Pivot to internal types

.travis.yml

@@ -7,24 +7,6 @@ sudo: false
 matrix:
   fast_finish: true
   include:
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 2.7.0"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.1.0"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.2.0"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.3.0"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.4.0"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.5.0" STRICT_VARIABLES="yes"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.6.0" STRICT_VARIABLES="yes"
-  - rvm: 1.8.7
-    env: PUPPET_GEM_VERSION="~> 3.7.0" STRICT_VARIABLES="yes"
-  - rvm: 1.9.3
-    env: PUPPET_GEM_VERSION="~> 3.1.0"
   - rvm: 1.9.3
     env: PUPPET_GEM_VERSION="~> 3.2.0"
   - rvm: 1.9.3

Gemfile

@@ -3,7 +3,6 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org"
 group :unit_tests do
   gem 'rake',                    :require => false
   # https://github.com/rspec/rspec-core/issues/1864
-  gem 'rspec', '< 3.2.0', {"platforms"=>["ruby_18"]}
   gem 'rspec-puppet', '~> 2.1',  :require => false
   gem 'puppetlabs_spec_helper',  :require => false
   gem 'puppet-lint', '~> 1.0',    :require => false

Rakefile

@@ -1,4 +1,3 @@
-require 'rubygems' if RUBY_VERSION < '1.9.0'
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-lint/tasks/puppet-lint'
 require 'puppet-syntax/tasks/puppet-syntax'
@@ -20,8 +19,6 @@ PuppetLint.configuration.send('disable_80chars')
 PuppetLint.configuration.send('disable_class_inherits_from_params_class')
 PuppetLint.configuration.send('disable_documentation')
 PuppetLint.configuration.ignore_paths = exclude_paths
-#PuppetLint.configuration.send('disable_class_parameter_defaults')
-#PuppetLint.configuration.send('disable_single_quote_string_with_variables')
 PuppetSyntax.exclude_paths = exclude_paths
 
 task :default => [:test, :spec]

lib/facter/selinux_custom_policy.rb

@@ -5,7 +5,7 @@
 require 'facter'
 
 Facter.add(:selinux_custom_policy) do
-  confine :kernel => 'Linux', :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux => ['true', true]
+  confine kernel: 'Linux', osfamily: 'RedHat', operatingsystemmajrelease: '7', selinux: ['true', true]
   setcode do
     Facter::Util::Resolution.exec("sestatus | grep 'Loaded policy name' | awk '{ print \$4 }'")
   end

manifests/boolean.pp

@@ -11,41 +11,45 @@
 #
 # Parameters:
 #   - $ensure: (on|off) - Sets the current state of a particular SELinux boolean
+#   - $persistent: (true|false) - Should a particular SELinux boolean persist across reboots
 #
 # Actions:
-#  Runs "setsebool" to set boolean state
+#  Wraps selboolean to set states
 #
 # Requires:
 #  - SELinux
 #
 # Sample Usage:
 #
 #  selinux::boolean{ 'named_write_master_zones':
-#     ensure => "on",
+#     ensure     => "on",
+#     persistent => true,
 #  }
 #
-
 define selinux::boolean (
-  $ensure = true
+  $ensure     = 'on',
+  $persistent = true,
 ) {
 
   include selinux
 
-  Exec {
-    path => '/bin:/sbin:/usr/bin:/usr/sbin',
+  $ensure_real = $ensure ? {
+    true    => 'true', # lint:ignore:quoted_booleans
+    false   => 'false', # lint:ignore:quoted_booleans
+    default => $ensure,
+  }
+
+  validate_re($ensure_real, ['^on$', '^true$', '^present$', '^off$', '^false$', '^absent$'], 'Valid ensures must be one of on, true, present, off, false, or absent')
+  validate_bool($persistent)
+
+  $value = $ensure_real ? {
+    /(?i-mx:on|true|present)/  => 'on',
+    /(?i-mx:off|false|absent)/ => 'off',
+    default                    => undef,
   }
 
-  case $ensure {
-    on, true: {
-      exec { "setsebool -P '${name}' true":
-        unless => "getsebool '${name}' | awk '{ print \$3 }' | grep on",
-      }
-    }
-    off, false: {
-      exec { "setsebool -P '${name}' false":
-        unless => "getsebool '${name}' | awk '{ print \$3 }' | grep off",
-      }
-    }
-    default: { err ( "Unknown or undefined boolean state ${ensure}" ) }
+  selboolean { $name:
+    value      => $value,
+    persistent => $persistent,
   }
 }

manifests/config.pp

@@ -8,6 +8,7 @@
 #  - $type (targeted|minimum|mls) - sets the operating type for SELinux.
 #  - $manage_package (boolean) - Whether or not to manage the SELinux management package.
 #  - $package_name (string) - sets the name of the selinux management package.
+#  - $sx_mod_dir (directory) - sets the operating sx_mod_dir for SELinux.
 #
 # Actions:
 #  Configures SELinux to a specific state (enforced|permissive|disabled and targeted|minimum|mls)
@@ -21,6 +22,7 @@
 class selinux::config (
   $mode           = $::selinux::mode,
   $type           = $::selinux::type,
+  $sx_mod_dir     = $::selinux::sx_mod_dir,
   $manage_package = $::selinux::manage_package,
   $package_name   = $::selinux::package_name,
 ) {
@@ -29,13 +31,13 @@
     fail("Use of private class ${name} by ${caller_module_name}")
   }
 
