Puppet Class: selinux

Defined in:
manifests/init.pp

Overview

Parameters:

  • package_ensure (String) (defaults to: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' }))

    The ensure status of packages to be installed

  • login_resources (Optional[Hash]) (defaults to: undef)

    A hash of resources to create on the system, in the form expected by `create_resources()` when called on the `selinux_login` type.

    By default, a deep merge strategy is used when performing automatic parameter lookups (APL) on this value.

    @example Change __default__ to user_u

    ---
    selinux::login_resources:
      "__default__":
        seuser: user_u
        mls_range: s0
      "%admins":
        seuser: staff_u
        # This only works if you enable mcstransd
        # using selinux::manage_mcstrans_service: true
        mls_range: "SystemLow-SystemHigh"
    
  • manage_mcstrans_package (Boolean)
  • manage_mcstrans_service (Boolean)
  • mcstrans_package_name (String)
  • mcstrans_service_name (String)
  • manage_restorecond_package (Boolean)
  • manage_restorecond_service (Boolean)
  • restorecond_package_name (String)
  • ensure (Selinux::State) (defaults to: 'enforcing')
  • kernel_enforce (Boolean) (defaults to: false)
  • autorelabel (Boolean) (defaults to: false)
  • manage_utils_package (Boolean) (defaults to: true)
  • mode (Enum['targeted','mls']) (defaults to: 'targeted')


# File 'manifests/init.pp', line 62

# Manages the SELinux state of a node through the contained install, config
# and service classes and, optionally, declares SELinux login mappings.
#
# Review notes:
#   * A boolean $ensure is normalised below: `true` becomes 'enforcing' and
#     `false` becomes 'disabled' (not 'permissive'). Whether Selinux::State
#     admits booleans is not visible in this file -- confirm against the type.
#   * $login_resources is applied only while the `os.selinux.current_mode`
#     fact is set and is not 'disabled'. On any other node the mappings are
#     skipped without a warning, so a host can report a clean run and still
#     carry none of the intended login confinement.
class selinux (
  # defaults are in module data
  Boolean                $manage_mcstrans_package,
  Boolean                $manage_mcstrans_service,
  String                 $mcstrans_package_name,
  String                 $mcstrans_service_name,
  Boolean                $manage_restorecond_package,
  Boolean                $manage_restorecond_service,
  String                 $restorecond_package_name,
  Selinux::State         $ensure                      = 'enforcing',
  Boolean                $kernel_enforce              = false,
  Boolean                $autorelabel                 = false,
  Boolean                $manage_utils_package        = true,
  String                 $package_ensure              = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' }),
  Enum['targeted','mls'] $mode                        = 'targeted',
  Optional[Hash]         $login_resources             = undef
) {

  # Normalise $ensure to a state name; anything that is not a boolean is
  # passed through unchanged.
  $state = case $ensure {
    true:    { 'enforcing' }
    false:   { 'disabled' }
    default: { $ensure }
  }

  # All four classes are contained, so relationships formed with this class
  # also apply to them.
  contain('selinux::install', 'selinux::config', 'selinux::service', 'vox_selinux')

  # install is applied before config; a change in config notifies service.
  # 'vox_selinux' is contained above but takes no part in this chain.
  Class['selinux::install'] -> Class['selinux::config'] ~> Class['selinux::service']

  # Declare login mappings only when some were supplied and the node reports
  # a current SELinux mode other than 'disabled'. The fact is read only after
  # $login_resources has tested true, as `and` short-circuits.
  if $login_resources
  and $facts['os']['selinux']['current_mode']
  and ($facts['os']['selinux']['current_mode'] != 'disabled') {
    # The hash is handed to selinux_login as supplied; nothing in this class
    # inspects its keys or values, so review the merged data before rollout.
    create_resources('selinux_login', $login_resources)
  }
}