Added support for setting SELinux mode.

2010-10-01 23:04:52 +03:00 · 2010-10-01 23:04:52 +03:00 · e76a2259e0
commit e76a2259e0
parent 94fdb8825b
2 changed files with 74 additions and 0 deletions
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@ -1,4 +1,68 @@

+# Install SELinux prequisites
+#
+# === Global variables
+#
+#   $selinux_type:
+#       SELinux mode to use. Valid values are enforcing, permissive and
+#       disabled. Defaults to permissive.
+#
+class selinux {
+
+    if $kernel != "Linux" {
+        fail("SELinux supported only on Linux systems")
+    }
+    
+    if ! $selinux_type {
+        $selinux_type = "permissive"
+    }
+    case $selinux_type {
+        "enforcing":  {}
+        "permissive": {}
+        "disabled":   {}
+        default:      { fail("Invalid SELinux mode ${selinux_type}") }
+    }
+    
+    package { [ "selinux-policy-targeted", "setroubleshoot" ]:
+        ensure => installed,
+    }
+    
+    file { "/etc/selinux/config":
+        ensure  => present,
+        content => template("selinux/config.erb"),
+        mode    => 0644,
+        owner   => root,
+        group   => root,
+        require => Package["selinux-policy-targeted"],
+        notify  => Exec["set-selinux-mode"],
+    }
+    
+    service { "setroubleshoot":
+        ensure    => $selinux_type ? {
+            disabled => stopped,
+            default  => running,
+        },
+        enable    => $selinux_type ? {
+            disabled => false,
+            default  => true,
+        },
+        hasstatus => true,
+        require   => Package["setroubleshoot"],
+    }
+
+    exec { "set-selinux-mode":
+        command => $selinux_type ? {
+            "enforcing"  => "setenforce 1",
+            "permissive" => "setenforce 0",
+            "disabled"   => "/bin/true",
+        },
+        path    => "/bin:/usr/bin:/sbin:/usr/sbin",
+        unless  => "getenforce | egrep -i '${selinux_type}'",
+        require => file["/etc/selinux/config"],
+    }
+    
+}
+
 # Set SELinux boolean value
 #
 # === Parameters
--- a/selinux/templates/config.erb
+++ b/selinux/templates/config.erb
@ -0,0 +1,10 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - SELinux is fully disabled.
+SELINUX=<%= selinux_type %>
+# SELINUXTYPE= type of policy in use. Possible values are:
+#       targeted - Only targeted network daemons are protected.
+#       strict - Full SELinux protection.
+SELINUXTYPE=targeted