From e76a2259e088f8881679e5788034871d2d5ca086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Fri, 1 Oct 2010 23:04:52 +0300
Subject: [PATCH] Added support for setting SELinux mode.
---
 selinux/manifests/init.pp | 64 ++++++++++++++++++++++++++++++++++++
 selinux/templates/config.erb | 10 ++++++
 2 files changed, 74 insertions(+)
 create mode 100644 selinux/templates/config.erb
diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp
index b6b2f29..2249e01 100644
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@@ -1,4 +1,68 @@
+# Install SELinux prequisites
+#
+# === Global variables
+#
+# $selinux_type:
+# SELinux mode to use. Valid values are enforcing, permissive and
+# disabled. Defaults to permissive.
+#
+class selinux {
+
+ if $kernel != "Linux" {
+ fail("SELinux supported only on Linux systems")
+ }
+
+ if ! $selinux_type {
+ $selinux_type = "permissive"
+ }
+ case $selinux_type {
+ "enforcing": {}
+ "permissive": {}
+ "disabled": {}
+ default: { fail("Invalid SELinux mode ${selinux_type}") }
+ }
+
+ package { [ "selinux-policy-targeted", "setroubleshoot" ]:
+ ensure => installed,
+ }
+
+ file { "/etc/selinux/config":
+ ensure => present,
+ content => template("selinux/config.erb"),
+ mode => 0644,
+ owner => root,
+ group => root,
+ require => Package["selinux-policy-targeted"],
+ notify => Exec["set-selinux-mode"],
+ }
+
+ service { "setroubleshoot":
+ ensure => $selinux_type ? {
+ disabled => stopped,
+ default => running,
+ },
+ enable => $selinux_type ? {
+ disabled => false,
+ default => true,
+ },
+ hasstatus => true,
+ require => Package["setroubleshoot"],
+ }
+
+ exec { "set-selinux-mode":
+ command => $selinux_type ? {
+ "enforcing" => "setenforce 1",
+ "permissive" => "setenforce 0",
+ "disabled" => "/bin/true",
+ },
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ unless => "getenforce | egrep -i '${selinux_type}'",
+ require => file["/etc/selinux/config"],
+ }
+
+}
+
 # Set SELinux boolean value
 #
 # === Parameters
diff --git a/selinux/templates/config.erb b/selinux/templates/config.erb
new file mode 100644
index 0000000..1eb2fe6
--- /dev/null
+++ b/selinux/templates/config.erb
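Review bot: `require => file["/etc/selinux/config"]` in the `set-selinux-mode` exec uses a lowercase type name where every other reference in the hunk is capitalised (`Package[...]`, `Exec[...]`); the valid form is `require => File["/etc/selinux/config"],`, and since the file resource already `notify`s this exec the ordering is implied, so the line can be dropped altogether. Separately, the `disabled` branch runs `/bin/true` while `getenforce` still reports Enforcing or Permissive until the next boot, so the `unless` guard never matches and the exec is reported as a change on every run; the transition out of `disabled` relies on `setenforce`, which I believe exits non-zero on a kernel booted with SELinux disabled, so that case fails each run too. A comment above the exec such as `# setenforce only switches enforcing<->permissive at runtime; to/from disabled takes effect via /etc/selinux/config at next boot`, together with `onlyif => "test '${selinux_type}' != disabled",` so the no-op branch is not reported as a change, would make that contract explicit. The `getenforce | egrep -i '${selinux_type}'` interpolation is safe only because the `case` above rejects anything but the three literal values, which is worth stating in the header comment; the whole `selinux` class lies within this hunk.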
@@ -0,0 +1,10 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - SELinux is fully disabled.
+SELINUX=<%= selinux_type %>
+# SELINUXTYPE= type of policy in use. Possible values are:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+SELINUXTYPE=targeted
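Review bot: `SELINUX=<%= selinux_type %>` interpolates the variable straight into a file that is read at boot, with nothing in the template saying the value is constrained; the only guard is the `case` in class selinux, which lives in a different file. A template comment directly above that line, `<%# selinux_type is restricted to enforcing|permissive|disabled by class selinux; a change here is applied only at the next boot %>`, documents that trust boundary next to the line that depends on it. `SELINUXTYPE=targeted` is fixed, which matches the hard-coded `selinux-policy-targeted` package in init.pp, but the pairing deserves a one-line note so nobody changes one without the other.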