# File 'manifests/service.pp', line 3
# @summary Manages the auxiliary SELinux services, mcstransd and restorecond.
#
# Private class (see assert_private() below); every setting is read from the
# main selinux class.
class selinux::service {
  assert_private()

  # An ensure of 'running' requires selinux to be enabled, so the services are
  # held 'stopped' whenever the configured state is 'disabled' or the fact
  # reports SELinux as not enabled. Both services stay enabled at boot either
  # way; the final state after reboot will be correct.
  if ($selinux::state != 'disabled') and $facts['os']['selinux']['enabled'] {
    $_aux_service_ensure = 'running'
  }
  else {
    $_aux_service_ensure = 'stopped'
  }

  if $selinux::manage_mcstrans_service {
    $_init_systems = pick($facts.dig('init_systems'), [])

    if 'systemd' in $_init_systems {
      # If /proc is mounted with hidepid > 0 and a GID is set, then the service
      # must have that GID added to its supplementary groups at start time.
      #
      # NOTE(review): newer kernels can report hidepid as a word instead of a
      # number; confirm the fact always yields a number here, since a string
      # would make the numeric comparison below fail catalog compilation.
      $_proc_hidepid = pick($facts.dig('simplib__mountpoints', '/proc', 'options_hash', 'hidepid'), 0)

      if $_proc_hidepid > 0 {
        $_proc_gid = $facts.dig('simplib__mountpoints', '/proc', 'options_hash', 'gid')

        if $_proc_gid {
          # The drop-in is only possible when the optional systemd module is present.
          simplib::assert_optional_dependency($module_name, 'puppet/systemd')

          # NOTE(review): the gid comes straight from a fact and is written
          # into the unit drop-in unchanged; consider constraining it to a
          # plain group id before interpolating - confirm the fact's type.
          systemd::dropin_file { "${module_name}_mcstransd_hidepid_add_gid.conf":
            unit    => "${selinux::mcstrans_service_name}.service",
            notify  => Service[$selinux::mcstrans_service_name],
            content => @("SYSTEMD_OVERRIDE")
              [Service]
              SupplementaryGroups=${_proc_gid}
              | SYSTEMD_OVERRIDE
          }
        }
      }
    }

    # hasstatus is false, so Puppet does not rely on the init script's status
    # command to decide whether the daemon is up.
    service { $selinux::mcstrans_service_name:
      ensure     => $_aux_service_ensure,
      enable     => true,
      hasrestart => true,
      hasstatus  => false,
      require    => Class['selinux::install'],
    }
  }

  if $selinux::manage_restorecond_service {
    service { 'restorecond':
      ensure     => $_aux_service_ensure,
      enable     => true,
      hasrestart => true,
      hasstatus  => false,
      require    => Class['selinux::install'],
    }
  }
}