Defined Type: selinux::module

Defined in:
manifests/module.pp

Overview

Defined type: selinux::module

This defined type either installs or removes a SELinux policy module on a running system. It lets an administrator keep .te policy sources as plain text in a repository while the managed system compiles and loads the resulting modules.

Concepts incorporated from: http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/

Examples:

compile and load the apache module

selinux::module{ 'apache':
  ensure => 'present',
  source => 'puppet:///modules/selinux/apache.te',
}

Parameters:

  • ensure (Any) (defaults to: 'present')

    'present' to build and load the module, 'absent' to remove it

  • sx_mod_dir (Any) (defaults to: '/usr/share/selinux')

    directory where the .te source is stored and the module is built. Valid values: absolute path

  • source (Any) (defaults to: undef)

    source of the SELinux .te file (either a puppet:// URI or a local file path); either source or content is required when ensure is 'present'

  • content (Any) (defaults to: undef)

    literal content of the .te file, as an alternative to source

  • makefile (Any) (defaults to: '/usr/share/selinux/devel/Makefile')

    absolute path to the selinux-devel Makefile

  • prefix (DEPRECATED) (defaults to: '')

    the prefix to add to the loaded module. Defaults to ''. Does not work with CentOS >= 7.2 and Fedora >= 24 SELinux tools.

  • syncversion (Any) (defaults to: undef)

    value passed through to the syncversion parameter of the selmodule resource
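As an added example that is not part of the module's own documentation, the manifest below carries a small local policy inline through `content` instead of `source`, and enables `syncversion` so that a version bump in the `policy_module()` header triggers a reload. The module name `local_httpd_logs` and the rules it contains are constructed for illustration.

```puppet
# Added example (not from the module's own docs): carry a small local policy
# inline via `content` instead of shipping a .te file with `source`.
# The module name `local_httpd_logs` and its rules are constructed for
# illustration; derive real rules from denials in your own audit log.
selinux::module { 'local_httpd_logs':
  ensure      => 'present',
  # selmodule compares the version in policy_module() with the loaded module
  # and reloads only when they differ, so bump 1.0.0 whenever the rules change.
  syncversion => true,
  content     => @(TE),
    policy_module(local_httpd_logs, 1.0.0)

    require {
      type httpd_t;
      type var_log_t;
      class dir { search getattr };
    }

    # Let httpd traverse /var/log to reach its own log directory.
    allow httpd_t var_log_t:dir { search getattr };
    | TE
}
```

With the defaults, Puppet writes this text to /usr/share/selinux/local_httpd_logs.te, runs make against the devel Makefile to produce local_httpd_logs.pp, and loads it through the selmodule resource.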



# File 'manifests/module.pp', line 25

define selinux::module(
  $source       = undef,
  $content      = undef,
  $ensure       = 'present',
  $makefile     = '/usr/share/selinux/devel/Makefile',
  $prefix       = '',
  $sx_mod_dir   = '/usr/share/selinux',
  $syncversion  = undef,
) {

  include ::selinux

  Anchor['selinux::module pre'] ->
  Selinux::Module[$title] ->
  Anchor['selinux::module post']

  validate_re($ensure, [ '^present$', '^absent$' ], '$ensure must be "present" or "absent"')
  if $ensure == 'present' and $source == undef and $content == undef {
    fail("You must provide 'source' or 'content' field for selinux module")
  }
  if $source != undef {
    validate_string($source)
  }
  if $content != undef {
    validate_string($content)
  }
  validate_string($prefix)
  validate_absolute_path($sx_mod_dir)
  validate_absolute_path($makefile)
  if $syncversion != undef {
    validate_bool($syncversion)
  }

  ## Begin Configuration
  file { "${sx_mod_dir}/${prefix}${name}.te":
    ensure  => $ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => $source,
    content => $content,
  }
  ~>
  exec { "${sx_mod_dir}/${prefix}${name}.pp":
    # Only allow refresh in the event that the initial .te file is updated.
    command     => shellquote('make', '-f', $makefile, "${prefix}${name}.pp"),
    path        => '/bin:/sbin:/usr/bin:/usr/sbin',
    refreshonly => true,
    cwd         => $sx_mod_dir,
  }
  ->
  selmodule { $name:
    # Load the module if it has changed or was not loaded.
    # Warning: bump the module version in the .te file when its rules change,
    # otherwise syncversion will not refresh the loaded module.
    ensure        => $ensure,
    selmodulepath => "${sx_mod_dir}/${prefix}${name}.pp",
    syncversion   => $syncversion,
  }
}