From 914509740f787b8d8e26b8e69011cb90be399b23 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Thu, 3 Aug 2017 12:19:53 +0100 Subject: [PATCH 1/4] added selinux status configuration --- README.md | 7 ++++++- manifests/main/config.pp | 8 ++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fe0642b..9aed658 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ |Repo Name| version | Build Status| |---|---|---|---| -|`cd_selinux`| 0.0.0.3 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_selinux)](https://jenkins.confdroid.com/job/cd_selinux/)| +|`cd_selinux`| 0.0.0.4 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_selinux)](https://jenkins.confdroid.com/job/cd_selinux/)| ### Synopsis [Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies.](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) @@ -34,6 +34,9 @@ Installation: * install binaries required for selinux and related tools +Configuration +* manage /etc/sysconfig/selinux file (file system permissions, selinux context, content) +* manage current selinux status (permissive,enforcing) ### Repo Structure @@ -74,6 +77,8 @@ The following parameters are editable via params.pp or through ENC (**__recommen All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored. ### Known Problems +* Systems configured with selinux disabled require a reboot for selinux to be enabled. This module will **__not__** do the reboot for you to avoid unexpected outages. + ### Support * OS: CentOS 6, 7 diff --git a/manifests/main/config.pp b/manifests/main/config.pp index 732fd4a..af887cb 100644 --- a/manifests/main/config.pp +++ b/manifests/main/config.pp 
@@ -27,4 +27,12 @@ class cd_selinux::main::config ( include cd_selinux::main::files + if $sx_selinux_status == 'enforcing' { + exec { 'set_selinux_status': + command => 'setenforce 1', + path => '/usr/sbin', + provider => shell, + unless => 'getenforce | grep -i "enforcing"' + } + } } From a1177ccacf0d7d58a67314296ab9f290fadc2787 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Thu, 3 Aug 2017 12:24:18 +0100 Subject: [PATCH 2/4] added selinux status configuration --- manifests/main/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/main/config.pp b/manifests/main/config.pp index af887cb..ef0d614 100644 --- a/manifests/main/config.pp +++ b/manifests/main/config.pp @@ -30,7 +30,7 @@ class cd_selinux::main::config ( if $sx_selinux_status == 'enforcing' { exec { 'set_selinux_status': command => 'setenforce 1', - path => '/usr/sbin', + path => ['/usr/sbin','/usr/bin'], provider => shell, unless => 'getenforce | grep -i "enforcing"' } From 0bd13076fd01a31fad2102841de33ef653738ee5 Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Thu, 3 Aug 2017 12:36:11 +0100 Subject: [PATCH 3/4] updated parameter documentation and README --- README.md | 4 ++-- manifests/params.pp | 10 +++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9aed658..513a557 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ |Repo Name| version | Build Status| |---|---|---|---| -|`cd_selinux`| 0.0.0.4 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_selinux)](https://jenkins.confdroid.com/job/cd_selinux/)| +|`cd_selinux`| 0.0.1.0 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_selinux)](https://jenkins.confdroid.com/job/cd_selinux/)| ### Synopsis [Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies.](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) 
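Review bot: the README hunk in PATCH 1/4 adds `* manage current selinux status (permissive,enforcing)`, but the accompanying config.pp hunk only acts when `$sx_selinux_status == 'enforcing'`; a node declared `permissive` never gets `setenforce 0`, so the running state is not converged. Either add the `permissive` branch or narrow the README wording to what the module actually does. While touching the table, the separator row `|---|---|---|---|` has four cells for a three-column header, which breaks rendering on some markdown engines.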
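Review bot: in the config.pp hunk of PATCH 1/4, `setenforce 1` fails outright when SELinux is currently disabled (no policy is loaded in the kernel), so on exactly the hosts described by the new "Known Problems" entry the exec will error on every agent run instead of reporting the reboot requirement. Guard it with `onlyif => 'selinuxenabled'` or skip the exec when `getenforce` prints `Disabled`. Separately, `path => '/usr/sbin'` does not contain `grep`, so the `unless` command itself fails and Puppet runs `setenforce 1` on every run; PATCH 2/4 widens the path, but see the note on that hunk. Consider `grep -qi '^enforcing$'` so the check matches the whole `getenforce` output rather than a substring.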
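Review bot: `path => ['/usr/sbin','/usr/bin']` in PATCH 2/4 still does not resolve `grep` on CentOS 6, which the README lists as supported: there `grep` lives in `/bin` (the /usr merge only arrived with CentOS 7). A failing `unless` makes Puppet run `setenforce 1` on every agent run and report a change each time. Add `/bin` and `/sbin` to the list, or use the `$::path` fact, so the idempotency check works on both supported releases.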
@@ -71,7 +71,7 @@ The following parameters are editable via params.pp or through ENC (**__recommen #### Optional Parameters * `sx_install_setools` : Whether to install additional selinux tools, i.e. for troubleshooting. - +* `sx_selinux_status` : Which selinux status should be configured, sets both the status in the configuration file and on commanbd line. Valid options are `enforcing` and `permissive`. Defaults to `enforcing`. ### SELINUX All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored. diff --git a/manifests/params.pp b/manifests/params.pp index b7429b2..c658b4f 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -25,9 +25,13 @@ # to choose, i.e. `latest` or `present`. # @param [boolean] sx_install_setools Whether to install additional selinux # tools, i.e. for troubleshooting. -# @param [string] sx_selinux_status The desired selinux status. Valid values -# are `enforcing`, ``permissive`, `disabled`. Note that changing from disabled -# to any othe other types requires a manual reboot to relable the file system. +# @param [string] sx_selinux_status The desired selinux status. Used for both +# managing the configuration file as well as the command line (setenforce). +# Valid values are `enforcing` and `permissive`. While the configuration file +# supports another option 'disabled', this option is not available on +# commandline. Note that changing the active selinux status from `disabled` +# to any the other types requires a manual reboot to re-lable the file system. +# This module does not do that for you to avoid unexpected outages. # @param [string] sx_selinux_type The desired selinux type. Valid options are # `targeted`, `minimum` and `mls`. ############################################################################## From 199800e57a69be9c98bb73c07609940a7114856b Mon Sep 17 00:00:00 2001 
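Review bot: typo in the added README bullet of PATCH 3/4: "commanbd line" should read "command line". The bullet also states the parameter "sets both the status in the configuration file and on command line", but the exec added in PATCH 1/4 only handles `enforcing`; choosing `permissive` changes the file and leaves the running mode untouched until reboot. Document that limitation or add the `setenforce 0` branch so the README and the code agree.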
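Review bot: in the params.pp doc hunk of PATCH 3/4, "to any the other types" should be "to any of the other types" and "re-lable" should be "re-label". More importantly, the comment declares `enforcing` and `permissive` as the only valid values, yet nothing in the module validates the parameter: a value of `disabled`, or a typo, is written to /etc/sysconfig/selinux unchecked and silently skips the exec. Add `validate_re($sx_selinux_status, '^(enforcing|permissive)$')` from stdlib, or an `Enum['enforcing','permissive']` type if the module targets Puppet 4, so the documented contract is enforced at catalog compile time.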
From: Jenkins Server Date: Thu, 3 Aug 2017 13:35:51 +0200 Subject: [PATCH 4/4] recommit for updates in build 7 --- CHANGELOG.md | 30 +++++++++++++--- doc/_index.html | 2 +- doc/file.README.html | 20 +++++++++-- doc/index.html | 20 +++++++++-- doc/puppet_classes/cd_selinux.html | 2 +- .../cd_selinux_3A_3Amain_3A_3Aconfig.html | 20 +++++++++-- .../cd_selinux_3A_3Amain_3A_3Adirs.html | 2 +- .../cd_selinux_3A_3Amain_3A_3Afiles.html | 2 +- .../cd_selinux_3A_3Amain_3A_3Ainstall.html | 2 +- .../cd_selinux_3A_3Aparams.html | 34 ++++++++++++------- doc/top-level-namespace.html | 2 +- 11 files changed, 106 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d84c8b9..b8eaf8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,20 +8,40 @@ Changelog of Git Changelog.

No issue

+73df1183c06d683 Jenkins Server 2017-07-20 12:47:36 +

+

recommit for updates in build 4

+ +

dfeece2215322e3 Jenkins Server 2017-07-20 12:43:32

recommit for updates in build 3

-

-9f8a0aef46d59dd Arne Teuke 2017-07-20 12:43:17 -

-

added main config file control

-

c7e77e4c88c5b5a Jenkins Server 2017-07-20 12:08:03

recommit for updates in build 2

+

+ +

v0.0.0.3

+

No issue

+ + +8b184516c46ea66 Arne Teuke 2017-07-20 12:47:27 +

+

edited README

+ +

+6e8e556e2e2f7ef Arne Teuke 2017-07-20 12:46:33 +

+

changed repo dependency

+ +

+9f8a0aef46d59dd Arne Teuke 2017-07-20 12:43:17 +

+

added main config file control

+

8b0100d73a0a456 Arne Teuke 2017-07-20 12:07:11

diff --git a/doc/_index.html b/doc/_index.html index 783b653..24bc57e 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -127,7 +127,7 @@

diff --git a/doc/file.README.html b/doc/file.README.html index c1eb430..1c634c1 100644 --- a/doc/file.README.html +++ b/doc/file.README.html @@ -61,7 +61,7 @@

|Repo Name| version | Build Status| |---|---|---|---| -|cd_selinux| 0.0.0.3 | cd_selinux| 0.0.1.0 | {Build Status/]|

@@ -128,6 +128,12 @@ href="https://gitlab.puppetsoft.com/12WW1160/cd_selinux/blob/master/CHANGELOG.md

Installation: * install binaries required for selinux and related tools

+

Configuration +* manage /etc/sysconfig/selinux file (file system +permissions, selinux context, content) +* manage current selinux status +(permissive,enforcing)

+

Repo Structure

Repostructure has moved to REPOSTRUCTURE.md in repo.

@@ -173,6 +179,11 @@ at next puppet run. Services will be restarted where neccessary.

  • sx_install_setools : Whether to install additional selinux tools, i.e. for troubleshooting.

    +
  • +

    sx_selinux_status : Which selinux status should be configured, +sets both the status in the configuration file and on commanbd line. Valid +options are enforcing and permissive. Defaults to +enforcing.

SELINUX

@@ -181,6 +192,11 @@ tools, i.e. for troubleshooting.

selinux is disabled, these contexts are ignored.

Known Problems

+
  • +

    Systems configured with selinux disabled require a reboot for selinux to be +enabled. This module will not do the reboot for you to +avoid unexpected outages.

    +

Support

  • @@ -235,7 +251,7 @@ environments.

    diff --git a/doc/index.html b/doc/index.html index c9256b1..f8e32e4 100644 --- a/doc/index.html +++ b/doc/index.html @@ -61,7 +61,7 @@

    |Repo Name| version | Build Status| |---|---|---|---| -|cd_selinux| 0.0.0.3 | cd_selinux| 0.0.1.0 | {Build Status/]|

    @@ -128,6 +128,12 @@ href="https://gitlab.puppetsoft.com/12WW1160/cd_selinux/blob/master/CHANGELOG.md

    Installation: * install binaries required for selinux and related tools

    +

    Configuration +* manage /etc/sysconfig/selinux file (file system +permissions, selinux context, content) +* manage current selinux status +(permissive,enforcing)

    +

    Repo Structure

    Repostructure has moved to REPOSTRUCTURE.md in repo.

    @@ -173,6 +179,11 @@ at next puppet run. Services will be restarted where neccessary.

    • sx_install_setools : Whether to install additional selinux tools, i.e. for troubleshooting.

      +
    • +

      sx_selinux_status : Which selinux status should be configured, +sets both the status in the configuration file and on commanbd line. Valid +options are enforcing and permissive. Defaults to +enforcing.

    SELINUX

    @@ -181,6 +192,11 @@ tools, i.e. for troubleshooting.

    selinux is disabled, these contexts are ignored.

    Known Problems

    +
    • +

      Systems configured with selinux disabled require a reboot for selinux to be +enabled. This module will not do the reboot for you to +avoid unexpected outages.

      +

    Support

    • @@ -235,7 +251,7 @@ environments.

      diff --git a/doc/puppet_classes/cd_selinux.html b/doc/puppet_classes/cd_selinux.html index 4f7805a..b3947c9 100644 --- a/doc/puppet_classes/cd_selinux.html +++ b/doc/puppet_classes/cd_selinux.html @@ -139,7 +139,7 @@ class cd_selinux { diff --git a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Aconfig.html index 0cf33b7..b10073e 100644 --- a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Aconfig.html +++ b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Aconfig.html @@ -136,7 +136,15 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

      27 28 29 -30 +30 +31 +32 +33 +34 +35 +36 +37 +38
      # File 'manifests/main/config.pp', line 24
      @@ -147,6 +155,14 @@ class cd_selinux::main::config (
       
         include cd_selinux::main::files
       
      +  if $sx_selinux_status  == 'enforcing' {
      +    exec { 'set_selinux_status':
      +      command   =>  'setenforce 1',
      +      path      =>  ['/usr/sbin','/usr/bin'],
      +      provider  =>  shell,
      +      unless    =>  'getenforce | grep -i "enforcing"'
      +    }
      +  }
       }
      @@ -155,7 +171,7 @@ class cd_selinux::main::config ( diff --git a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Adirs.html index 82a5f5b..b68659d 100644 --- a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Adirs.html +++ b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Adirs.html @@ -176,7 +176,7 @@ class cd_selinux::main::dirs ( diff --git a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Afiles.html index 0551e81..e50ddff 100644 --- a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Afiles.html +++ b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Afiles.html @@ -178,7 +178,7 @@ class cd_selinux::main::files ( diff --git a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Ainstall.html index 5453a38..0df34cf 100644 --- a/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Ainstall.html +++ b/doc/puppet_classes/cd_selinux_3A_3Amain_3A_3Ainstall.html @@ -173,7 +173,7 @@ class cd_selinux::main::install ( diff --git a/doc/puppet_classes/cd_selinux_3A_3Aparams.html b/doc/puppet_classes/cd_selinux_3A_3Aparams.html index 8423e83..389d956 100644 --- a/doc/puppet_classes/cd_selinux_3A_3Aparams.html +++ b/doc/puppet_classes/cd_selinux_3A_3Aparams.html @@ -186,12 +186,20 @@ tools, i.e. for troubleshooting.

      -

      The desired selinux status. Valid values -are enforcing, -`permissive, disabled. Note that changing from -disabled -to any othe other types requires a manual reboot to relable the -file system.

      +

      The desired selinux status. Used for both +managing the configuration file +as well as the command line (setenforce). +Valid values are +enforcing and permissive. While the configuration +file +supports another option 'disabled', this option is not +available on +commandline. Note that changing the active selinux status from +disabled +to any the other types requires a manual reboot to +re-lable the file system. +This module does not do that for you to avoid +unexpected outages.

    • @@ -226,10 +234,6 @@ file system.

       
       
      -34
      -35
      -36
      -37
       38
       39
       40
      @@ -256,10 +260,14 @@ file system.

      61 62 63 -64
      +64 +65 +66 +67 +68 -
      # File 'manifests/params.pp', line 34
      +        
      # File 'manifests/params.pp', line 38
       
       class cd_selinux::params (
       
      @@ -299,7 +307,7 @@ $sx_main_file_erb   = 'cd_selinux/main/selinux_config.erb'
       
       
             
      diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
      index 6b10d87..2e2c256 100644
      --- a/doc/top-level-namespace.html
      +++ b/doc/top-level-namespace.html
      @@ -90,7 +90,7 @@
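Review bot: the doc/*.html files regenerated in PATCH 4/4 carry the "commanbd" and "re-lable" typos copied verbatim from the README and params.pp edits in PATCH 3/4 (see doc/file.README.html, doc/index.html and doc/puppet_classes/cd_selinux_3A_3Aparams.html). Once the source typos are fixed, the documentation needs another regeneration or the published pages stay wrong; committing generated output in the same series as the source change makes that easy to miss.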