diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp
index 2aba211..21eaee1 100644
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@@ -63,8 +63,35 @@ class selinux {
 require => File["/etc/selinux/config"],
 }
+ include selinux::tools
+
 }
+
+# Install tools for managing SELinux
+#
+class selinux::tools {
+
+ case $operatingsystem {
+ "fedora": { $package = "policycoreutils-python" }
+ "centos": {
+ case $operatingsystemrelease {
+ /^6/: { $package = "policycoreutils-python" }
+ default: { $package = "policycoreutils" }
+ }
+ }
+ default: {
+ fail("selinux::tools not supported on ${operatingsystem}")
+ }
+ }
+
+ package { $package:
+ ensure => installed,
+ }
+
+}
+
+
 # Set SELinux boolean value
 #
 # === Parameters
@@ -109,10 +136,13 @@ define selinux::boolean($value) {
 #
 define selinux::manage_fcontext($type, $recurse = true) {
+ include selinux::tools
+
 exec { "semanage fcontext -a -t '${type}' '${name}'":
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
- unless => "matchpathcon `echo '${name}' | sed -e 's/(.*$//'` | egrep -q ':${type}(:s[0-9]*)?$'",
- notify => Exec["restorecon ${name}"],
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ unless => "matchpathcon `echo '${name}' | sed -e 's/(.*$//'` | egrep -q ':${type}(:s[0-9]*)?$'",
+ notify => Exec["restorecon ${name}"],
+ require => Class["selinux::tools"],
 }
 if $recurse {
@@ -150,9 +180,12 @@ define selinux::manage_fcontext($type, $recurse = true) {
 #
 define selinux::manage_port($type, $proto) {
+ include selinux::tools
+
 exec { "semanage port -a -t ${type} -p ${proto} ${name}":
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
- unless => "semanage port -ln | egrep '^${type}[ ]*${proto}' | egrep ' ${name}(,.*)?\$'",
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ unless => "semanage port -ln | egrep '^${type}[ ]*${proto}' | egrep ' ${name}(,.*)?\$'",
+ require => Class["selinux::tools"],
 }
 }
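Review bot: The `default` arm of `case $operatingsystem` in the new `selinux::tools` class calls `fail()`, and because class `selinux` now does `include selinux::tools`, any node that previously compiled fine with `selinux` but reports an OS other than fedora or centos (RHEL reports `RedHat`, for example) will stop getting a catalog at all. The package choice is the same across the RHEL family, so `"centos", "redhat": {` as the arm label would cover it; if the module is intentionally CentOS/Fedora-only, that restriction belongs in the header comment, e.g. `# Install tools for managing SELinux (Fedora and CentOS only; other platforms fail catalog compilation)`. Matching the fact value against the lowercase labels also relies on `case` string comparison being case-insensitive, which depends on the Puppet version in use and is worth confirming. The whole class is contained in this hunk.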
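Review bot: `$type` and `$name` are interpolated straight into the `exec` title and its `unless` shell pipeline (here, and in the `semanage port` exec of the third hunk), so a value containing a single quote, a backtick or `$(` is interpreted by the shell instead of being handed to semanage, and neither define checks its parameters. Adding `if $type !~ /^[A-Za-z0-9_]+$/ { fail("selinux::manage_fcontext: invalid type '${type}'") }` at the top of the define, with a comparable allow-list for `$name` (file-context patterns legitimately contain `/`, `.`, `(`, `)`, `*`, `?` and `-`), turns such titles into a compile-time failure rather than a misbehaving command on every agent. The body of `selinux::manage_fcontext` continues past the end of the hunk.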
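Review bot: `$proto` is only ever passed through to `semanage port -p ${proto}` and to the `unless` egrep, so a typo such as `tpc` is not detected until the exec fails, and then it fails on every run of every agent using the define. `if $proto !~ /^(tcp|udp)$/ { fail("selinux::manage_port: proto must be tcp or udp, got '${proto}'") }` placed before the `exec` reports it once, at compile time. The `unless` also only looks for the requested `${type}`, so a port already assigned to some other type will make `semanage port -a` error out as already defined instead of being reassigned; whether a `-m` fallback is wanted there is a design decision, but the current behaviour deserves a comment on the exec. The define is complete within this hunk.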