Version information
This version is compatible with:
- Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-selinux', '2.12.0'
Learn more about managing modules with a PuppetfileDocumentation
pupmod-simp-selinux
Table of Contents
Description
Manage active SELinux state and state after a reboot.
Setup
What selinux affects
Manages the following:
- The running state of SELinux
/etc/selinux/config
file- SELinux-related packages
mcstrans
checkpolicy
- etc.
- SELinux-related services
mcstrans
restorecond
Usage
include 'selinux'
Reference
See the [REFERENCE.md][./REFERENCE.md] for a comprehensive overview of the module components.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise
Linux and compatible distributions, such as CentOS. Please see the
metadata.json
file for the most up-to-date list of
supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Reference
Table of Contents
Classes
selinux
selinux::config
: Set global SELinux system parametersselinux::install
: Install selinux-related packages not managed by vox_selinuxselinux::service
: Ensures mcstrans and restorecond services managed
Resource types
selinux_login
: Manage SELinux login mapping configuration NOTE: You may need to runrestorecon -RF
on any user home directories that have their default cselinux_state
: Toggle the enforcement of selinux
Data types
Selinux::State
: Types of selinux enforcement
Classes
selinux
The selinux class.
Parameters
The following parameters are available in the selinux
class:
package_ensure
login_resources
manage_mcstrans_package
manage_mcstrans_service
mcstrans_package_name
mcstrans_service_name
manage_restorecond_package
manage_restorecond_service
restorecond_package_name
ensure
kernel_enforce
autorelabel
manage_utils_package
mode
package_ensure
Data type: String
The ensure status of packages to be installed
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })
login_resources
Data type: Optional[Hash]
A hash of resources that should be created on the system as expected by
create_resources()
called on the selinux_login
type
A deep merge strategy is used when performing APL lookups on this value by default.
@example Change default to user_u
selinux::login_resources: "default": seuser: user_u mls_range: s0 "%admins": seuser: staff_u
# This only works if you enable mcstransd
# using selinux::manage_mcstrans_service: true
mls_range: "SystemLow-SystemHigh"
Default value: undef
manage_mcstrans_package
Data type: Boolean
manage_mcstrans_service
Data type: Boolean
mcstrans_package_name
Data type: String
mcstrans_service_name
Data type: String
manage_restorecond_package
Data type: Boolean
manage_restorecond_service
Data type: Boolean
restorecond_package_name
Data type: String
ensure
Data type: Selinux::State
Default value: 'enforcing'
kernel_enforce
Data type: Boolean
Default value: false
autorelabel
Data type: Boolean
Default value: false
manage_utils_package
Data type: Boolean
Default value: true
mode
Data type: Enum['targeted','mls']
Default value: 'targeted'
selinux::config
Set global SELinux system parameters
selinux::install
Install selinux-related packages not managed by vox_selinux
Parameters
The following parameters are available in the selinux::install
class:
manage_utils_package
utils_packages
manage_mcstrans_package
mcstrans_package_name
manage_restorecond_package
restorecond_package_name
package_ensure
manage_utils_package
Data type: Boolean
Default value: pick(getvar('selinux::manage_utils_package'), true)
utils_packages
Data type: Array[String]
Default value: ['checkpolicy']
manage_mcstrans_package
Data type: Boolean
Default value: simplib::lookup('selinux::manage_mcstrans_package')
mcstrans_package_name
Data type: String
Default value: simplib::lookup('selinux::mcstrans_package_name')
manage_restorecond_package
Data type: Boolean
Default value: simplib::lookup('selinux::manage_restorecond_package')
restorecond_package_name
Data type: String
Default value: simplib::lookup('selinux::restorecond_package_name')
package_ensure
Data type: String
Default value: simplib::lookup('selinux::package_ensure', { 'default_value' => simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' } ) } )
selinux::service
Ensures mcstrans and restorecond services managed
Resource types
selinux_login
Manage SELinux login mapping configuration
NOTE: You may need to run restorecon -RF
on any user home directories that
have their default contexts updated. This is particularly important for the
__default__
login entry but cannot be automated given the potential load
and unintended system consequences.
