Created
August 17, 2011 17:01
-
-
Save jfryman/1152021 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Concepts incorporated from: | |
| ## http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/ | |
| define selinux::module( | |
| $ensure = 'present', | |
| $mod_dir = '/usr/share/selinux', | |
| $source | |
| ) { | |
| # Set Resource Defaults | |
| File { | |
| owner => 'root', | |
| group => 'root', | |
| mode => '0644', | |
| } | |
| # Only allow refresh in the event that the initial .te file is updated. | |
| Exec { | |
| path => '/sbin:/usr/sbin:/bin:/usr/bin', | |
| resfreshonly => 'true', | |
| cwd => "${mod_dir}", | |
| } | |
| ## Begin Configuration | |
| file { $mod_dir: | |
| ensure => directory, | |
| } | |
| file { "${mod_dir}/${name}.te": | |
| ensure => $ensure, | |
| source => $source, | |
| tag => 'selinux-module', | |
| } | |
| file { "${mod_dir}/${name}.mod": | |
| tag => ['selinux-module-build', 'selinux-module'], | |
| } | |
| file { "${mod_dir}/${name}.pp": | |
| tag => ['selinux-module-build', 'selinux-module'], | |
| } | |
| # Specific executables based on present or absent. | |
| case $ensure { | |
| present: { | |
| exec { "${name}-buildmod": | |
| command => "checkmodule -M -m -o ${name}.mod ${name}.te", | |
| notify => Exec["${name}-buildpp"], | |
| } | |
| exec { "${name}-buildpp": | |
| command => "semodule_package -m ${name}.mod -o ${name}.pp", | |
| notify => Exec["${name}-install"], | |
| } | |
| exec { "${name}-install": | |
| command => 'semodule -i ${name}.pp', | |
| } | |
| # Set dependency ordering | |
| File["${mod_dir}/${name}.te"] | |
| ~> Exec["${name}-buildmod"] | |
| ~> Exec["${name}-buildpp"] | |
| ~> Exec["${name}-install"] | |
| -> File<| tag == 'selinux-module-build' |> | |
| } | |
| absent: { | |
| exec { "${name}-remove": | |
| command => "semodule -r ${name}.pp > /dev/null 2>&1", | |
| } | |
| # Set dependency ordering | |
| Exec["${name}-remove"] | |
| -> File<| tag == 'selinux-module' |> | |
| } | |
| default: { | |
| fail("Invalid status for SELinux Module: ${ensure}") | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Concepts incorporated from: | |
| ## http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/ | |
| define selinux::module( | |
| $ensure = 'present', | |
| $mod_dir = '/usr/share/selinux', | |
| $source | |
| ) { | |
| # Set Resource Defaults | |
| File { | |
| owner => 'root', | |
| group => 'root', | |
| mode => '0644', | |
| } | |
| # Only allow refresh in the event that the initial .te file is updated. | |
| Exec { | |
| path => '/sbin:/usr/sbin:/bin:/usr/bin', | |
| resfreshonly => 'true', | |
| cwd => "${mod_dir}", | |
| } | |
| ## Begin Configuration | |
| file { $mod_dir: | |
| ensure => directory, | |
| } | |
| file { "${mod_dir}/${name}.te": | |
| ensure => $ensure, | |
| source => $source, | |
| tag => 'selinux-module', | |
| } | |
| file { "${mod_dir}/${name}.mod": | |
| tag => ['selinux-module-build', 'selinux-module'], | |
| } | |
| file { "${mod_dir}/${name}.pp": | |
| tag => ['selinux-module-build', 'selinux-module'], | |
| } | |
| # Specific executables based on present or absent. | |
| case $ensure { | |
| present: { | |
| exec { "${name}-buildmod": | |
| command => "checkmodule -M -m -o ${name}.mod ${name}.te", | |
| notify => Exec["${name}-buildpp"], | |
| } | |
| exec { "${name}-buildpp": | |
| command => "semodule_package -m ${name}.mod -o ${name}.pp", | |
| notify => Exec["${name}-install"], | |
| } | |
| exec { "${name}-install": | |
| command => 'semodule -i ${name}.pp', | |
| } | |
| # Set dependency ordering | |
| File["${mod_dir}/${name}.te"] | |
| ~> Exec["${name}-buildmod"] | |
| ~> Exec["${name}-buildpp"] | |
| ~> Exec["${name}-install"] | |
| -> File<| tag == 'selinux-module-build' |> | |
| } | |
| absent: { | |
| exec { "${name}-remove": | |
| command => "semodule -r ${name}.pp > /dev/null 2>&1", | |
| } | |
| # Set dependency ordering | |
| Exec["${name}-remove"] | |
| -> File<| tag == 'selinux-module' |> | |
| } | |
| default: { | |
| fail("Invalid status for SELinux Module: ${ensure}") | |
| } | |
| } | |
| } |
Hi Jonathan,
This is only a snippet of code that is needed. I would recommend that you take a look at this module for usage.
https://github.com/jfryman/puppet-selinux
Good luck, and please let me know if you have any questions.
…-James
##
James Fryman
ph +1.615.669.2048 | twitter jfryman | gtalk: james@frymanet.com
On Jan 5, 2012, at 4:40 AM, Jonathan wrote:
At the risk of sounding stupid, how do I actually use this code? I've placed both of these files in /etc/puppet/modules/selinux/lib/ and they get synced to clients, but puppet throws a vast number of errors on each run.
---
Reply to this email directly or view it on GitHub:
https://gist.github.com/1152021
Aha, viewing the full module suddenly it looks much more like the puppet
modules I've seen before.
Thanks!
Jonathan
…On 05/01/12 14:49, James Fryman wrote:
Hi Jonathan,
This is only a snippet of code that is needed. I would recommend that you take a look at this module for usage.
https://github.com/jfryman/puppet-selinux
Good luck, and please let me know if you have any questions.
-James
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
At the risk of sounding stupid, how do I actually use this code? I've placed both of these files in /etc/puppet/modules/selinux/lib/ and they get synced to clients, but puppet throws a vast number of errors on each run.