
    }
    default: {
      fail('Unexpected $ensure value')
    }
  }

  $has_port  = $port =~ NotUndef
  $has_range = $port_range =~ NotUndef

  unless $has_port or $has_range {
    fail("You must define either 'port' or 'port_range'")
  }
  if $has_port and $has_range {
    fail("You can't define both 'port' and 'port_range'")
  }

  # Normalise to an inclusive [low, high] pair so the resource below has a
  # single shape to deal with.
  $range = if $has_range { $port_range } else { [$port, $port] }

  # A single port always gives low == high, so this only fires for port_range.
  if $range[0] > $range[1] {
    fail("Malformed port range: ${port_range}")
  }

  # Do nothing unless SELinux is enabled
  if $facts['os']['selinux']['enabled'] {
    selinux_port { "${protocol}_${range[0]}-${range[1]}":
      ensure    => $ensure,
      low_port  => $range[0],
      high_port => $range[1],
      seltype   => $seltype,
      protocol  => $protocol,
    }
  }
}