SELinux module for Puppet
Table of Contents
- Overview
- Module Description - What the module does and why it is useful
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Defined Types
- Development - Guide for contributing to the module
- Authors
Overview
This class manages SELinux on RHEL based systems.
Requirements
- Puppet 3.8.7 or later
Module Description
This module will configure SELinux and/or deploy SELinux-based policy modules to a running system.
Get in touch
- IRC: #voxpupuli on irc.freenode.net (Freenode WebChat)
- Mailing list: voxpupuli@groups.io (groups.io web interface)
Known problems / limitations
- If SELinux is disabled and you want to switch to permissive or enforcing you are required to reboot the system (limitation of SELinux). The module won't do this for you.
- If you add file contexts with `semanage fcontext` (what `selinux::fcontext` does) the order is important. If you add /my/folder before /my/folder/subfolder only /my/folder will match (limitation of SELinux). There is no such limitation for file contexts defined in SELinux modules. (GH-121)
- `selinux::module` only allows you to add a type enforcement file (`*.te`) but no interfaces (`*.if`) or file contexts (`*.fc`).
- While SELinux is disabled the defined types `selinux::boolean`, `selinux::fcontext` and `selinux::port` will produce puppet agent runtime errors because the underlying tools fail.
- `selinux::port` has the `action` parameter which, if you specify `-d` or `--delete`, silently does nothing. (GH-164)
- `selinux::permissive` only allows you to set a domain to permissive but not to remove it. (GH-165)
Usage
There is puppet-strings generated documentation available in the docs/ folder of the github repo.
It will be available at http://voxpupuli.org/pupppet-selinux some time in the future.
Reference
Basic usage
```puppet
include selinux
```
This will include the module and allow you to use the provided defined types, but will not modify existing SELinux settings on the system.
More advanced usage
```puppet
class { 'selinux':
  mode => 'enforcing',
  type => 'targeted',
}
```
This will include the module and manage the SELinux mode (possible values are `enforcing`, `permissive`, and `disabled`) and enforcement type (possible values are `targeted`, `minimum`, and `mls`). Note that disabling SELinux requires a reboot to fully take effect. It will run in `permissive` mode until then.
Deploy a custom module
```puppet
selinux::module { 'resnet-puppet':
  ensure => 'present',
  source => 'puppet:///modules/site_puppet/site-puppet.te',
}
```
Set a boolean value
```puppet
selinux::boolean { 'puppetagent_manage_all_files': }
```
Defined Types
- `boolean` - Set seboolean values
- `fcontext` - Define fcontext types and equals values
- `module` - Manage an SELinux module
- `permissive` - Set a context to permissive
- `port` - Set SELinux port context policies
Development
Things to remember
- The SELinux tools behave oddly when SELinux is disabled
  - `semanage` requires `--noreload` while in disabled mode when adding or changing something
  - Only a few `--list` operations work
Facter facts
The fact values might be unexpected while in disabled mode. One could expect `config_mode` to be set, but only the boolean `enabled` is set.
The most important facts:
| Fact | Fact (old) | Mode: disabled | Mode: permissive | Mode: enforcing |
|---|---|---|---|---|
| `$facts['os']['selinux']['enabled']` | `$::selinux` | false | true | true |
| `$facts['os']['selinux']['config_mode']` | `$::selinux_config_mode` | undef | Value of SELINUX in /etc/selinux/config | Value of SELINUX in /etc/selinux/config |
| `$facts['os']['selinux']['current_mode']` | `$::selinux_current_mode` | undef | Value of `getenforce` downcased | Value of `getenforce` downcased |
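The following profile class is an added example (not part of the puppet-selinux module itself) that ties the facts table to the Known problems list: it declares the module's defined types only when the `enabled` fact reports SELinux as on, so a disabled host does not produce agent runtime errors from `semanage`/`setsebool`, and it orders two `selinux::fcontext` resources so the more specific path is added first, consistent with the ordering limitation described above. The class name `profile::selinux_webapp`, the `site_puppet` module, the policy module name, the paths, the port number and the parameter names `pathname`, `context`, `port`, `protocol` and `ensure` are assumptions for illustration; check the puppet-strings documentation in docs/ for the exact parameter names of your module version. It also assumes Puppet 4 or later with structured facts available.

```puppet
# profile::selinux_webapp: added example, not shipped with puppet-selinux.
#
# Assumed parameter names (verify against docs/ for your version):
#   selinux::fcontext -> pathname, context
#   selinux::port     -> context, port, protocol
#   selinux::boolean  -> ensure
class profile::selinux_webapp (
  String $mode = 'enforcing',
) {
  # Manage mode and policy type. Leaving the disabled state still needs a
  # reboot, which the module will not perform.
  class { 'selinux':
    mode => $mode,
    type => 'targeted',
  }

  # The structured fact from the table above; it is false (not undef) while
  # SELinux is disabled, so it is safe to branch on directly.
  $selinux_enabled = $facts['os']['selinux']['enabled']

  if $selinux_enabled {
    # Custom policy module; only a .te file is accepted (no .if/.fc).
    selinux::module { 'site-webapp':
      ensure => 'present',
      source => 'puppet:///modules/site_puppet/site-webapp.te',
    }

    selinux::boolean { 'httpd_can_network_connect_db':
      ensure => 'on',
    }

    # semanage fcontext is order sensitive (see Known problems): the more
    # specific path is declared first so the broader pattern does not
    # shadow it. The arrow enforces that order within the catalog.
    selinux::fcontext { 'webapp-uploads':
      pathname => '/srv/webapp/uploads(/.*)?',
      context  => 'httpd_sys_rw_content_t',
    }
    -> selinux::fcontext { 'webapp-root':
      pathname => '/srv/webapp(/.*)?',
      context  => 'httpd_sys_content_t',
    }

    # Label an extra listener port; pick a port not already assigned by
    # the policy, since semanage port -a fails on an existing mapping.
    selinux::port { 'webapp-alt-http':
      context  => 'http_port_t',
      port     => 8090,
      protocol => 'tcp',
    }
  } else {
    # The defined types call semanage/setsebool, which fail while SELinux
    # is disabled. Skip them and make the condition visible in the report
    # instead of failing the run.
    notify { 'selinux-disabled':
      message => "SELinux is disabled on ${facts['networking']['fqdn']}; SELinux policy resources skipped until the host is rebooted into ${mode} mode",
    }
  }
}
```

Once the host has been rebooted with SELinux enabled, the `enabled` fact flips to true and the next agent run applies the guarded resources without any change to the manifest.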
Authors
- VoxPupuli voxpupuli@groups.io
- James Fryman james@fryman.io