selinux
: Manage SELinux on RHEL based systems.
selinux::build
: Configure the system for module building
selinux::config
: Configure the system to use SELinux on the system.
selinux::package
: Manages additional packages required to support some of the functions.
selinux::refpolicy_package
: Manages additional packages required to support some of the functions.
selinux::boolean
: Manage the state of an SELinux boolean.
selinux::exec_restorecon
: A convenience wrapper around a restorecon exec
selinux::fcontext
: For fcontext equivalences, see selinux::fcontext::equivalence
selinux::fcontext::equivalence
: Manage SELinux fcontext equivalences
selinux::login
: Manage a SELinux login
selinux::module
: Manage a SELinux module on a running system
selinux::permissive
: Set SELinux type to permissive
selinux::port
: Manage a SELinux local network port context setting
selinux_fcontext
: Manage SELinux fcontext definitions. You should use selinux::fcontext instead of this directly.
selinux_fcontext_equivalence
: Manage SELinux fcontext equivalence definitions. You should use selinux::fcontext instead of this directly.
selinux_login
: Manage SELinux login definitions. You should use selinux::login instead of this directly.
selinux_permissive
: Manage SELinux permissive types.
selinux_port
: Manage SELinux port definitions. You should use selinux::port instead of this directly.
Manage SELinux on RHEL based systems.
  class { 'selinux':
    mode => 'enforcing',
    type => 'targeted',
  }
The following parameters are available in the selinux class:

- package_name
- manage_auditd_package
- refpolicy_package_name
- mode
- type
- refpolicy_makefile
- manage_package
- auditd_package_name
- manage_setroubleshoot_packages
- manage_selinux_sandbox_packages
- setroubleshoot_package_names
- selinux_sandbox_package_names
- module_build_root
- default_builder
- boolean
- fcontext
- fcontext_equivalence
- module
- permissive
- port
- exec_restorecon
- login

`package_name`
Data type: Variant[String[1], Array[String[1]]]
Sets the name(s) for the selinux tools package.
Default value: OS dependent (see data/)

`manage_auditd_package`
Data type: Boolean
Install auditd to log SELinux violations, for OSes that do not have auditd installed by default.
Default value: OS dependent (see data/)

`refpolicy_package_name`
Data type: String
Sets the name for the refpolicy development package, required for the refpolicy module builder.
Default value: OS dependent (see data/)

`mode`
Data type: Optional[Enum['enforcing', 'permissive', 'disabled']]
Sets the operating state for SELinux.
Default value: undef

`type`
Data type: Optional[Enum['targeted', 'minimum', 'mls']]
Sets the selinux type.
Default value: undef

`refpolicy_makefile`
Data type: Stdlib::Absolutepath
The path to the system's SELinux makefile for the refpolicy framework.
Default value: '/usr/share/selinux/devel/Makefile'

`manage_package`
Data type: Boolean
Manage the package for selinux tools and refpolicy.
Default value: true

`auditd_package_name`
Data type: String[1]
Used when manage_auditd_package is true.
Default value: 'auditd'

`manage_setroubleshoot_packages`
Data type: Boolean
Manage the setroubleshoot packages.

`manage_selinux_sandbox_packages`
Data type: Boolean
Manage the selinux sandbox packages.

`setroubleshoot_package_names`
Data type: Array[String]
The names of the setroubleshoot packages.
Default value: []

`selinux_sandbox_package_names`
Data type: Array[String]
The names of the selinux sandbox packages.
Default value: []

`module_build_root`
Data type: Stdlib::Absolutepath
Directory where modules are built. Defaults to $vardir/puppet-selinux.
Default value: "${facts['puppet_vardir']}/puppet-selinux"

`default_builder`
Data type: Enum['refpolicy', 'simple']
Which builder to use by default with selinux::module.
Default value: 'simple'

`boolean`
Data type: Optional[Hash]
Hash of selinux::boolean resource parameters.
Default value: undef

`fcontext`
Data type: Optional[Hash]
Hash of selinux::fcontext resource parameters.
Default value: undef

`fcontext_equivalence`
Data type: Optional[Hash]
Hash of selinux::fcontext::equivalence resource parameters.
Default value: undef

`module`
Data type: Optional[Hash]
Hash of selinux::module resource parameters.
Default value: undef

`permissive`
Data type: Optional[Hash]
Hash of selinux::permissive resource parameters.
Default value: undef

`port`
Data type: Optional[Hash]
Hash of selinux::port resource parameters.
Default value: undef

`exec_restorecon`
Data type: Optional[Hash]
Hash of selinux::exec_restorecon resource parameters.
Default value: undef

`login`
Data type: Hash[String[1],Hash[String[1],String[1]]]
Hash of selinux::login resource parameters.
Default value: {}
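As an added example (not part of the module's own reference), a profile class that drives every resource family through the hash-valued class parameters above: the class hands each hash to the matching defined type, so hash keys are resource titles and hash values are that type's parameters. The web-server paths, SELinux types, port number and login mapping are constructed sample values for a hypothetical deployment.

```puppet
# Hypothetical baseline profile: everything SELinux-related for a host is
# declared once, in data form, through the selinux class.
class profile::selinux_baseline {
  class { 'selinux':
    mode => 'enforcing',
    type => 'targeted',

    # selinux::boolean: title is the boolean name, value is its parameters.
    boolean => {
      'httpd_can_network_connect_db' => { 'ensure' => 'on' },
      'httpd_enable_homedirs'        => { 'ensure' => 'off' },
    },

    # selinux::fcontext: title doubles as the semanage pathspec (pathspec
    # defaults to $title). Only the upload directory gets a writable type,
    # so the rest of the document root stays read-only for httpd_t.
    fcontext => {
      '/srv/www(/.*)?'         => { 'seltype' => 'httpd_sys_content_t' },
      '/srv/www/uploads(/.*)?' => { 'seltype' => 'httpd_sys_rw_content_t', 'filetype' => 'd' },
    },

    # selinux::fcontext::equivalence: label /opt/app like /srv/www.
    fcontext_equivalence => {
      '/opt/app' => { 'target' => '/srv/www' },
    },

    # selinux::port: let httpd bind a non-default TCP port (sample value).
    port => {
      'allow-httpd-8180' => { 'seltype' => 'http_port_t', 'protocol' => 'tcp', 'port' => 8180 },
    },

    # selinux::permissive: title is the domain; an empty parameter hash
    # takes the defaults (ensure => 'present').
    permissive => {
      'oddjob_mkhomedir_t' => {},
    },

    # selinux::exec_restorecon: title is the path; runs after the fcontext
    # changes above, before Anchor['selinux::end'].
    exec_restorecon => {
      '/srv/www' => {},
    },

    # selinux::login: title follows the "linuxuser_selinuxuser" form expected
    # by the underlying selinux_login type.
    login => {
      'deploy_staff_u' => { 'selinux_login_name' => 'deploy', 'selinux_user' => 'staff_u' },
    },
  }
}
```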
Manage the state of an SELinux boolean.
  selinux::boolean{ 'named_write_master_zones':
    ensure => 'on',
  }
  selinux::boolean{ 'named_write_master_zones':
    ensure => 'off',
  }
The following parameters are available in the selinux::boolean defined type:
Data type: Variant[Boolean, Enum['on', 'off', 'present', 'absent']]
Set to on or off.
Default value: 'on'
Data type: Boolean
Set to false if you don't want it to survive a reboot.
Default value: true
Will execute after all other SELinux changes have been applied, but before Anchor['selinux::end'].
The following parameters are available in the selinux::exec_restorecon defined type:
Data type: Stdlib::Absolutepath
The path to run restorecon on. Defaults to resource title.
Default value: $title
Data type: Boolean
Whether restorecon should recurse. Defaults to true
Default value: true
Data type: Boolean
Whether restorecon should use force. Defaults to false.
Default value: false
Data type: Boolean
see the Exec resource
Default value: true
Data type: Optional[String]
see the Exec resource
Default value: undef
Data type: Optional[String]
see the Exec resource
Default value: undef
For fcontext equivalences, see selinux::fcontext::equivalence.
- See also
- selinux::fcontext::equivalence
  selinux::fcontext{'set-mysql-log-context':
    seltype  => 'mysqld_log_t',
    pathspec => '/u01/log/mysql(/.*)?',
  }
  selinux::fcontext{'/u/users/[^/]*':
    filetype => 'd',
    seltype  => 'user_home_dir_t',
  }
The following parameters are available in the selinux::fcontext defined type:
Data type: Enum['absent', 'present']
The desired state of the resource. Default: 'present'
Default value: 'present'
Data type: Optional[String]
A particular SELinux type, like "mysqld_log_t"
Default value: undef
Data type: Optional[String]
A particular SELinux user, like "sysadm_u"
Default value: undef
Data type: String
A semanage fcontext-formatted path specification, like "/var/log/mysql(/.*)?". Defaults to title
Default value: $title
Data type: String[1]
File type the context applies to (e.g. regular file, directory, block device, all files)
- Types:
- a = all files (default value if not restricting filetype)
- f = regular file
- d = directory
- c = character device
- b = block device
- s = socket
- l = symbolic link
- p = named pipe
Default value: 'a'
Manage SELinux fcontext equivalences
  selinux::fcontext::equivalence { '/opt/wordpress':
    ensure => 'present',
    target => '/usr/share/wordpress',
  }
The following parameters are available in the selinux::fcontext::equivalence defined type:
Data type: String
The path to define an equivalence for. Default: Resource title
Default value: $title
Data type: String
The path that this resource will be equivalent to.
Data type: Enum['present', 'absent']
The desired state of the equivalence. Default: present
Default value: 'present'
This method will manage a selinux login, and will persist it across reboots.
  selinux::login { 'localuser_staff_u':
    ensure             => 'present',
    selinux_login_name => 'localuser',
    selinux_user       => 'staff_u',
  }
The following parameters are available in the selinux::login defined type:
Data type: Enum['present', 'absent']
Set to present to add or absent to remove a selinux login.
Default value: 'present'
Data type: String[1]
A Linux user or group
Data type: String[1]
The selinux user to map to
This class will either install or uninstall a SELinux module from a running system. This module allows an admin to keep .te files in text form in a repository, while allowing the system to compile and manage SELinux modules.
Concepts incorporated from: http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/
devel package
  selinux::module{ 'apache':
    ensure    => 'present',
    source_te => 'puppet:///modules/selinux/apache.te',
    builder   => 'simple'
  }
dependent packages like make.
  selinux::module{ 'mymodule':
    ensure    => 'present',
    source_te => 'puppet:///modules/profile/selinux/mymodule.te',
    source_fc => 'puppet:///modules/profile/selinux/mymodule.fc',
    source_if => 'puppet:///modules/profile/selinux/mymodule.if',
    builder   => 'refpolicy'
  }
  $content = @("END")
    policy_module(zabbix_fix, 0.1)
    require {
      type zabbix_t;
      type unreserved_port_t;
      class tcp_socket name_connect;
    }
    allow zabbix_t unreserved_port_t:tcp_socket name_connect;
    | END
  selinux::module{ 'zabbix_fix':
    ensure     => 'present',
    content_te => $content,
    builder    => 'simple'
  }
The following parameters are available in the selinux::module defined type:
Data type: Enum['absent', 'present']
present or absent
Default value: 'present'
Data type: Optional[String]
the source file (either a puppet URI or local file) of a pre-compiled SELinux policy package. Mutually exclusive with using source files.
Default value: undef
Data type: Optional[String]
the source file (either a puppet URI or local file) of the SELinux .te file
Default value: undef
Data type: Optional[String]
the source file (either a puppet URI or local file) of the SELinux .fc file
Default value: undef
Data type: Optional[String]
the source file (either a puppet URI or local file) of the SELinux .if file
Default value: undef
Data type: Optional[String]
content of the SELinux .te file
Default value: undef
Data type: Optional[String]
content of the SELinux .fc file
Default value: undef
Data type: Optional[String]
content of the SELinux .if file
Default value: undef
Data type: Optional[Enum['simple', 'refpolicy']]
either 'simple' or 'refpolicy'. The simple builder attempts to use checkmodule to build the module, whereas 'refpolicy' uses the refpolicy framework, but requires 'make'
Default value: undef
Set SELinux type to permissive
  selinux::permissive { 'oddjob_mkhomedir_t':
    ensure => 'present'
  }
The following parameters are available in the selinux::permissive defined type:
Data type: Enum['present', 'absent']
Set to present to add or absent to remove a permissive mode of a type
Default value: 'present'
Data type: String
A particular selinux type to make permissive, like "oddjob_mkhomedir_t"
Default value: $title
This method will manage a local network port context setting, and will persist it across reboots.
  selinux::port { 'allow-syslog-relp':
    ensure   => 'present',
    seltype  => 'syslogd_port_t',
    protocol => 'tcp',
    port     => 8514,
  }
The following parameters are available in the selinux::port defined type:
Data type: Enum['present', 'absent']
Set to present to add or absent to remove a port context.
Default value: 'present'
Data type: String
An SELinux port type
Data type: Enum['tcp', 'udp']
Either 'tcp', 'udp', 'ipv4' or 'ipv6'
Data type: Optional[Integer[1,65535]]
A network port number, like 8514.
Default value: undef
Data type: Optional[Tuple[Integer[1,65535], 2, 2]]
A port-range tuple, e.g. [9090, 9095].
Default value: undef
Manage SELinux fcontext definitions. You should use selinux::fcontext instead of this directly.
The following properties are available in the selinux_fcontext type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Valid values: %r{^[abcdflps]$}
The file type to match
Default value: a
Valid values: %r{\w+}
The SELinux range
Valid values: %r{\w+}
The SELinux role
Valid values: %r{\w+}, <<none>>
The SELinux type to apply to the paths
Valid values: %r{\w+}
The SELinux user name
The following parameters are available in the selinux_fcontext type.
Path regular expression
The specific backend to use for this selinux_fcontext resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
The namevar. Should be of the format pathspec_filetype
Manage SELinux fcontext equivalence definitions. You should use selinux::fcontext instead of this directly.
The following properties are available in the selinux_fcontext_equivalence type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The target of the equivalence, i.e. the path that this resource will be equivalent to
The following parameters are available in the selinux_fcontext_equivalence type.
The path to set equivalence for
The specific backend to use for this selinux_fcontext_equivalence resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
Manage SELinux login definitions. You should use selinux::login instead of this directly.
The following properties are available in the selinux_login type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The name of the linux user or group to map.
The selinux user to map to.
Valid values: policy, local
Source of the login configuration - either policy or local
The following parameters are available in the selinux_login type.
The specific backend to use for this selinux_login resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
Should be of the form "linuxuser_selinuxuser" or the type may misbehave
Manage SELinux permissive types.
The following properties are available in the selinux_permissive type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the selinux_permissive type.
Valid values: true, false
A read-only attribute indicating whether the type is locally customized
The specific backend to use for this selinux_permissive resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
namevar
The SELinux type that should be permissive
Manage SELinux port definitions. You should use selinux::port instead of this directly.
The following properties are available in the selinux_port type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The high end of the port range to manage
The low end of the port range to manage
Valid values: tcp, udp
The protocol of the SELinux port definition
The SELinux type of the SELinux port definition
Valid values: policy, local
Source of the port configuration - either policy or local
The following parameters are available in the selinux_port type.
The specific backend to use for this selinux_port resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
Should be of the form "protocol_lowport-highport" or the type may misbehave