Properties
The following properties are available in the selinux_login
type.
ensure
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
mls_range
Valid values: /^.+$/
The Multi-Level Security range to be applied to the login
seuser
Valid values: /^.+$/
The SELinux user to which the login should be mapped.
You can get a list by running semanage user -l
Parameters
The following parameters are available in the selinux_login
type.
force
Valid values: true
, false
, yes
, no
Force the modification of potentially unsafe logins such as "root" and "default"
Default value: false
name
namevar
The user or group name to be managed. Groups must be prefixed with a "%"
provider
The specific backend to use for this selinux_login
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
selinux_state
Toggle the enforcement of selinux
Properties
The following properties are available in the selinux_state
type.
ensure
Valid values: false
, true
, disabled
, permissive
, enforcing
Set the SELinux state on the system
Default value: enforcing
Parameters
The following parameters are available in the selinux_state
type.
autorelabel
Valid values: true
, false
, yes
, no
Automatically determine if the filesystem needs to be relabeled. Enforcing > Permissive > Disabled Going to the right requires relabeling.
Default value: true
name
namevar
An arbitrary, but unique, name for the resource.
provider
The specific backend to use for this selinux_state
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Data types
Selinux::State
Types of selinux enforcement
Alias of
Variant[Boolean, Enum[
'enforcing',
'permissive',
'disabled'
]]
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 2.12.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 2.11.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- These updates may include the following:
- Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 2.10.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 2.9.0
- Add RockyLinux 8 support
- Mon Jan 23 2023 Michael Riddle mike@sicura.us - 2.8.1
- Added RHEL 9 support
- Fri Jun 03 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 2.8.0
- Update from camptocamp/systemd to puppet/systemd
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 2.7.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Fri Mar 26 2021 Steven Pritchard steven.pritchard@onyxpoint.com - 2.6.3
- Fix dependency cycle when using vox_selinux::boolean
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 2.6.3
- Removed EL6 support
- Fri Nov 20 2020 Liz Nemsick lnemsick.simp@gmail.com - 2.6.2-0
- Fixed a bug in which the module would attempt to create
selinux_login
resources whenselinux::login_resources
was set but selinux was disabled. This resulted in an error message 'Could not find a suitable provider for selinux_login' during catalog compilation.
- Wed Nov 18 2020 Trevor Vaughan tvaughan@onyxpoint.com - 2.6.1-0
- Allow users to include
selinux::install
without needing full SELinux system management. This is particularly important when the native types are to be used in different modules but you don't want to include full management just to get the required packages.
- Mon Sep 21 2020 Trevor Vaughan tvaughan@onyxpoint.com - 2.6.0-0
- No longer enable or install mcstransd by default
- It is a user convenience feature and not required for core functionality
- Ensure that mcstransd is added to the GID assigned to
/proc
if one is assigned on the system
- Mon Jan 13 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 2.5.1-0
- Add EL8 defaults for Oracle Linux
- Wed Nov 06 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 2.5.1-0
- Defined values for EL8 in data in modules.
- Updated Gemfile versions to ones that support EL8.
- Updated metadata.json to include support for CentOS 8 and RedHat 8
- Added acceptance test nodes for CentOS 8 and RedHat 8
- Removed $:: from top level variables.
- Removed tests for Puppet 4 from travis.yml.
- Bumped upper bound for simp-simplib to < 5.0.0
- Fri Jun 28 2019 Steven Pritchard steven.pritchard@onypoint.com - 2.5.0-0
- Add v2 compliance_markup data
- Add support for puppetlabs-stdlib 6
- Fri Jun 14 2019 Trevor Vaughan tvaughan@onyxpoint.com - 2.4.1-0
- Ensure that the selinux::login_resources Hash performs a deep merge by default.
