author | Jenkins <jenkins@review.openstack.org> | 2016-05-10 13:49:13 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-05-10 13:49:13 +0000 |
commit | 42865aed6f3375edbac31a52bb9e73cabfbb059a (patch) | |
tree | 25d64456c69a75437a18b547bb8c8cf602c6ae58 /manifests | |
parent | 01ffa0be0060dd10dcfe23121635708c2e697a89 (diff) | |
parent | 8e533aaf447022c62865130f2ffc88690f06aef1 (diff) |
Merge "Add tripleo::selinux"
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/selinux.pp | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/manifests/selinux.pp b/manifests/selinux.pp
new file mode 100644
index 0000000..c5d13e2
--- /dev/null
+++ b/manifests/selinux.pp
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::selinux
+#
+# Helper class to configure SELinux on nodes
+#
+# === Parameters:
+#
+# [*mode*]
+# (optional) SELinux mode the system should be in
+# Defaults to 'enforcing'
+# Possible values : disabled, permissive, enforcing
+#
+# [*directory*]
+# (optional) Path where to find the SELinux modules
+# Defaults to '/usr/share/selinux'
+#
+# [*booleans*]
+# (optional) Set of booleans to persistently enables
+# SELinux booleans are the one getsebool -a returns
+# Defaults []
+# Example: ['rsync_full_access', 'haproxy_connect_any']
+#
+# [*modules*]
+# (optional) Set of modules to load on the system
+# Defaults []
+# Example: ['module1', 'module2']
+# Note: Those module should be in the $directory path
+#
+class tripleo::selinux (
+ $mode = 'enforcing',
+ $directory = '/usr/share/selinux/',
+ $booleans = [],
+ $modules = [],
+) {
+
+ if $::osfamily != 'RedHat' {
+ fail("OS family unsuppored yet (${::osfamily}), SELinux support is only limited to RedHat family OS")
+ }
+
+ Selboolean {
+ persistent => true,
+ value => 'on',
+ }
+
+ Selmodule {
+ ensure => present,
+ selmoduledir => $directory,
+ }
+
+ file { '/etc/selinux/config':
+ ensure => present,
+ mode => '0444',
+ content => template('tripleo/selinux/sysconfig_selinux.erb')
+ }
+
+ $current_mode = $::selinux? {
+ false => 'disabled',
+ default => $::selinux_current_mode,
+ }
+
+ if $current_mode != $mode {
+ case $mode {
+ /^(disabled|permissive)$/: {
+ if $current_mode == 'enforcing' {
+ exec { '/sbin/setenforce 0': }
+ }
+ }
+ 'enforcing': {
+ exec { '/sbin/setenforce 1': }
+ }
+ default: {
+ fail('You must specify a mode (enforcing, permissive, or disabled)')
+ }
+ }
+ }
+
+ selboolean { $booleans :
+ persistent => true,
+ }
+ selmodule { $modules: }
+
+} |
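Review bot: `exec { '/sbin/setenforce 1': }` in the `'enforcing'` branch will fail on every agent run on a node booted with SELinux disabled, because the selector above maps `$::selinux == false` to `'disabled'`, which differs from `$mode` and so reaches the exec, yet setenforce cannot move a disabled kernel into enforcing mode — only the rewritten /etc/selinux/config plus a reboot can. Gating the exec on the running state avoids the repeated failure: `'enforcing': { if $current_mode != 'disabled' { exec { '/sbin/setenforce 1': } } }` (an equivalent `onlyif` on the exec would also do). Two smaller items in the same hunk: the `fail` message misspells "unsupported" as `unsuppored`, and the parameter documentation gives the `directory` default as `/usr/share/selinux` while the class signature uses `/usr/share/selinux/`.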