From 63dbe688d389519b95ae2c2fbf77557a6477ea1c Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Sun, 5 Apr 2026 15:55:33 +0200
Subject: [PATCH] OP#561 add semanage
---
 README.md | 1 +
 manifests/main/service.pp | 1 +
 manifests/selinux/semanage.pp | 13 +++++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 manifests/selinux/semanage.pp
diff --git a/README.md b/README.md
index f43420c..8361fe3 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@
 - install required binaries
 - manage local custom configuration based on parameters, overriding the defaults
+- manage selinux rules
 - manage service
 - (optional) manage firewall
diff --git a/manifests/main/service.pp b/manifests/main/service.pp
index 50c048f..7d1a318 100644
--- a/manifests/main/service.pp
+++ b/manifests/main/service.pp
@@ -6,6 +6,7 @@ class confdroid_ssh::main::service (
 ) inherits confdroid_ssh::params {
 require confdroid_ssh::main::files
+ require confdroid_ssh::selinux::semanage
 if $ssh_use_firewall {
 require confdroid_ssh::firewall::iptables
 }
diff --git a/manifests/selinux/semanage.pp b/manifests/selinux/semanage.pp
new file mode 100644
index 0000000..68d69ef
--- /dev/null
+++ b/manifests/selinux/semanage.pp
@@ -0,0 +1,13 @@
+## confdroid_ssh::selinux::semanage.pp
+# Module name: confdroid_ssh
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages SELinux semanage settings
+##############################################################################
+class confdroid_ssh::selinux::semanage (
+) inherits confdroid_ssh::params {
+ exec { 'semanage_port_ssh':
+ command => "semanage port -a -t ssh_port_t -p tcp ${ssh_fw_port}",
+ unless => "semanage port -l | grep '^ssh_port_t' | grep 'tcp' | grep '${ssh_fw_port}'",
+ path => ['/usr/bin', '/usr/sbin'],
+ }
+}
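Review bot: In manifests/main/service.pp the new `require confdroid_ssh::selinux::semanage` is unconditional, whereas the firewall class right below it is gated on `$ssh_use_firewall`. On a node where SELinux is disabled or the `semanage` binary is not installed, the exec in the new class would likely fail and, through this require, block the service class as well. Consider gating it, e.g. `if $facts['os']['selinux']['enabled'] { require confdroid_ssh::selinux::semanage }`. The class body starts before and continues past this hunk, so a guard elsewhere cannot be ruled out.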
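Review bot: The `unless` guard in manifests/selinux/semanage.pp matches the port as a substring, so with `ssh_fw_port` set to 222 an existing `ssh_port_t tcp 2222` entry satisfies it and the label is never added; under enforcing SELinux sshd would then be denied the bind on the new port. Match the whole number instead: `unless => "semanage port -l | grep '^ssh_port_t' | grep -w 'tcp' | grep -w '${ssh_fw_port}'",`. `semanage port -a` also fails when the port is already assigned to another type, in which case `-m` is needed, so the exec would error on every run. Because `${ssh_fw_port}` is interpolated into a command string, it should be typed as `Integer[1, 65535]` where it is declared; confdroid_ssh::params is not part of this patch, so that may already be the case.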