
Luke Kanies

# selinux puppet demo
# Michael DeHaan <mdehaan@redhat.com>
# Modified by Luke Kanies
# original at http://et.redhat.com/~mdehaan/software/puppet/selinux.pp

# SELinux file contexts handed to confile by user_with_homedir:
#   $type1 labels a user's home directory
#   $type2 labels the public_html tree that httpd is allowed to serve
$type1 = "user_u:object_r:user_home_dir_t"
$type2 = "user_u:object_r:httpd_sys_content_t"

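# Bring the host into SELinux enforcing mode.
# The persistent setting is written to /etc/selinux/config; a reboot is
# forced only when SELinux is currently Disabled (it cannot be switched on
# at runtime), while a live setenforce is enough when it is only Permissive.
class selinux_targeted_enforcing {
   # NOTE(review): the source sits in world-writable /tmp, so any local user
   # could swap the file before puppet copies it as root. Acceptable for a
   # demo; otherwise serve it from the puppet fileserver or a root-owned path.
   file { "/etc/selinux/config" :
       source => "/tmp/demo_etc_selinux_config"
   }
   # Both execs depend on the config file so the new setting is on disk
   # before we act on it -- without the require the reboot may run first and
   # the machine comes back still Disabled. The onlyif guard is the only thing
   # keeping this from rebooting on every run, so keep it tight.
   # getenforce takes no arguments; the stray "0" the original passed is dropped.
   exec { "selinux_enforcing_reboot" :
       command => "/usr/bin/reboot",
       onlyif => "/usr/sbin/getenforce | grep -q 'Disabled'",
       require => file["/etc/selinux/config"]
   }
   exec { "selinux_enforcing":
       command => "/usr/sbin/setenforce 1",
       onlyif => "/usr/sbin/getenforce | grep -q 'Permissive'",
       require => file["/etc/selinux/config"]
   }
}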

# Mmmmm, reusable components
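# Set one SELinux boolean to the requested state, idempotently.
#   $name   - the boolean to manage (e.g. httpd_enable_homedirs)
#   $ensure - true to switch it on, false to switch it off
define sebool(ensure) {
   $should = $ensure ? { true => "On", false => "Off" }
   # Run setsebool only when getsebool does NOT already report the wanted
   # state. The grep has to be negated: as originally written the exec fired
   # only when the boolean was already correct and never otherwise.
   # -i because getsebool prints the state in lowercase on at least some
   # releases -- TODO confirm the exact wording on the target policy version.
   # setsebool without -P does not survive the reboot that
   # selinux_targeted_enforcing may trigger; add -P if persistence is wanted.
   exec { "sebool-$name":
       command => "/usr/sbin/setsebool $name $ensure",
       onlyif => "/usr/sbin/getsebool $name | grep -q -i -v '$should'"
   }
}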

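# Install httpd, drop in the demo config, allow it to serve ~user/public_html
# under SELinux, and keep the service running and enabled at boot.
class apache_with_homedirs_and_selinux {
   package { httpd:
       ensure => installed
   }
   # NOTE(review): the config is copied from world-writable /tmp, so a local
   # user could plant their own httpd.conf before puppet installs it as root.
   # Fine for a demo; use the fileserver or a root-owned source otherwise.
   file { "/etc/httpd/conf/httpd.conf" :
       source => "/tmp/demo_etc_httpd_conf_httpd.conf",
       require => package["httpd"]
   }
   sebool { httpd_enable_homedirs:
       ensure => true,
       require => file["/etc/httpd/conf/httpd.conf"], # works fine with components
   }
   service { httpd:
       ensure => "running",
       enabled => true, # this does chkconfig
       path => "/etc/init.d", # this should be the default
       require => package["httpd"],
       # subscribe so a changed httpd.conf actually restarts the daemon;
       # with require alone a new config would sit unused until the next restart
       subscribe => file["/etc/httpd/conf/httpd.conf"]
   }
}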

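# Manage a file or directory ($name) together with its SELinux context.
#   conrecurse - apply the context recursively (chcon -R); default false
#   contype    - the SELinux context to apply, e.g. $type1
#   mode/owner/ensure - passed straight through to the file resource
# The original body read $recursive and $type, neither of which is a
# parameter of this define, so the recursion flag was always "-R" and
# chcon was invoked with an empty context; both now use the real parameters.
define confile(conrecurse = false, contype, mode, owner, ensure) {
   file { $name :
       mode => $mode,
       owner => $owner, # this automatically requires user[$owner]
       ensure => $ensure
   }
   $recurse = $conrecurse ? { false => "", default => "-R" }
   # Relabel only when the current context (stat -Z) differs from $contype.
   # $name is interpolated unquoted into a shell string: this assumes paths
   # without whitespace or shell metacharacters -- TODO confirm callers.
   exec { "con-$name":
       command => "/usr/bin/chcon $recurse $contype $name",
       onlyif => "/usr/bin/stat -Z $name --format=%C | grep -q -v '$contype'",
       require => file["$name"]
   }
}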

# Create a local user ($name) with a labelled home directory and a
# public_html directory that httpd may serve.
define user_with_homedir() {
   user { $name:
       ensure => present,
       home => "/home/$name"
   }
   # home directory: owner-only access plus traverse for others (711),
   # labelled recursively with the home-directory context
   confile { "/home/$name" :
       ensure => directory,
       owner => $name, # this automatically requires user[$name]
       mode => 711,
       contype => $type1,
       conrecurse => true,
   }
   # public_html: world-readable (755), labelled as httpd content;
   # automatically requires file["/home/$name"]
   confile { "/home/$name/public_html" :
       ensure => directory,
       owner => $name,
       mode => 755,
       contype => $type2,
   }
}

# Top-level wiring for the demo: enforce SELinux, set up httpd, and create
# two test users with labelled home directories.
class go {
   include selinux_targeted_enforcing
   include apache_with_homedirs_and_selinux
   user_with_homedir { ["testu1234", "testu5678"]: }
}

# Evaluate the demo class on this node.
include go