Puppet Class: selinux

Defined in:
manifests/init.pp

Summary

Manage SELinux

Overview

This class manages the SELinux configuration file (/etc/selinux/config by default), switches the running system between enforcing and permissive with setenforce to match the requested mode, and can optionally install policycoreutils-python so that the semanage command is available.

Examples:

Declaring the class


include ::selinux

To allow SSH public-key login for an account whose home directory is outside the normal location, label its .ssh directory and authorized_keys file with the ssh_home_t type. The semanage command comes from policycoreutils-python, which this class installs when policytools is true:


# Add a persistent file-context rule. semanage fcontext takes a regular
# expression, so one rule covers the .ssh directory and everything under it.
semanage fcontext -a -t ssh_home_t '/var/lib/git/.ssh(/.*)?'
# Relabel what already exists on disk so it matches the new rule.
restorecon -Rv /var/lib/git/.ssh
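The class declaration and the file-context steps above can be combined into a single Puppet profile so the agent applies the labelling idempotently instead of relying on a one-off shell session. The following is an added example written for this page, not code from the selinux module or its documentation; the profile class name, the git service account and the /var/lib/git/.ssh path are assumptions.

```puppet
# Added example, not part of the selinux module. Assumes a 'git' service
# account whose home is /var/lib/git (hypothetical).
class profile::git_server_selinux {

  # Keep the host enforcing and pull in policycoreutils-python so semanage is
  # available to the exec resources below.
  class { '::selinux':
    mode        => 'enforcing',
    type        => 'targeted',
    policytools => true,
  }

  # Persistent file-context rule. semanage fcontext takes a regex, so one rule
  # covers the .ssh directory and everything under it. The unless clause greps
  # the literal pattern out of 'semanage fcontext -l' so the rule is only
  # added once.
  exec { 'git_ssh_home_fcontext':
    command => "semanage fcontext -a -t ssh_home_t '/var/lib/git/.ssh(/.*)?'",
    unless  => "semanage fcontext -l | grep -F '/var/lib/git/.ssh(/.*)?'",
    path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    require => Package['policycoreutils-python'],
  }

  # Relabel existing files to match the rule. refreshonly means restorecon
  # runs only when the rule is added or a managed file below is changed,
  # not on every agent run.
  exec { 'git_ssh_home_restorecon':
    command     => 'restorecon -Rv /var/lib/git/.ssh',
    path        => '/bin:/usr/bin:/sbin:/usr/sbin',
    refreshonly => true,
    subscribe   => Exec['git_ssh_home_fcontext'],
  }

  file { '/var/lib/git/.ssh':
    ensure => directory,
    owner  => 'git',
    group  => 'git',
    mode   => '0700',
    notify => Exec['git_ssh_home_restorecon'],
  }

  file { '/var/lib/git/.ssh/authorized_keys':
    ensure => file,
    owner  => 'git',
    group  => 'git',
    mode   => '0600',
    notify => Exec['git_ssh_home_restorecon'],
  }
}
```

With policytools set to true the selinux class declares Package['policycoreutils-python'], which the first exec requires; without it the semanage command would not be present on a minimal install and the exec would fail. The file resources notify the restorecon exec so that a key file Puppet later replaces is relabelled in the same run.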

Parameters:

  • mode (Pattern[/^(enforcing|permissive|disabled)$/]) (defaults to: 'enforcing')

    Operation mode of SELinux. Valid values are 'enforcing', 'permissive' and 'disabled'. Note that 'disabled' only takes full effect after a reboot; until then the class puts the running system into permissive mode (see the source below).

  • type (Pattern[/^(targeted|strict)$/]) (defaults to: 'targeted')

    The policy type in use. Valid values are 'targeted' and 'strict'.

  • setlocaldefs (Variant[Undef, Enum['0','1'], Integer[0,1]]) (defaults to: undef)

    String or Integer to pass to the SETLOCALDEFS option. Valid values are '0' and '1'. If left undef, the SETLOCALDEFS line is omitted from config_file.

  • config_file (Stdlib::Absolutepath) (defaults to: '/etc/selinux/config')

    The path of the SELinux configuration file to manage.

  • policytools (Boolean) (defaults to: false)

    If true, manage the policycoreutils-python package, which provides the semanage command. semanage is needed to change the SELinux policy persistently (for example, file-context rules) so that restorecon can then relabel files to the desired state. On RHEL/CentOS 8 and later the command ships in policycoreutils-python-utils instead; that package is not covered by this parameter.



# File 'manifests/init.pp', line 36

class selinux (
  # The alternation is grouped so that the anchors apply to every alternative;
  # /^enforcing|permissive|disabled$/ would accept e.g. 'enforcingx'.
  Pattern[/^(enforcing|permissive|disabled)$/] $mode         = 'enforcing',
  Pattern[/^(targeted|strict)$/]               $type         = 'targeted',
  Variant[Undef, Enum['0','1'], Integer[0,1]] $setlocaldefs = undef,
  Stdlib::Absolutepath                        $config_file  = '/etc/selinux/config',
  Boolean                                     $policytools  = false,
) {

  # SELinux lets you switch the running system between permissive and
  # enforcing, but disabling it completely requires a reboot. When the desired
  # mode is 'disabled' we set the running mode to permissive, which has a
  # similar effect (policy is only logged, not enforced) without forcing a
  # reboot; the config file written below makes 'disabled' take effect on the
  # next boot.
  if $mode == 'permissive' or $mode == 'disabled' {
    exec { 'set_permissive_mode':
      command => 'setenforce Permissive',
      unless  => 'getenforce | grep -ie permissive -e disabled',
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    }

    if $policytools == true {
      Package['policycoreutils-python'] {
        before +> Exec['set_permissive_mode'],
      }
    }
  }

  # setenforce only works when SELinux was enabled at boot. On a host booted
  # with SELinux disabled this exec fails on every run until the config file
  # written below has taken effect after a reboot.
  if $mode == 'enforcing' {
    exec { 'set_enforcing_mode':
      command => 'setenforce Enforcing',
      unless  => 'getenforce | grep -i enforcing',
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    }

    if $policytools == true {
      Package['policycoreutils-python'] {
        before +> Exec['set_enforcing_mode'],
      }
    }
  }

  file { 'selinux_config':
    ensure  => 'file',
    path    => $config_file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('selinux/config.erb'),
  }

  # Provide the semanage command to allow permanent configuration of the selinux
  # policy.  This allows the restorecon command to restore policy to a specified
  # default.
  if $policytools == true {
    package { 'policycoreutils-python':
      ensure => installed,
    }
  }
}