# selinux puppet demo
# Michael DeHaan <mdehaan@redhat.com>
# Modified by Luke Kanies
# original at http://et.redhat.com/~mdehaan/software/puppet/selinux.pp
# Full SELinux contexts handed to confile{} below (user:role:type).
# $type1 labels a user's home directory, $type2 the content Apache is
# allowed to serve from it (see user_with_homedir).
$type1 = "user_u:object_r:user_home_dir_t"
$type2 = "user_u:object_r:httpd_sys_content_t"
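# Bring the host to SELinux enforcing mode.  The config file is shipped from
# the demo staging copy; the two execs handle the runtime state transitions.
class selinux_targeted_enforcing {
    file { "/etc/selinux/config":
        source => "/tmp/demo_etc_selinux_config"
    }
    # A kernel booted with SELinux Disabled cannot be switched on at runtime;
    # the only way in is a reboot.  That reboot must come *after* the config
    # file above is in place, otherwise the box comes back up Disabled again
    # (and this exec would fire on every run).
    exec { "selinux_enforcing_reboot":
        command => "/usr/bin/reboot",
        onlyif  => "/usr/sbin/getenforce | grep -q 'Disabled'",
        require => file["/etc/selinux/config"]
    }
    # Permissive -> Enforcing can be done live with setenforce.
    exec { "selinux_enforcing":
        command => "/usr/sbin/setenforce 1",
        onlyif  => "/usr/sbin/getenforce | grep -q 'Permissive'"
    }
}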
# Mmmmm, reusable components
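# Manage one SELinux boolean.  $name is the boolean, $ensure is true/false.
define sebool(ensure) {
    # getsebool prints the state in lower case ("name --> on"), so the
    # original "On"/"Off" never matched.  The check is also an `unless`:
    # we run setsebool when the boolean is NOT already in the wanted state.
    $should = $ensure ? { true => "on", false => "off" }
    # -P persists the value across the reboot selinux_targeted_enforcing
    # may trigger; setsebool accepts true/false directly.
    exec { "sebool-$name":
        command => "/usr/sbin/setsebool -P $name $ensure",
        # Anchor on the "--> on" token: a boolean whose *name* contains
        # "on" (httpd_can_network_connect) must not satisfy the grep.
        unless  => "/usr/sbin/getsebool $name | grep -q -- '--> $should\$'"
    }
}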
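# Install Apache, drop in the demo httpd.conf, allow it to serve ~user
# directories under SELinux and keep the service running.
class apache_with_homedirs_and_selinux {
    package { httpd:
        ensure => installed
    }
    file { "/etc/httpd/conf/httpd.conf":
        source  => "/tmp/demo_etc_httpd_conf_httpd.conf",
        require => package["httpd"]
    }
    sebool { httpd_enable_homedirs:
        ensure  => true,
        require => file["/etc/httpd/conf/httpd.conf"], # works fine with components
    }
    service { httpd:
        ensure    => "running",
        # The service type's parameter is `enable`, not `enabled`; the
        # original spelling was silently ignored, so httpd was never
        # chkconfig'd on.
        enable    => true, # this does chkconfig
        path      => "/etc/init.d", # this should be the default
        require   => package["httpd"],
        # Restart when the shipped config changes, otherwise edits to
        # httpd.conf never take effect on an already-running service.
        subscribe => file["/etc/httpd/conf/httpd.conf"]
    }
}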
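# Manage a file or directory ($name) and pin its SELinux context.
#   contype    - full context string, e.g. "user_u:object_r:user_home_dir_t"
#   conrecurse - relabel recursively (chcon -R); default false
#   mode, owner, ensure - passed straight through to the file resource
define confile(conrecurse = false, contype, mode, owner, ensure) {
    file { $name:
        mode   => $mode,
        owner  => $owner, # this automatically requires user[$owner]
        ensure => $ensure
    }
    # The original read $recursive and $type here, neither of which is a
    # parameter of this define, so chcon was run with no -R and an empty
    # context.  Use the real parameter names.
    $recurse = $conrecurse ? { false => "", default => "-R" }
    exec { "con-$name":
        # $name is a path supplied by the caller; quote it for the shell.
        command => "/usr/bin/chcon $recurse $contype '$name'",
        # Only relabel when the current context of $name differs from the
        # wanted one (with -R this still only inspects the top-level path).
        onlyif  => "/usr/bin/stat -Z '$name' --format=%C | grep -q -v '$contype'",
        require => file["$name"]
    }
}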
# Create a user ($name) with a labelled home directory and a public_html
# subdirectory Apache may serve from.
define user_with_homedir() {
    # The account itself; its home lives under /home.
    user { $name:
        home   => "/home/$name",
        ensure => present
    }
    # Home directory: owner-only listing (711 lets Apache traverse into
    # public_html), relabelled recursively as a home dir.
    confile { "/home/$name":
        ensure     => directory,
        owner      => $name, # this automatically requires user[$name]
        mode       => 711,
        contype    => $type1,
        conrecurse => true,
    }
    # World-readable web content directory.  Puppet autorequires the
    # parent file["/home/$name"] for this path.
    confile { "/home/$name/public_html":
        ensure  => directory,
        owner   => $name,
        mode    => 755,
        contype => $type2,
    }
}
# Top-level composition: enforce SELinux, set up Apache, then create the
# two demo users.  Include order is irrelevant; dependencies are expressed
# on the resources themselves.
class go {
    include apache_with_homedirs_and_selinux
    include selinux_targeted_enforcing
    # One user_with_homedir instance per title in the array.
    user_with_homedir { ["testu1234", "testu5678"]: }
}
# Evaluate the demo on every node this manifest is applied to.
include go