diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp
index aa33a80..da30f30 100644
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@@ -189,3 +189,88 @@ define selinux::manage_port($type, $proto) {
 }
 }
+
+
+# Install new SELinux module
+#
+# === Parameters
+#
+# $name:
+# Module name
+# $source:
+# Module source (.te) or compiled file (.pp).
+#
+# === Sample usage
+#
+# selinux::module { "munin-local":
+# source => "puppet:///files/common/selinux/munin-local.te",
+# }
+#
+define selinux::module($source) {
+
+ $ext = regsubst($source, '.*\.(te|pp)', '\1')
+ case $ext {
+ "te": {
+ include selinux::module::devel
+ file { "/usr/local/src/selinux/${name}.te":
+ ensure => present,
+ source => $source,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ require => File["/usr/local/src/selinux"],
+ notify => Exec["selinux-module-compile"],
+ }
+ $module = "/usr/local/src/selinux/${name}.pp"
+ }
+ "pp": {
+ $module = $source
+ }
+ default: {
+ fail("Invalid source '${source}' for selinux::module")
+ }
+ }
+
+ file { "/usr/share/selinux/targeted/${name}.pp":
+ ensure => present,
+ source => $module,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ require => $ext ? {
+ "te" => Exec["selinux-module-compile"],
+ default => undef,
+ },
+ }
+
+ selmodule { $name:
+ ensure => present,
+ require => File["/usr/share/selinux/targeted/${name}.pp"],
+ }
+
+}
+
+
+# Prequisites for compiling SELinux modules
+#
+class selinux::module::devel {
+
+ include selinux::tools
+
+ file { "/usr/local/src/selinux":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ }
+
+ exec { "selinux-module-compile":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "make -f /usr/share/selinux/devel/Makefile",
+ cwd => "/usr/local/src/selinux",
+ user => "root",
+ refreshonly => true,
+ require => Class["selinux::tools"],
+ }
+
+}
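Review bot: `$name` is interpolated unchecked into `/usr/local/src/selinux/${name}.te` and `/usr/share/selinux/targeted/${name}.pp` in `selinux::module`, so a title containing `/` or `..` (for example when callers take module names from an ENC or hiera) makes root write the policy files outside those directories and desynchronises the `${name}.pp` path that `selmodule { $name: }` is expected to find. Rejecting anything but a plain identifier at the top of the define closes that: `if $name !~ /^[A-Za-z0-9_-]+$/ { fail("Invalid module name '${name}' for selinux::module") }` (the `!~` match operator needs Puppet 0.25 or later; on older releases compare a `regsubst` result instead). The `regsubst` that derives `$ext` is unanchored, but an unmatched `$source` is returned unchanged, so it lands in the `default` branch and fails safely as intended. Separately, the header comment on `selinux::module::devel` reads `# Prequisites for compiling SELinux modules`; it should be `# Prerequisites for compiling SELinux modules`.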