- Fri Apr 05 2019 Trevor Vaughan tvaughan@onyxpoint.com - 2.4.0-0
- Add
selinux::kernel_enforce
for toggling the enforcement of the selinux state at the kernel command line. - Switch the /etc/selinux/config template over to EPP format.
- Deprecate Puppet 4 support
- Add Puppet 6 support
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 2.3.1-0
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 2.3.0-0
- Update Hiera 4 to Hiera 5
- Mon Jul 09 2018 Trevor Vaughan tvaughan@onyxpoint.com - 2.3.0-0
- Adds a
selinux_login
custom type that provides for the management of login to user role mappings. - Incorporated the fork of the
voxpupuli-selinux
module assimp-vox_selinux
without conflict - Add support for OEL and Puppet 5
- Fix bug with enforcement switching in the native type
- Mon Apr 23 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 2.2.0-0
- simp_options::selinux was supposed to indicate if the selinux module should be included. Class include lists set in the simp module would include selinux regardless of this setting. This option was also being used to set the state of selinux. This caused confusion so simp_options::selinux setting was removed. The selinux state, set by the ensure parameter, is defaulted to 'enforcing'. This will result in the same behavior as if simp_options::selinux was set to true. See the pupmod-simp-simp module to see which scenarios include selinux by default.
- Thu Dec 07 2017 Steven Pritchard steven.pritchard@onyxpoint.com - 2.1.2-0
- Update README.md from puppet strings
- Fri Sep 15 2017 Nick Miller nick.miller@gmail.com - 2.1.1-0
- Add message to reboot notify
- Wed Jul 12 2017 Liz Nemsick lnemsick.simp@gmail.com - 2.1.0-0
- Rework manifests to ensure mcstrans and restorecond services are not running when selinux is disabled.
- Allow this module to manage restorecond package installation.
- Wed Apr 26 2017 Nick Miller nick.miller@onyxpoint.com - 2.1.0-0
- Moved management of mcstrans and restorecond to the selinux module
- Change default packages ensure to use the catalyst
- Update puppet requirement in metadata.json
- Mon Apr 17 2017 Nick Markowski nmarkowski@keywcorp.com - 2.1.0-0
- Fixed a bug wherein setenforce would run if selinux was disabled
- Changes in selinux state incur a reboot notification
- Tue Mar 28 2017 Nick Miller nick.miller@onyxpoint.com 2.0.2-0
- Defaulted selinux::ensure to the selinux catalyst for better control of selinux enforcement.
- Tue Dec 20 2016 Nick Miller nick.miller@onyxpoint.com 2.0.1-0
- Strongly typed module
- Mon Nov 21 2016 SIMP-Team https://groups.google.com/forum/#!forum/simp 2.0.0-0
- Updated module for compliance markup API v1.0.0 compatibility.
- Wed Aug 31 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 1.0.3-0
- Ensure that policycoreutils-python is only installed if not installed elsewhere. This deconflicts with various hotfixes that were needed in other modules.
- Tue Jun 21 2016 Nick Markowski nmarkowski@keywcorp.com - 1.0.2-0
- policycoreutils-python now installed by default.
- Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 1.0.1-0
- Removed custom type deprecation warning
- Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 1.0.0-5
- Added compliance function support
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-4
- Changed puppet-server requirement to puppet
- Sun May 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-3
- Rewrite the native type to properly handle all options.
- Remove incorrect use of !! in the selinux provider.
- Wed Apr 16 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-2
- Update to allow true/false as enable modes so that it can be removed from the sec module.
- Wed Apr 09 2014 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-2
- Added a custom type to set the selinux mode. It autorequires all selboolean types. This replaces the selinux_enable execs in the init manifest.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com 1.0.0-1
- Updated all erb templates to properly scope variables.
- Fri May 03 2013 Trevor Vaughan tvaughan@onyxpoint.com 1.0.0-0
- First cut at an SELinux module.
- The only current functionality is to enable or disable SELinux on the running system in a sane manner.
Dependencies
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/vox_selinux (>= 3.1.0 < 4.0.0)
pupmod-simp-selinux - A Puppet Module for managing SELinux -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.