diff --git a/CHANGELOG.md b/CHANGELOG.md index d84c8b9..b8eaf8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,20 +8,40 @@ Changelog of Git Changelog.
+
-
+
+
+
diff --git a/README.md b/README.md index fe0642b..513a557 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ |Repo Name| version | Build Status| |---|---|---|---| -|`cd_selinux`| 0.0.0.3 | [](https://jenkins.confdroid.com/job/cd_selinux/)| +|`cd_selinux`| 0.0.1.0 | [](https://jenkins.confdroid.com/job/cd_selinux/)| ### Synopsis [Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies.](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) @@ -34,6 +34,9 @@ Installation: * install binaries required for selinux and related tools +Configuration +* manage /etc/sysconfig/selinux file (file system permissions, selinux context, content) +* manage current selinux status (permissive,enforcing) ### Repo Structure @@ -68,12 +71,14 @@ The following parameters are editable via params.pp or through ENC (**__recommen #### Optional Parameters * `sx_install_setools` : Whether to install additional selinux tools, i.e. for troubleshooting. - +* `sx_selinux_status` : Which selinux status should be configured, sets both the status in the configuration file and on commanbd line. Valid options are `enforcing` and `permissive`. Defaults to `enforcing`. ### SELINUX All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored. ### Known Problems +* Systems configured with selinux disabled require a reboot for selinux to be enabled. This module will **__not__** do the reboot for you to avoid unexpected outages. + ### Support * OS: CentOS 6, 7 diff --git a/doc/_index.html b/doc/_index.html index 783b653..24bc57e 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -127,7 +127,7 @@
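Review bot: the README.md hunk's new `sx_selinux_status` bullet has a typo, "commanbd line" should read "command line", and its statement that the parameter "sets both the status in the configuration file and on command line" overstates what this patch implements: the `manifests/main/config.pp` hunk only runs `setenforce 1` when the value is `enforcing`, so `permissive` is written to `/etc/sysconfig/selinux` only and the running mode is left as it was. Either qualify the bullet (the command-line status is only applied for `enforcing`) or add the matching `permissive` handling in config.pp so the README stays accurate.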
diff --git a/doc/file.README.html b/doc/file.README.html index c1eb430..1c634c1 100644 --- a/doc/file.README.html +++ b/doc/file.README.html @@ -61,7 +61,7 @@|Repo Name| version | Build
Status|
|---|---|---|---|
-|cd_selinux| 0.0.0.3 | cd_selinux| 0.0.1.0 | {Build
Status/]|
Installation: * install binaries required for selinux and related tools
+Configuration +* manage /etc/sysconfig/selinux file (file system +permissions, selinux context, content) +* manage current selinux status +(permissive,enforcing)
+Repostructure has moved to REPOSTRUCTURE.md in repo.
@@ -173,6 +179,11 @@ at next puppet run. Services will be restarted where neccessary.sx_install_setools : Whether to install additional selinux
tools, i.e. for troubleshooting.
sx_selinux_status : Which selinux status should be configured,
+sets both the status in the configuration file and on commanbd line. Valid
+options are enforcing and permissive. Defaults to
+enforcing.
Systems configured with selinux disabled require a reboot for selinux to be +enabled. This module will not do the reboot for you to +avoid unexpected outages.
+|Repo Name| version | Build
Status|
|---|---|---|---|
-|cd_selinux| 0.0.0.3 | cd_selinux| 0.0.1.0 | {Build
Status/]|
Installation: * install binaries required for selinux and related tools
+Configuration +* manage /etc/sysconfig/selinux file (file system +permissions, selinux context, content) +* manage current selinux status +(permissive,enforcing)
+Repostructure has moved to REPOSTRUCTURE.md in repo.
@@ -173,6 +179,11 @@ at next puppet run. Services will be restarted where neccessary.sx_install_setools : Whether to install additional selinux
tools, i.e. for troubleshooting.
sx_selinux_status : Which selinux status should be configured,
+sets both the status in the configuration file and on commanbd line. Valid
+options are enforcing and permissive. Defaults to
+enforcing.
Systems configured with selinux disabled require a reboot for selinux to be +enabled. This module will not do the reboot for you to +avoid unexpected outages.
+# File 'manifests/main/config.pp', line 24
@@ -147,6 +155,14 @@ class cd_selinux::main::config (
include cd_selinux::main::files
+ if $sx_selinux_status == 'enforcing' {
+ exec { 'set_selinux_status':
+ command => 'setenforce 1',
+ path => ['/usr/sbin','/usr/bin'],
+ provider => shell,
+ unless => 'getenforce | grep -i "enforcing"'
+ }
+ }
}
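Review bot: the new `set_selinux_status` exec in this `cd_selinux::main::config` hunk (the same block is added to `manifests/main/config.pp` further down) only covers `enforcing`; when `$sx_selinux_status` is `'permissive'` nothing is executed, so a host currently enforcing stays enforcing at runtime even though the parameter documentation in this patch says both the configuration file and the command line are managed. A second branch with `command => 'setenforce 0'` and `unless => 'getenforce | grep -i permissive'` would make the behaviour match the docs. Separately, on a host where SELinux is disabled `getenforce` prints `Disabled`, the `unless` guard does not match, and `setenforce 1` then fails, so this exec will raise an error on every Puppet run until the reboot that the new Known Problems entry describes; guarding it with `onlyif => 'selinuxenabled'` (or extending the `unless` to also match `disabled`) avoids the repeated failure while keeping the no-reboot policy.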
The desired selinux status. Valid values
-are enforcing,
-`permissive, disabled. Note that changing from
-disabled
-to any othe other types requires a manual reboot to relable the
-file system.
The desired selinux status. Used for both
+managing the configuration file
+as well as the command line (setenforce).
+Valid values are
+enforcing and permissive. While the configuration
+file
+supports another option 'disabled', this option is not
+available on
+commandline. Note that changing the active selinux status from
+disabled
+to any the other types requires a manual reboot to
+re-lable the file system.
+This module does not do that for you to avoid
+unexpected outages.
-34 -35 -36 -37 38 39 40 @@ -256,10 +260,14 @@ file system. 61 62 63 -64+64 +65 +66 +67 +68
# File 'manifests/params.pp', line 34 +# File 'manifests/params.pp', line 38 class cd_selinux::params ( @@ -299,7 +307,7 @@ $sx_main_file_erb = 'cd_selinux/main/selinux_config.erb' diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html index 6b10d87..2e2c256 100644 --- a/doc/top-level-namespace.html +++ b/doc/top-level-namespace.html @@ -90,7 +90,7 @@ diff --git a/manifests/main/config.pp b/manifests/main/config.pp index 732fd4a..ef0d614 100644 --- a/manifests/main/config.pp +++ b/manifests/main/config.pp @@ -27,4 +27,12 @@ class cd_selinux::main::config ( include cd_selinux::main::files + if $sx_selinux_status == 'enforcing' { + exec { 'set_selinux_status': + command => 'setenforce 1', + path => ['/usr/sbin','/usr/bin'], + provider => shell, + unless => 'getenforce | grep -i "enforcing"' + } + } } diff --git a/manifests/params.pp b/manifests/params.pp index b7429b2..c658b4f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -25,9 +25,13 @@ # to choose, i.e. `latest` or `present`. # @param [boolean] sx_install_setools Whether to install additional selinux # tools, i.e. for troubleshooting. -# @param [string] sx_selinux_status The desired selinux status. Valid values -# are `enforcing`, ``permissive`, `disabled`. Note that changing from disabled -# to any othe other types requires a manual reboot to relable the file system. +# @param [string] sx_selinux_status The desired selinux status. Used for both +# managing the configuration file as well as the command line (setenforce). +# Valid values are `enforcing` and `permissive`. While the configuration file +# supports another option 'disabled', this option is not available on +# commandline. Note that changing the active selinux status from `disabled` +# to any the other types requires a manual reboot to re-lable the file system. +# This module does not do that for you to avoid unexpected outages. # @param [string] sx_selinux_type The desired selinux type. Valid options are # `targeted`, `minimum` and `mls`. ##############################################################################
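Review bot: in the `manifests/params.pp` docstring hunk, "re-lable the file system" should be "relabel the file system" (the removed line carried the same misspelling, "relable", so this rewrite is the moment to fix it), and "to any the other types" is missing a word ("to any of the other types"). Both wording problems are carried verbatim into the generated doc hunks above, so the docs should be regenerated once the source comment is corrected. The sentence "Used for both managing the configuration file as well as the command line (setenforce)" also promises more than the `manifests/main/config.pp` hunk delivers: that code only calls `setenforce 1` for `enforcing`, so either note that `permissive` is applied to the file only, or add the corresponding `setenforce 0` handling.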