-  file { $selinux::params::sx_mod_dir:
+  file { $sx_mod_dir:
     ensure => directory,
+    owner  => 'root',
+    group  => 'root',
   }
 
   if $mode {
-    validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
-
     file_line { "set-selinux-config-to-${mode}":
       path  => '/etc/selinux/config',
       line  => "SELINUX=${mode}",
@@ -65,15 +67,10 @@
   }
 
   if $type {
-    validate_re($type, ['^targeted$', '^minimum$', '^mls$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
-
     file_line { "set-selinux-config-type-to-${type}":
       path  => '/etc/selinux/config',
       line  => "SELINUXTYPE=${type}",
       match => '^SELINUXTYPE=\w+',
     }
   }
-
-  validate_bool($manage_package)
-  validate_string($package_name)
 }

manifests/init.pp

@@ -5,6 +5,12 @@
 #
 # Parameters:
 #  - $mode (enforcing|permissive|disabled) - sets the operating state for SELinux.
+#  - $type (enforcing|permissive|disabled) - sets the operating state for SELinux.
+#  - $sx_mod_dir (absolute_path) - sets the operating state for SELinux.
+#  - $makefile (string) - the default makefile to use for module compilation
+#  - $module_prefix (string) - sets the prefix for any installed modules
+#  - $manage_package (boolean) - manage the package for selinux tools
+#  - $package_name (string) - sets the name for the selinux tools package
 #
 # Actions:
 #  This module will configure SELinux and/or deploy SELinux based modules to running
@@ -19,10 +25,31 @@
 class selinux (
   $mode           = $::selinux::params::mode,
   $type           = $::selinux::params::type,
+  $sx_mod_dir     = $::selinux::params::sx_mod_dir,
+  $makefile       = $::selinux::params::makefile,
+  $module_prefix  = $::selinux::params::module_prefix,
   $manage_package = $::selinux::params::manage_package,
   $package_name   = $::selinux::params::package_name,
 ) inherits selinux::params {
 
+  $mode_real = $mode ? {
+    /\w+/   => $mode,
+    default => 'undef',
+  }
+
+  $type_real = $type ? {
+    /\w+/   => $type,
+    default => 'undef',
+  }
+
+  validate_absolute_path($sx_mod_dir)
+  validate_re($mode_real, ['^enforcing$', '^permissive$', '^disabled$', '^undef$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
+  validate_re($type_real, ['^targeted$', '^minimum$', '^mls$', '^undef$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
+  validate_string($module_prefix)
+  validate_string($makefile)
+  validate_bool($manage_package)
+  validate_string($package_name)
+
   class { 'selinux::package':
     manage_package => $manage_package,
     package_name   => $package_name,

manifests/module.pp

@@ -10,12 +10,13 @@
 #
 # Parameters:
 #   - $ensure: (present|absent) - sets the state for a module
-#   - $selinux::params::sx_mod_dir: The directory compiled modules will live on a system (default: /usr/share/selinux)
-#   - $mode: Allows an admin to set the SELinux status. (default: enforcing)
+#   - $sx_mod_dir (absolute_path) - sets the operating state for SELinux.
 #   - $source: the source file (either a puppet URI or local file) of the SELinux .te module
+#   - $makefile: the makefile file path
+#   - $prefix: the prefix to add to the loaded module. Defaults to 'local_'.
 #
 # Actions:
-#  Compiles a module using 'checkmodule' and 'semodule_package'.
+#  Compiles a module using make and installs it
 #
 # Requires:
 #  - SELinux
@@ -28,108 +29,47 @@
 #
 define selinux::module(
   $source,
-  $ensure         = 'present',
-  $use_makefile   = false,
-  $makefile       = '/usr/share/selinux/devel/Makefile',
+  $ensure       = 'present',
+  $makefile     = '/usr/share/selinux/devel/Makefile',
+  $prefix       = 'local_',
+  $sx_mod_dir   = '/usr/share/selinux',
 ) {
 
