From 914509740f787b8d8e26b8e69011cb90be399b23 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Thu, 3 Aug 2017 12:19:53 +0100 Subject: [PATCH] added selinux status configuration --- README.md | 7 ++++++- manifests/main/config.pp | 8 ++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fe0642b..9aed658 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ |Repo Name| version | Build Status| |---|---|---|---| -|`cd_selinux`| 0.0.0.3 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_selinux)](https://jenkins.confdroid.com/job/cd_selinux/)| +|`cd_selinux`| 0.0.0.4 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_selinux)](https://jenkins.confdroid.com/job/cd_selinux/)| ### Synopsis [Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies.](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) @@ -34,6 +34,9 @@ Installation: * install binaries required for selinux and related tools +Configuration +* manage /etc/sysconfig/selinux file (file system permissions, selinux context, content) +* manage current selinux status (permissive,enforcing) ### Repo Structure @@ -74,6 +77,8 @@ The following parameters are editable via params.pp or through ENC (**__recommen All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored. ### Known Problems +* Systems configured with selinux disabled require a reboot for selinux to be enabled. This module will **__not__** do the reboot for you to avoid unexpected outages. + ### Support * OS: CentOS 6, 7 diff --git a/manifests/main/config.pp b/manifests/main/config.pp index 732fd4a..af887cb 100644 --- a/manifests/main/config.pp +++ b/manifests/main/config.pp 
@@ -27,4 +27,12 @@ class cd_selinux::main::config ( include cd_selinux::main::files + if $sx_selinux_status == 'enforcing' { + exec { 'set_selinux_status': + command => 'setenforce 1', + path => '/usr/sbin', + provider => shell, + unless => 'getenforce | grep -i "enforcing"' + } + } }
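Review bot: in the README version-bump hunk, the table separator row `|---|---|---|---|` that sits between the header and the bumped `cd_selinux` row has four cells for a three-column header (`Repo Name`, `version`, `Build Status`); some Markdown renderers refuse to render the table at all in that case. Since this line is already being touched, drop the extra `|---|` so the separator matches the header.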
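Review bot: the new `Configuration` block in the README is added directly after the `* install binaries required for selinux and related tools` bullet with no blank line, so Markdown treats `Configuration` as a lazy continuation of that list item instead of a label for the two bullets that follow; add a blank line before it and match the existing `Installation:` style (`Configuration:`). In the same hunk, `(permissive,enforcing)` is missing a space after the comma, and the README now promises that both states are managed while the config.pp hunk in this patch only acts when the parameter is `enforcing`.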
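Review bot: the new Known Problems entry says the module will not reboot a node on which SELinux is disabled, but not what the module does on such a node instead; with the config.pp change in this patch, `setenforce 1` is executed there and fails, so the agent run errors on every run until the reboot happens. Either document that behaviour here ("the run reports an error until the node is rebooted"), or guard the exec so that the disabled state is skipped and this wording stays accurate.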
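Review bot: the exec `set_selinux_status` is not idempotent as written, because `path => '/usr/sbin'` is also the PATH used for the `unless` command, and `grep` lives in /bin on CentOS 6 and /usr/bin on CentOS 7, not /usr/sbin; the guard `getenforce | grep -i "enforcing"` therefore exits non-zero on every run and `setenforce 1` is re-applied and reported as a change each time. Use `path => ['/usr/sbin', '/usr/bin', '/bin']` or a fully qualified `/bin/grep`. Two further points on the same hunk: the `if $sx_selinux_status == 'enforcing'` branch has no `permissive` counterpart (`setenforce 0`), so a node whose parameter is changed to `permissive` is never switched back at runtime even though the README hunk advertises both values; and on a host where SELinux is disabled `getenforce` prints `Disabled`, the guard fails, and `setenforce 1` errors with "setenforce: SELinux is disabled", which fails the Puppet run rather than just skipping the resource. Adding `onlyif => 'selinuxenabled'` (exit status 0 only when SELinux is enabled) to the exec keeps the run green until the reboot the Known Problems entry describes, and validating `$sx_selinux_status` against the two accepted values would catch typos before they silently disable the resource.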