Puppet Class: selinux

Inherits:
selinux::params
Defined in:
manifests/init.pp

Overview

Class: selinux

This class manages SELinux on RHEL based systems.

Examples:

Enable enforcing mode with targeted policy

class { 'selinux':
  mode => 'enforcing',
  type => 'targeted',
}

Parameters:

  • mode (Any) (defaults to: $::selinux::params::mode)

    sets the operating state for SELinux. Default value: undef Allowed values: (enforcing|permissive|disabled|undef)

  • type (Any) (defaults to: $::selinux::params::type)

    sets the selinux type Default value: undef Allowed values: (targeted|minimum|mls|undef)

  • sx_mod_dir (Any) (defaults to: $::selinux::params::sx_mod_dir)

    directory where to store puppet managed selinux modules Default value: /usr/share/selinux Allowed values: absolute path

  • makefile (Any) (defaults to: $::selinux::params::makefile)

    the path to the systems SELinux makefile Default value: /usr/share/selinux/devel/Makefile Allowed value: absolute path

  • manage_package (Any) (defaults to: $::selinux::params::manage_package)

    manage the package for selinux tools Default value: true

  • package_name (Any) (defaults to: $::selinux::params::package_name)

    sets the name for the selinux tools package Default value: OS dependent (see params.pp)

  • boolean (Any) (defaults to: undef)

    Hash of selinux::boolean resource parameters

  • fcontext (Any) (defaults to: undef)

    Hash of selinux::fcontext resource parameters

  • module (Any) (defaults to: undef)

    Hash of selinux::module resource parameters

  • permissive (Any) (defaults to: undef)

    Hash of selinux::module resource parameters

  • port (Any) (defaults to: undef)

    Hash of selinux::port resource parameters



33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# File 'manifests/init.pp', line 33

class selinux (
  $mode           = $::selinux::params::mode,
  $type           = $::selinux::params::type,
  $sx_mod_dir     = $::selinux::params::sx_mod_dir,
  $makefile       = $::selinux::params::makefile,
  $manage_package = $::selinux::params::manage_package,
  $package_name   = $::selinux::params::package_name,

  ### START Hiera Lookups ###
  $boolean        = undef,
  $fcontext       = undef,
  $module         = undef,
  $permissive     = undef,
  $port           = undef,
  ### END Hiera Lookups ###

) inherits selinux::params {

  $mode_real = $mode ? {
    /\w+/   => $mode,
    default => 'undef',
  }

  $type_real = $type ? {
    /\w+/   => $type,
    default => 'undef',
  }

  validate_absolute_path($sx_mod_dir)
  validate_re($mode_real, ['^enforcing$', '^permissive$', '^disabled$', '^undef$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
  validate_re($type_real, ['^targeted$', '^minimum$', '^mls$', '^undef$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
  validate_string($makefile)
  validate_bool($manage_package)
  validate_string($package_name)

  class { '::selinux::package':
    manage_package => $manage_package,
    package_name   => $package_name,
  }

  class { '::selinux::config': }

  if $boolean {
    create_resources ( 'selinux::boolean', hiera_hash('selinux::boolean') )
  }
  if $fcontext {
    create_resources ( 'selinux::fcontext', hiera_hash('selinux::fcontext') )
  }
  if $module {
    create_resources ( 'selinux::module', hiera_hash('selinux::module') )
  }
  if $permissive {
    create_resources ( 'selinux::fcontext', hiera_hash('selinux::permissive') )
  }
  if $port {
    create_resources ( 'selinux::port', hiera_hash('selinux::port') )
  }

  # Ordering
  anchor { 'selinux::start': } ->
  Class['selinux::package'] ->
  Class['selinux::config'] ->
  anchor { 'selinux::module pre': } ->
  anchor { 'selinux::module post': } ->
  anchor { 'selinux::end': }
}