-  include selinux
+  require selinux
+
+  validate_re($ensure, [ '^present$', '^absent$' ], '$ensure must be "present" or "absent"')
+  validate_string($source)
+  validate_string($prefix)
+  validate_absolute_path($sx_mod_dir)
+  validate_absolute_path($makefile)
 
-  if $::selinux_config_policy in ['targeted','strict']
-  {
-    $selinux_policy = $::selinux_config_policy
-  }
-  elsif $::selinux_custom_policy
-  {
-    $selinux_policy = $::selinux_custom_policy
-  }
-
-  # Set Resource Defaults
-  File {
-    owner => 'root',
-    group => 'root',
-    mode  => '0644',
-  }
-
-  # Only allow refresh in the event that the initial .te file is updated.
-  Exec {
-    path         => '/sbin:/usr/sbin:/bin:/usr/bin',
-    refreshonly  => true,
-    cwd          => $selinux::params::sx_mod_dir,
-  }
-
-  case $ensure { # lint:ignore:case_without_default
-    present: {
-      $_checkloaded_notify = [Exec["${name}-buildmod"]]
-    }
-    absent: {
-      # buildmod doesn't exist in the absent case
-      $_checkloaded_notify = []
-    }
-  }
-  exec { "${name}-checkloaded":
-    refreshonly => false,
-    creates     => "/etc/selinux/${selinux_policy}/modules/active/modules/${name}.pp",
-
-    command     => 'true', # lint:ignore:quoted_booleans
-    notify      => $_checkloaded_notify,
+  $selinux_policy = $::selinux_config_policy ? {
+    /targeted|strict/ => $::selinux_config_policy,
+    default           => $::selinux_custom_policy,
   }
 
   ## Begin Configuration
-  file { "${::selinux::params::sx_mod_dir}/${name}.te":
+  file { "${sx_mod_dir}/${prefix}${name}.te":
     ensure => $ensure,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
     source => $source,
-    tag    => "selinux-module-${name}",
   }
-  if !$use_makefile {
-    file { "${::selinux::params::sx_mod_dir}/${name}.mod":
-      tag   => ["selinux-module-build-${name}", "selinux-module-${name}"],
-    }
-  }
-  file { "${::selinux::params::sx_mod_dir}/${name}.pp":
-    tag   => ["selinux-module-build-${name}", "selinux-module-${name}"],
+  ~>
+  exec { "${sx_mod_dir}/${prefix}${name}.pp":
+  # Only allow refresh in the event that the initial .te file is updated.
+    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
+    refreshonly => true,
+    cwd         => $sx_mod_dir,
+    command     => "make -f ${makefile} ${prefix}${name}.pp",
   }
-
-  # Specific executables based on present or absent.
-  case $ensure {
-    present: {
-      if $use_makefile {
-        exec { "${name}-buildmod":
-          command => 'true', # lint:ignore:quoted_booleans
-        }
-        exec { "${name}-buildpp":
-          command => "make -f ${makefile} ${name}.pp",
-        }
-      } else {
-        exec { "${name}-buildmod":
-          command => "checkmodule -M -m -o ${name}.mod ${name}.te",
-        }
-        exec { "${name}-buildpp":
-          command => "semodule_package -m ${name}.mod -o ${name}.pp",
-        }
-      }
-      exec { "${name}-install":
-        command => "semodule -i ${name}.pp",
-      }
-
-      # Set dependency ordering
-      File["${::selinux::params::sx_mod_dir}/${name}.te"]
-      ~> Exec["${name}-buildmod"]
-      ~> Exec["${name}-buildpp"]
-      ~> Exec["${name}-install"]
-      -> File<| tag == "selinux-module-build-${name}" |>
-    }
-    absent: {
-      exec { "${name}-remove":
-        command => "semodule -r ${name}.pp > /dev/null 2>&1",
-      }
-
-      # Set dependency ordering
-      Exec["${name}-remove"]
-      -> File<| tag == "selinux-module-${name}" |>
-    }
-    default: {
-      fail("Invalid status for SELinux Module: ${ensure}")
-    }
+  ->
+  selmodule { "${prefix}${name}":
+    # Load the module if it has changed or was not loaded
+    # Warning: change the .te version!
+    ensure       => $ensure,
+    selmoduledir => $sx_mod_dir,
+    syncversion  => true,
   }
 }

manifests/package.pp

@@ -14,14 +14,12 @@
 #
 # This class file is not called directly
 class selinux::package (
-  $manage_package = $::selinux::params::manage_package,
-  $package_name   = $::selinux::params::package_name,
+  $manage_package = $::selinux::manage_package,
+  $package_name   = $::selinux::package_name,
 ){
-
   if $caller_module_name != $module_name {
     fail("Use of private class ${name} by ${caller_module_name}")
   }
-
   if $manage_package {
     package { $package_name:
       ensure => installed,