Skip to content

simp/pupmod-voxpupuli-selinux

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

467 Commits
data
data
 
 
examples
examples
 
 
files
files
 
 
lib
lib
 
 
manifests
manifests
 
 
spec
spec
 
 
.editorconfig
.editorconfig
 
 
.fixtures.yml
.fixtures.yml
 
 
.gitignore
.gitignore
 
 
.msync.yml
.msync.yml
 
 
.overcommit.yml
.overcommit.yml
 
 
.pmtignore
.pmtignore
 
 
.project
.project
 
 
.puppet-lint.rc
.puppet-lint.rc
 
 
.rspec
.rspec
 
 
.rspec_parallel
.rspec_parallel
 
 
.rubocop.yml
.rubocop.yml
 
 
.sync.yml
.sync.yml
 
 
.yardopts
.yardopts
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
Gemfile
Gemfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
REFERENCE.md
REFERENCE.md
 
 
Rakefile
Rakefile
 
 
hiera.yaml
hiera.yaml
 
 
metadata.json
metadata.json
 
 
simp_vox_migration.sh
simp_vox_migration.sh
 
 
test-acceptance-with-vagrant
test-acceptance-with-vagrant
 
 

Repository files navigation

SELinux module for Puppet

Build Status Code Coverage Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Defined Types
  6. Development - Guide for contributing to the module
  7. Authors

Overview

This class manages SELinux.

This module has been forked from (voxpupuli/selinux)[https://github.com/voxpupuli/puppet-selinux] so that it could be re-namespaced as vox_selinux for the (SIMP)[https://simp-project.com] framework.

Migration to the upstream module will happen in the future after sufficient time has been provided for users to migrate away from the legacy SIMP provided module.

Any changes made here should be sent in as PRs to the upstream module and this should not deviate from the upstream release outside of the namespace if at all possible.

Per the Apache 2.0 license requirements, the following changes have been made:

  • Renamed the module from puppet/selinux to simp/vox_selinux
  • Changed the namespace for all components to vox_selinux
  • Updated the tests to reflect the changes
  • Disabled reporting to the voxpupuli channels on test failures
  • Updated .travis.yml for deployment and SIMP-style testing stages
  • Updated the README.md to note the changes

You can see specifically how things were updated by reading the simp_vox_migration.sh script.

Requirements

  • Puppet 5 or later

Module Description

This module will configure SELinux and/or deploy SELinux based modules to running system.

Get in touch

Upgrading from puppet-selinux 0.8.x

  • Previously, module building always used the refpolicy framework. The default module builder is now 'simple', which uses only checkmodule. Not all features are supported with this builder.

    To build modules using the refpolicy framework like previous versions did, specify the 'refpolicy' builder either explicitly per module or globally via the main class

  • The interfaces to the various helper manifests has been changed to be more in line with Puppet file resource naming conventions.

    You will need to update your manifests to use the new parameter names.

  • The selinux::restorecond manifest to manage the restorecond service no longer exists

Known problems / limitations

  • The selinux_python_command fact is now deprecated and will be removed in version 4 of the module.
  • If SELinux is disabled and you want to switch to permissive or enforcing you are required to reboot the system (limitation of SELinux). The module won't do this for you.
  • If SELinux is disabled and the user wants enforcing mode, the module will downgrade to permissive mode instead to avoid transitioning directly from disabled to enforcing state after a reboot and potentially breaking the system. The user will receive a warning when this happens,
  • If you add filecontexts with semanage fcontext (what selinux::fcontext does) the order is important. If you add /my/folder before /my/folder/subfolder only /my/folder will match (limitation of SELinux). There is no such limitation to file-contexts defined in SELinux modules. (GH-121)
  • If you try to remove a built-in permissive type, the operation will appear to succeed but will actually have no effect, making your puppet runs non-idempotent.
  • The selinux_port provider may misbehave if the title does not correspond to the format it expects. Users should use the selinux::port define instead except when purging resources
  • Defining port ranges that overlap with existing ranges is currently not detected, and will cause semanage to error when the resource is applied.
  • On Debian systems, the defined types fcontext, permissive, and port do not work because of PA-2985.

Usage

Generated puppet strings documentation with examples is available in the REFERENCE.md

It's also included in the docs/ folder as simple html pages.

Reference

Basic usage

include selinux

This will include the module and allow you to use the provided defined types, but will not modify existing SELinux settings on the system.

More advanced usage

class { selinux:
  mode => 'enforcing',
  type => 'targeted',
}

This will include the module and manage the SELinux mode (possible values are enforcing, permissive, and disabled) and enforcement type (possible values are targeted, minimum, and mls). Note that disabling SELinux requires a reboot to fully take effect. It will run in permissive mode until then.

Deploy a custom module using the refpolicy framework

selinux::module { 'resnet-puppet':
  ensure    => 'present',
  source_te => 'puppet:///modules/site_puppet/site-puppet.te',
  source_fc => 'puppet:///modules/site_puppet/site-puppet.fc',
  source_if => 'puppet:///modules/site_puppet/site-puppet.if',
  builder   => 'refpolicy'
}

Using pre-compiled policy packages

selinux::module { 'resnet-puppet':
  ensure    => 'present',
  source_pp => 'puppet:///modules/site_puppet/site-puppet.pp',
}

Note that pre-compiled policy packages may not work reliably across all RHEL / CentOS releases. It's up to you as the user to test that your packages load properly.

Set a boolean value

selinux::boolean { 'puppetagent_manage_all_files': }

Defined Types

  • boolean - Set seboolean values
  • fcontext - Define fcontext types and equals values
  • module - Manage an SELinux module
  • permissive - Set a context to permissive.
  • port - Set selinux port context policies

Development

Things to remember

  • The SELinux tools behave odd when SELinux is disabled
    • semanage requires --noreload while in disabled mode when adding or changing something
    • Only few --list operations work
  • run acceptance tests: ./test-acceptance-with-vagrant

Facter facts

The fact values might be unexpected while in disabled mode. One could expect the config_mode to be set, but only the boolean enabled is set.

The most important facts:

Fact Fact (old) Mode: disabled Mode: permissive Mode: enforcing
$facts['os']['selinux']['enabled'] $::selinux false true true
$facts['os']['selinux']['config_mode'] $::selinux_config_mode undef Value of SELINUX in /etc/selinux/config Value of SELINUX in /etc/selinux/config
$facts['os']['selinux']['current_mode'] $::selinux_current_mode undef Value of getenforce downcased Value of getenforce downcased

Authors

About

Puppet Module to manage SELinux on RHEL machines

forge.puppet.com/puppet/selinux

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

14 watching

Forks

3 forks
Report repository

Releases 3

simp-3.4.0: Release of 3.4.0 Latest
Jul 21, 2021
+ 2 releases

Packages

No packages published

Languages

  • Ruby 75.5%
  • Puppet 19.9%
  • Shell 3.1%
  • Python 1.1%
  • Dockerfile 0.4%