Added support for compiling and installing custom SELinux modules.

2012-04-27 14:59:28 +03:00 · 2012-04-27 14:59:28 +03:00 · ca9aa3c997
commit ca9aa3c997
parent 1a5ff54588
1 changed files with 85 additions and 0 deletions
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@ -189,3 +189,88 @@ define selinux::manage_port($type, $proto) {
    }
 }
 # Install new SELinux module
 #
 # === Parameters
 #
 #   $name:
 #       Module name
 #   $source:
 #       Module source (.te) or compiled file (.pp).
 #
 # === Sample usage
 #
 # selinux::module { "munin-local":
 #     source => "puppet:///files/common/selinux/munin-local.te",
 # }
 #
 define selinux::module($source) {
    $ext = regsubst($source, '.*\.(te|pp)', '\1')
    case $ext {
        "te": {
            include selinux::module::devel
            file { "/usr/local/src/selinux/${name}.te":
                ensure  => present,
                source  => $source,
                mode    => "0644",
                owner   => "root",
                group   => "root",
                require => File["/usr/local/src/selinux"],
                notify  => Exec["selinux-module-compile"],
            }
            $module = "/usr/local/src/selinux/${name}.pp"
        }
        "pp": {
            $module = $source
        }
        default: {
            fail("Invalid source '${source}' for selinux::module")
        }
    }
    file { "/usr/share/selinux/targeted/${name}.pp":
        ensure  => present,
        source  => $module,
        mode    => "0644",
        owner   => "root",
        group   => "root",
        require => $ext ? {
          "te"    => Exec["selinux-module-compile"],
          default => undef,
        },
    }
    selmodule { $name:
        ensure  => present,
        require => File["/usr/share/selinux/targeted/${name}.pp"],
    }
 }
 # Prequisites for compiling SELinux modules
 #
 class selinux::module::devel {
    include selinux::tools
    file { "/usr/local/src/selinux":
        ensure => directory,
        mode   => "0755",
        owner  => "root",
        group  => "root",
    }
    exec { "selinux-module-compile":
        path        => "/bin:/usr/bin:/sbin:/usr/sbin",
        command     => "make -f /usr/share/selinux/devel/Makefile",
        cwd         => "/usr/local/src/selinux",
        user        => "root",
        refreshonly => true,
        require     => Class["selinux::tools"],
    }
 }