Added a check that SELinux is enabled to the selinux::* defines.
This commit is contained in:
parent
3888a337f8
commit
347ce1c2c2
1 changed files with 68 additions and 56 deletions
|
@ -136,25 +136,29 @@ define selinux::boolean($value) {
|
||||||
#
|
#
|
||||||
define selinux::manage_fcontext($type, $recurse = true) {
|
define selinux::manage_fcontext($type, $recurse = true) {
|
||||||
|
|
||||||
include selinux::tools
|
if "${selinux}" == "true" {
|
||||||
|
|
||||||
exec { "semanage fcontext -a -t '${type}' '${name}'":
|
include selinux::tools
|
||||||
path => "/bin:/usr/bin:/sbin:/usr/sbin",
|
|
||||||
unless => "matchpathcon `echo '${name}' | sed -e 's/(.*$//'` | egrep -q ':${type}(:s[0-9]*)?$'",
|
|
||||||
notify => Exec["restorecon ${name}"],
|
|
||||||
require => Class["selinux::tools"],
|
|
||||||
}
|
|
||||||
|
|
||||||
if $recurse {
|
exec { "semanage fcontext -a -t '${type}' '${name}'":
|
||||||
$restorecon_opts = "-R"
|
path => "/bin:/usr/bin:/sbin:/usr/sbin",
|
||||||
} else {
|
unless => "matchpathcon `echo '${name}' | sed -e 's/(.*$//'` | egrep -q ':${type}(:s[0-9]*)?$'",
|
||||||
$restorecon_opts = ""
|
notify => Exec["restorecon ${name}"],
|
||||||
}
|
require => Class["selinux::tools"],
|
||||||
|
}
|
||||||
|
|
||||||
|
if $recurse {
|
||||||
|
$restorecon_opts = "-R"
|
||||||
|
} else {
|
||||||
|
$restorecon_opts = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
exec { "restorecon ${name}":
|
||||||
|
command => "restorecon -i ${restorecon_opts} `echo '${name}' | sed -e 's/(.*$//'`",
|
||||||
|
path => "/bin:/usr/bin:/sbin:/usr/sbin",
|
||||||
|
refreshonly => true,
|
||||||
|
}
|
||||||
|
|
||||||
exec { "restorecon ${name}":
|
|
||||||
command => "restorecon -i ${restorecon_opts} `echo '${name}' | sed -e 's/(.*$//'`",
|
|
||||||
path => "/bin:/usr/bin:/sbin:/usr/sbin",
|
|
||||||
refreshonly => true,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -180,12 +184,16 @@ define selinux::manage_fcontext($type, $recurse = true) {
|
||||||
#
|
#
|
||||||
define selinux::manage_port($type, $proto) {
|
define selinux::manage_port($type, $proto) {
|
||||||
|
|
||||||
include selinux::tools
|
if "${selinux}" == "true" {
|
||||||
|
|
||||||
|
include selinux::tools
|
||||||
|
|
||||||
|
exec { "semanage port -a -t ${type} -p ${proto} ${name}":
|
||||||
|
path => "/bin:/usr/bin:/sbin:/usr/sbin",
|
||||||
|
unless => "semanage port -ln | egrep '^${type}[ ]*${proto}' | egrep ' ${name}(,.*)?\$'",
|
||||||
|
require => Class["selinux::tools"],
|
||||||
|
}
|
||||||
|
|
||||||
exec { "semanage port -a -t ${type} -p ${proto} ${name}":
|
|
||||||
path => "/bin:/usr/bin:/sbin:/usr/sbin",
|
|
||||||
unless => "semanage port -ln | egrep '^${type}[ ]*${proto}' | egrep ' ${name}(,.*)?\$'",
|
|
||||||
require => Class["selinux::tools"],
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -208,45 +216,49 @@ define selinux::manage_port($type, $proto) {
|
||||||
#
|
#
|
||||||
define selinux::module($source) {
|
define selinux::module($source) {
|
||||||
|
|
||||||
$ext = regsubst($source, '.*\.(te|pp)', '\1')
|
if "${selinux}" == "true" {
|
||||||
case $ext {
|
|
||||||
"te": {
|
$ext = regsubst($source, '.*\.(te|pp)', '\1')
|
||||||
include selinux::module::devel
|
case $ext {
|
||||||
file { "/usr/local/src/selinux/${name}.te":
|
"te": {
|
||||||
ensure => present,
|
include selinux::module::devel
|
||||||
source => $source,
|
file { "/usr/local/src/selinux/${name}.te":
|
||||||
mode => "0644",
|
ensure => present,
|
||||||
owner => "root",
|
source => $source,
|
||||||
group => "root",
|
mode => "0644",
|
||||||
require => File["/usr/local/src/selinux"],
|
owner => "root",
|
||||||
notify => Exec["selinux-module-compile"],
|
group => "root",
|
||||||
|
require => File["/usr/local/src/selinux"],
|
||||||
|
notify => Exec["selinux-module-compile"],
|
||||||
|
}
|
||||||
|
$module = "/usr/local/src/selinux/${name}.pp"
|
||||||
|
}
|
||||||
|
"pp": {
|
||||||
|
$module = $source
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
fail("Invalid source '${source}' for selinux::module")
|
||||||
}
|
}
|
||||||
$module = "/usr/local/src/selinux/${name}.pp"
|
|
||||||
}
|
}
|
||||||
"pp": {
|
|
||||||
$module = $source
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
fail("Invalid source '${source}' for selinux::module")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
file { "/usr/share/selinux/targeted/${name}.pp":
|
file { "/usr/share/selinux/targeted/${name}.pp":
|
||||||
ensure => present,
|
ensure => present,
|
||||||
source => $module,
|
source => $module,
|
||||||
mode => "0644",
|
mode => "0644",
|
||||||
owner => "root",
|
owner => "root",
|
||||||
group => "root",
|
group => "root",
|
||||||
require => $ext ? {
|
require => $ext ? {
|
||||||
"te" => Exec["selinux-module-compile"],
|
"te" => Exec["selinux-module-compile"],
|
||||||
default => undef,
|
default => undef,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
selmodule { $name:
|
||||||
|
ensure => present,
|
||||||
|
require => File["/usr/share/selinux/targeted/${name}.pp"],
|
||||||
|
syncversion => true,
|
||||||
|
}
|
||||||
|
|
||||||
selmodule { $name:
|
|
||||||
ensure => present,
|
|
||||||
require => File["/usr/share/selinux/targeted/${name}.pp"],
|
|
||||||
syncversion => true,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
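Review bot: The new guard `if "${selinux}" == "true"` in selinux::manage_fcontext, selinux::manage_port and selinux::module reads `$selinux` unqualified from inside a define, so it resolves by dynamic scope and could be shadowed by a `$selinux` variable in any calling class or node rather than the facter fact; write it as `if "${::selinux}" == "true" {` so it is always the top-scope fact (and note the fact may be a boolean rather than the string "true" depending on the facter/Puppet version in use — worth confirming on a target host). A side effect worth documenting is that when the fact is false the defines now declare nothing at all, so any other manifest that depends on `Exec["restorecon ${name}"]`, `Class["selinux::tools"]` or `Selmodule[$name]` from these defines will fail catalog compilation on a non-SELinux host, and fcontext/port rules are not recorded for a host that is later switched from disabled to permissive/enforcing; a comment such as `# No-op on hosts where the selinux fact is not "true": no fcontext, port or module resources are declared.` above each guard would make that explicit. Unrelated to the guard but still visible in these hunks, `${name}` and `${type}` are interpolated unquoted or single-quoted into the `semanage`, `matchpathcon` and `restorecon` shell commands, so a resource title containing a quote or backtick would alter the command; the commit does not address this, and a pattern check on both values before the exec would be a cheap hardening.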