Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=2.7.20 <9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'thias-selinux', '1.0.10'
puppet-selinux
Overview
Transparently create SELinux modules based on AVC denial messages, to easily allow otherwise denied system operations, and set file and directory security contexts
- selinux: Main class which makes sure the basics are set up correctly.
- selinux::audit2allow: Definition for allowing based on avc denial messages.
- selinux::filecontext: Manage SELinux file context.
- selinux::dircontext: Manage SELinux file context recursively (directories).
- selinux::portcontext: Manage SELinux port context.
Note: For SELinux booleans, use the Puppet built-in selboolean type.
selinux
Main SELinux class to be included on all nodes. If SELinux isn't available on the node, it does nothing.
selinux::audit2allow
Local SELinux modules, created from avc denial messages to be allowed.
The SELinux modules created and loaded are automatically prefixed with "local"
in order to never conflict with modules from the currently loaded policy.
You can get a list of existing loaded modules with: semodule -l
Example:
```puppet
selinux::audit2allow { 'mydaemon':
  source => "puppet:///modules/${module_name}/selinux/messages.mydaemon",
}
```
The content of the above files is based on kernel/audit avc denial messages, typically found in /var/log/audit/audit.log. See the included messages.nrpe file for an example.
When using it multiple times on a single node, the selinux::concat parameter can be switched to true in order to create a single SELinux module instead of one each time it is used. This speeds up Puppet runs a lot.
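As an added illustration (not code from the thias-selinux module), the following Python parses constructed AVC denial lines of the kind a messages.* file contains and builds the allow rules and Type Enforcement source that audit2allow would derive from them, flagging permissions such as execmem that deserve review rather than being allowed just because they were denied. The local_ module prefix and the exact .te layout are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of kernel AVC denials as they appear in /var/log/audit/audit.log.
SAMPLE_AVC = """\
type=AVC msg=audit(1409846400.123:456): avc:  denied  { read } for  pid=1234 comm="nrpe" name="status" dev="sda1" ino=5678 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1409846400.124:457): avc:  denied  { open } for  pid=1234 comm="nrpe" path="/var/lib/nrpe/status" dev="sda1" ino=5678 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1409846400.200:458): avc:  denied  { execmem } for  pid=1235 comm="nrpe" scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:system_r:nrpe_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1409846400.200:458): arch=c000003e syscall=10 success=no exit=-13
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<src>\S+)"
                    r"\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")
# Permissions that weaken memory protections or policy enforcement: never load them unreviewed.
REVIEW_PERMS = {"execmem", "execheap", "execstack", "execmod", "mac_admin", "setenforce"}

def parse_denials(log_text: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denied permissions by (source type, target type, object class)."""
    rules: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # user:role:type:level -> keep only the type field
            key = (m["src"].split(":")[2], m["tgt"].split(":")[2], m["cls"])
            rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def to_te_rules(rules) -> List[Tuple[str, List[str]]]:
    """One allow rule per key, paired with the permissions in it that need human review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append((rule, sorted(perms & REVIEW_PERMS)))
    return out

def render_te(name: str, rules) -> str:
    """Type Enforcement source in the shape audit2allow -M emits; the local_ prefix is assumed."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes: Dict[str, Set[str]] = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module local_{name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + [rule for rule, _ in to_te_rules(rules)]
    return "\n".join(lines) + "\n"
```

Anything returned by to_te_rules with a non-empty review list should be inspected, and the denial possibly fixed by relabelling instead, before the generated module is loaded with semodule.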
selinux::filecontext and selinux::dircontext
Change SELinux file security context persistently using semanage.
To see all existing default contexts for file path patterns:
```shell
semanage fcontext -l
```
To see only the custom ones not included in the base policy, set manually or by this module:
```shell
semanage fcontext -l -C
```
Example to set a new recursive file context entry (for a directory), which will run the 'semanage' and 'restorecon' tools to apply the SELinux Type to the specified path both persistently and immediately:
```puppet
selinux::dircontext { '/data/www':
  seltype => 'httpd_sys_content_t',
}
```
To set the context for just a file, without recursing:
```puppet
selinux::filecontext { '/srv/foo.txt':
  seltype => 'public_content_t',
}
```
To copy the context from another file, set 'copy' to true and 'seltype' to the source file or directory:
```puppet
selinux::dircontext { '/export/home':
  seltype => '/home',
  copy    => true,
}
```
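The following added example (Python, not the module's own code) emulates the check a filecontext or dircontext definition has to make before running semanage: it parses constructed `semanage fcontext -l -C` output and compares the type registered for the exact pattern, so that an existing entry with a different seltype is detected (the 1.0.10 fix) and an entry for /etc/foo.conf.puppet does not satisfy a check for /etc/foo.conf (the 1.0.6 limitation). The path(/.*)? pattern form for directories is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `semanage fcontext -l -C` output (custom entries only).
SAMPLE_FCONTEXT_C = """\
SELinux fcontext                                   type               Context

/data/www(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0
/etc/foo.conf.puppet                               regular file       system_u:object_r:etc_t:s0
"""

def fcontext_pattern(path: str, recursive: bool) -> str:
    """Pattern registered with semanage: bare path for filecontext, path(/.*)? for dircontext (assumed)."""
    return path + "(/.*)?" if recursive else path

def parse_fcontext_list(output: str) -> Dict[str, Tuple[str, str]]:
    """Parse a semanage fcontext listing into {pattern: (file type, context)}; columns are 2+ spaces apart."""
    entries = {}
    for line in output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 3 and parts[0] != "SELinux fcontext":  # skip header and blank lines
            entries[parts[0]] = (parts[1], parts[2])
    return entries

def current_seltype(entries, path: str, recursive: bool) -> Optional[str]:
    """Exact-pattern lookup: a substring test would let /etc/foo.conf.puppet satisfy a check for /etc/foo.conf."""
    entry = entries.get(fcontext_pattern(path, recursive))
    return entry[1].split(":")[2] if entry else None  # user:role:type:level -> type

def needs_semanage(entries, path: str, seltype: str, recursive: bool) -> bool:
    """True when no entry exists or the registered type differs, so semanage fcontext must run."""
    return current_seltype(entries, path, recursive) != seltype
```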
selinux::portcontext
Change SELinux port security context persistently using semanage.
The proto must be tcp or udp. Example:
```puppet
selinux::portcontext { '12345':
  seltype => 'redis_port_t',
  proto   => 'tcp',
}
```
2024-07-04 - 1.0.10
- Fix changing seltype on existing filecontext (#11).
- Add force parameter to filecontext (#15, @jmurph-ws).
- Support ensure => 'absent' for portcontext (#17, @osgpcq).
2019-08-19 - 1.0.9
- Fix portcontext on RHEL7.7+ where semanage output changed.
2019-06-11 - 1.0.8
- Fix restorecond on RHEL7, following RHEL8 support.
2019-06-04 - 1.0.7
- Support RHEL8.
2017-08-03 - 1.0.6
- Require newer concat where file resource seems no longer included.
- Fix limitation when a path contains another (foo.conf, foo.conf.puppet).
- Work around missing file_contexts.local on RHEL 7.3.
- Add portcontext definition.
2016-11-10 - 1.0.5
- Support a single concat managed audit2allow SELinux module.
- Support setting seltype copying its value (#7, @yakatz).
2015-05-20 - 1.0.4
- Workaround in audit2allow package name/alias for Puppet 4 compatibility.
2015-03-06 - 1.0.3
- Support ensure => 'absent' for audit2allow.
2015-02-25 - 1.0.2
- Cosmetic fixes to make puppet-lint happy.
- Update README to make instructions shorter and clearer.
2014-09-22 - 1.0.1
- Fix audit2allow refresh by comparing .pp file and messages timestamps.
2014-09-09 - 1.0.0
- Make sure audit2allow exec is tried again if part of it fails.
- Work around audit2allow issue on RHEL7, the previous module needs to be unloaded.
2014-04-28 - 0.2.0
- Apply changes also in Permissive mode.
- Add filecontext definition (#2, @carlossg).
- Add support for RHEL 7 (policycoreutils-restorecond package split).
- Add support for RHEL 4.
- Remove libselinux-ruby package, all recent puppet rpms pull it in.
2014-01-16 - 0.1.3
- Set owner, group and mode for the local audit2allow files.
- Fix audit2allow directory ownership.
2013-05-24 - 0.1.2
- Add new dircontext definition, still a work in progress (Greg Anderson).
- Update README and use markdown.
- Change to 2-space indent.
- Remove the clean up of the very very old file names this module used to use.
- Remove automatic support for message files provided inside this module.
- Update tests.
2012-12-18 - 0.1.1
- Add policycoreutils-restorecond package for recent Fedora versions.
2012-09-19 - 0.1.0
- Clean up the module for its initial forge release.
Dependencies
- puppetlabs/concat (>= 2.0.0)
Copyright (C) 2012-2015 Matthias Saou Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.