SELinux module for Puppet


Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Defined Types
  6. Development - Guide for contributing to the module
  7. Authors

Overview

This module manages SELinux on RHEL-based systems.

Requirements

  • Puppet 3.8.7 or later

Module Description

This module configures SELinux and/or deploys SELinux policy modules to a running system.

Get in touch

Known problems / limitations

  • If SELinux is disabled and you want to switch to permissive or enforcing, the system must be rebooted (a limitation of SELinux, not of this module). The module will not reboot the system for you.
  • If you add file contexts with semanage fcontext (which is what selinux::fcontext does), the order is important: if you add /my/folder before /my/folder/subfolder, only /my/folder will match (a limitation of SELinux). File contexts defined inside SELinux policy modules do not have this limitation. (GH-121)
  • selinux::module only accepts a type enforcement file (*.te); interface (*.if) and file-context (*.fc) files are not supported.
  • While SELinux is disabled, the defined types selinux::boolean, selinux::fcontext and selinux::port produce puppet agent runtime errors, because the underlying SELinux tools fail in that mode.
  • selinux::port has an action parameter, but specifying -d or --delete silently does nothing. (GH-164)
  • selinux::permissive can only set a domain to permissive; it cannot remove the permissive setting again. (GH-165)

Usage

There is puppet-strings generated documentation available in the docs/ folder of the GitHub repository.

It will be available at http://voxpupuli.org/pupppet-selinux some time in the future.

Reference

Basic usage

include selinux

This will include the module and allow you to use the provided defined types, but will not modify existing SELinux settings on the system.

More advanced usage

class { 'selinux':
  mode => 'enforcing',
  type => 'targeted',
}

This will include the module and manage the SELinux mode (possible values are enforcing, permissive and disabled) and the policy type, i.e. SELINUXTYPE in /etc/selinux/config (possible values are targeted, minimum and mls). Note that disabling SELinux requires a reboot to fully take effect; until then the system runs in permissive mode.

Deploy a custom module

selinux::module { 'resnet-puppet':
  ensure => 'present',
  # only a type enforcement (*.te) source is supported, see known limitations
  source => 'puppet:///modules/site_puppet/site-puppet.te',
}

Set a boolean value

selinux::boolean { 'puppetagent_manage_all_files': }
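The three snippets above can be combined into one site profile. The example below is added here and is not code from the puppet-selinux project: it also handles the known limitation that selinux::boolean, selinux::fcontext and selinux::port fail while SELinux is disabled, by checking the enabled fact (documented under Development) before declaring them. The class name profile::selinux_baseline and the notify resource are this example's own; the resource titles and the .te source path are the ones used above.

```puppet
# Added example, not part of the puppet-selinux module: a site profile that
# applies the baseline shown in this README and skips the defined types that
# the README lists as failing while SELinux is disabled.
class profile::selinux_baseline {

  # Manage mode and policy type. On a node where SELinux is currently
  # disabled this only rewrites /etc/selinux/config; the README notes that a
  # reboot is still required before the tools (and the facts used below)
  # see SELinux as enabled.
  class { 'selinux':
    mode => 'enforcing',
    type => 'targeted',
  }

  # Deploying a policy module only needs the *.te source; selinux::module
  # does not take *.if or *.fc files.
  selinux::module { 'resnet-puppet':
    ensure => 'present',
    source => 'puppet:///modules/site_puppet/site-puppet.te',
  }

  # selinux::boolean, selinux::fcontext and selinux::port call the SELinux
  # userland tools, which fail while SELinux is disabled. The enabled fact
  # is false in disabled mode and true in permissive or enforcing mode, so
  # the guard skips them until the node has been rebooted with SELinux on.
  # On Puppet 3 without the $facts hash, the legacy $::selinux fact carries
  # the same boolean.
  if $facts['os']['selinux']['enabled'] {
    selinux::boolean { 'puppetagent_manage_all_files': }
  } else {
    # Hypothetical notify resource so the skipped step is visible in the run
    # report instead of being silently omitted.
    notify { 'selinux-disabled':
      message => 'SELinux is disabled on this node; booleans are not applied until a reboot with SELinux enabled.',
    }
  }
}
```

On the first run after switching a disabled node to enforcing, the guard is still false (the fact reflects the running kernel, not the new config), so the boolean is applied on the next run after the reboot. Keep the profile idempotent by not adding resources that depend on the boolean having been set.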

Defined Types

  • boolean - Set seboolean values
  • fcontext - Define fcontext types and equals values
  • module - Manage an SELinux policy module
  • permissive - Set a domain to permissive
  • port - Manage SELinux port contexts

Development

Things to remember

  • The SELinux tools behave oddly when SELinux is disabled
    • semanage requires --noreload while in disabled mode when adding or changing something
    • Only a few --list operations work

Facter facts

Fact values may be unexpected while SELinux is disabled: one might expect config_mode to carry the value from /etc/selinux/config, but only the boolean enabled fact is set (to false); config_mode and current_mode are undef.

The most important facts:

Fact                                     Fact (old)               Mode: disabled   Mode: permissive                          Mode: enforcing
$facts['os']['selinux']['enabled']       $::selinux               false            true                                      true
$facts['os']['selinux']['config_mode']   $::selinux_config_mode   undef            value of SELINUX in /etc/selinux/config   value of SELINUX in /etc/selinux/config
$facts['os']['selinux']['current_mode']  $::selinux_current_mode  undef            output of getenforce, downcased           output of getenforce, downcased

Authors