Created
August 17, 2011 17:01
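## Concepts incorporated from:
## http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/
#
# selinux::module - build one SELinux policy module from a .te source and
# load it with semodule, or unload it and clean up its files.
#
# Parameters:
#   $ensure  - 'present' (default): compile ${name}.te -> ${name}.mod ->
#              ${name}.pp and run 'semodule -i'. 'absent': remove the three
#              files and run 'semodule -r'. Anything else fails the catalog.
#   $mod_dir - directory holding the module's .te/.mod/.pp files.
#   $source  - source of the ${name}.te file (passed straight to File[source]).
#
# The module name handed to 'semodule -r' is $name, so the 'module' line in
# the .te file is expected to declare the same name — TODO confirm per module.
define selinux::module(
  $ensure  = 'present',
  $mod_dir = '/usr/share/selinux',
  $source
) {
  # Set Resource Defaults (applied to the File/Exec resources declared in
  # this define).
  File {
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }
  # Only allow refresh in the event that the initial .te file is updated.
  # NOTE: the attribute was misspelled 'resfreshonly' in the original, so
  # this default was not being applied as intended.
  Exec {
    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
    refreshonly => true,
    cwd         => $mod_dir,
  }

  ## Begin Configuration
  file { $mod_dir:
    ensure => directory,
  }
  file { "${mod_dir}/${name}.te":
    ensure => $ensure,
    source => $source,
    tag    => 'selinux-module',
  }

  # Specific executables based on present or absent.
  case $ensure {
    'present': {
      # Build products are created by the execs below; with no 'ensure'
      # Puppet only manages their owner/group/mode once they exist.
      file { "${mod_dir}/${name}.mod":
        tag => ['selinux-module-build', 'selinux-module'],
      }
      file { "${mod_dir}/${name}.pp":
        tag => ['selinux-module-build', 'selinux-module'],
      }
      exec { "${name}-buildmod":
        command => "checkmodule -M -m -o ${name}.mod ${name}.te",
        notify  => Exec["${name}-buildpp"],
      }
      exec { "${name}-buildpp":
        command => "semodule_package -m ${name}.mod -o ${name}.pp",
        notify  => Exec["${name}-install"],
      }
      # Double-quoted so ${name} is interpolated; the single-quoted original
      # passed the literal text '${name}.pp' to semodule, so the policy was
      # never loaded.
      exec { "${name}-install":
        command => "semodule -i ${name}.pp",
      }
      # Set dependency ordering: a changed .te refreshes the build chain, and
      # the build products are only managed after the install has run.
      File["${mod_dir}/${name}.te"]
        ~> Exec["${name}-buildmod"]
        ~> Exec["${name}-buildpp"]
        ~> Exec["${name}-install"]
        -> File<| tag == 'selinux-module-build' |>
    }
    'absent': {
      # Remove the build products as well; the original left them behind.
      file { "${mod_dir}/${name}.mod":
        ensure => absent,
        tag    => ['selinux-module-build', 'selinux-module'],
      }
      file { "${mod_dir}/${name}.pp":
        ensure => absent,
        tag    => ['selinux-module-build', 'selinux-module'],
      }
      # semodule -r takes the module name, not the .pp filename. The
      # '> /dev/null 2>&1' redirection is dropped: Puppet already reports
      # exec output only on failure, and the redirection hid why an unload
      # failed.
      exec { "${name}-remove":
        command => "semodule -r ${name}",
      }
      # Set dependency ordering. The exec keeps the refreshonly default, so it
      # needs a trigger: Puppet removing the .te file emits an event that
      # refreshes it exactly once. (The original ordered the exec before the
      # file removals but nothing ever notified it, so the module stayed
      # loaded after ensure => absent.) If the .te file was already removed
      # out of band this will not fire and the module must be unloaded by hand.
      File["${mod_dir}/${name}.te"]
        ~> Exec["${name}-remove"]
    }
    default: {
      fail("Invalid status for SELinux Module: ${ensure}")
    }
  }
}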
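## Concepts incorporated from:
## http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/
#
# selinux::module - build one SELinux policy module from a .te source and
# load it with semodule, or unload it and clean up its files.
#
# Parameters:
#   $ensure  - 'present' (default): compile ${name}.te -> ${name}.mod ->
#              ${name}.pp and run 'semodule -i'. 'absent': remove the three
#              files and run 'semodule -r'. Anything else fails the catalog.
#   $mod_dir - directory holding the module's .te/.mod/.pp files.
#   $source  - source of the ${name}.te file (passed straight to File[source]).
#
# The module name handed to 'semodule -r' is $name, so the 'module' line in
# the .te file is expected to declare the same name — TODO confirm per module.
define selinux::module(
  $ensure  = 'present',
  $mod_dir = '/usr/share/selinux',
  $source
) {
  # Set Resource Defaults (applied to the File/Exec resources declared in
  # this define).
  File {
    owner => 'root',
    group => 'root',
    mode  => '0644',
  }
  # Only allow refresh in the event that the initial .te file is updated.
  # NOTE: the attribute was misspelled 'resfreshonly' in the original, so
  # this default was not being applied as intended.
  Exec {
    path        => '/sbin:/usr/sbin:/bin:/usr/bin',
    refreshonly => true,
    cwd         => $mod_dir,
  }

  ## Begin Configuration
  file { $mod_dir:
    ensure => directory,
  }
  file { "${mod_dir}/${name}.te":
    ensure => $ensure,
    source => $source,
    tag    => 'selinux-module',
  }

  # Specific executables based on present or absent.
  case $ensure {
    'present': {
      # Build products are created by the execs below; with no 'ensure'
      # Puppet only manages their owner/group/mode once they exist.
      file { "${mod_dir}/${name}.mod":
        tag => ['selinux-module-build', 'selinux-module'],
      }
      file { "${mod_dir}/${name}.pp":
        tag => ['selinux-module-build', 'selinux-module'],
      }
      exec { "${name}-buildmod":
        command => "checkmodule -M -m -o ${name}.mod ${name}.te",
        notify  => Exec["${name}-buildpp"],
      }
      exec { "${name}-buildpp":
        command => "semodule_package -m ${name}.mod -o ${name}.pp",
        notify  => Exec["${name}-install"],
      }
      # Double-quoted so ${name} is interpolated; the single-quoted original
      # passed the literal text '${name}.pp' to semodule, so the policy was
      # never loaded.
      exec { "${name}-install":
        command => "semodule -i ${name}.pp",
      }
      # Set dependency ordering: a changed .te refreshes the build chain, and
      # the build products are only managed after the install has run.
      File["${mod_dir}/${name}.te"]
        ~> Exec["${name}-buildmod"]
        ~> Exec["${name}-buildpp"]
        ~> Exec["${name}-install"]
        -> File<| tag == 'selinux-module-build' |>
    }
    'absent': {
      # Remove the build products as well; the original left them behind.
      file { "${mod_dir}/${name}.mod":
        ensure => absent,
        tag    => ['selinux-module-build', 'selinux-module'],
      }
      file { "${mod_dir}/${name}.pp":
        ensure => absent,
        tag    => ['selinux-module-build', 'selinux-module'],
      }
      # semodule -r takes the module name, not the .pp filename. The
      # '> /dev/null 2>&1' redirection is dropped: Puppet already reports
      # exec output only on failure, and the redirection hid why an unload
      # failed.
      exec { "${name}-remove":
        command => "semodule -r ${name}",
      }
      # Set dependency ordering. The exec keeps the refreshonly default, so it
      # needs a trigger: Puppet removing the .te file emits an event that
      # refreshes it exactly once. (The original ordered the exec before the
      # file removals but nothing ever notified it, so the module stayed
      # loaded after ensure => absent.) If the .te file was already removed
      # out of band this will not fire and the module must be unloaded by hand.
      File["${mod_dir}/${name}.te"]
        ~> Exec["${name}-remove"]
    }
    default: {
      fail("Invalid status for SELinux Module: ${ensure}")
    }
  }
}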
djjudas21
commented
Jan 5, 2012
via email
Aha, viewing the full module suddenly it looks much more like the puppet
modules I've seen before.
Thanks!
Jonathan
…On 05/01/12 14:49, James Fryman wrote:
Hi Jonathan,
This is only a snippet of the code that is needed. I would recommend that you take a look at this module for usage.
https://github.com/jfryman/puppet-selinux
Good luck, and please let me know if you have any questions.
-James