pupmod-simp-selinux

Table of Contents

• Description
• Setup
  • What selinux affects
• Usage
• Reference
• Limitations
• Development

Description

Manage active SELinux state and state after a reboot.

Setup

What selinux affects

Manages the following:

• The running state of SELinux
• /etc/selinux/config file
• SELinux-related packages
  • mcstrans
  • checkpolicy
  • etc.
• SELinux-related services
  • mcstrans
  • restorecond

Usage

include 'selinux'

Reference

See the [REFERENCE.md][./REFERENCE.md] for a comprehensive overview of the module components.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.

Reference

Table of Contents

Classes

• selinux
• selinux::config: Set global SELinux system parameters
• selinux::install: Install selinux-related packages not managed by vox_selinux
• selinux::service: Ensures mcstrans and restorecond services managed

Resource types

• selinux_login: Manage SELinux login mapping configuration NOTE: You may need to run restorecon -RF on any user home directories that have their default c
• selinux_state: Toggle the enforcement of selinux

Data types

• Selinux::State: Types of selinux enforcement

Classes

selinux

The selinux class.

Parameters

The following parameters are available in the selinux class:

• package_ensure
• login_resources
• manage_mcstrans_package
• manage_mcstrans_service
• mcstrans_package_name
• mcstrans_service_name
• manage_restorecond_package
• manage_restorecond_service
• restorecond_package_name
• ensure
• kernel_enforce
• autorelabel
• manage_utils_package
• mode

package_ensure

Data type: String

The ensure status of packages to be installed

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })

login_resources

Data type: Optional[Hash]

A hash of resources that should be created on the system as expected by create_resources() called on the selinux_login type

A deep merge strategy is used when performing APL lookups on this value by default.

@example Change default to user_u

selinux::login_resources: "default": seuser: user_u mls_range: s0 "%admins": seuser: staff_u

  # This only works if you enable mcstransd
  # using selinux::manage_mcstrans_service: true
  mls_range: "SystemLow-SystemHigh"

Default value: undef

manage_mcstrans_package

Data type: Boolean

manage_mcstrans_service

Data type: Boolean

mcstrans_package_name

Data type: String

mcstrans_service_name

Data type: String

manage_restorecond_package

Data type: Boolean

manage_restorecond_service

Data type: Boolean

restorecond_package_name

Data type: String

ensure

Data type: Selinux::State

Default value: 'enforcing'

kernel_enforce

Data type: Boolean

Default value: false

autorelabel

Data type: Boolean

Default value: false

manage_utils_package

Data type: Boolean

Default value: true

mode

Data type: Enum['targeted','mls']

Default value: 'targeted'

selinux::config

Set global SELinux system parameters

selinux::install

Install selinux-related packages not managed by vox_selinux

Parameters

The following parameters are available in the selinux::install class:

• manage_utils_package
• utils_packages
• manage_mcstrans_package
• mcstrans_package_name
• manage_restorecond_package
• restorecond_package_name
• package_ensure

manage_utils_package

Data type: Boolean

Default value: pick(getvar('selinux::manage_utils_package'), true)

utils_packages

Data type: Array[String]

Default value: ['checkpolicy']

manage_mcstrans_package

Data type: Boolean

Default value: simplib::lookup('selinux::manage_mcstrans_package')

mcstrans_package_name

Data type: String

Default value: simplib::lookup('selinux::mcstrans_package_name')

manage_restorecond_package

Data type: Boolean

Default value: simplib::lookup('selinux::manage_restorecond_package')

restorecond_package_name

Data type: String

Default value: simplib::lookup('selinux::restorecond_package_name')

package_ensure

Data type: String

Default value: simplib::lookup('selinux::package_ensure', { 'default_value' => simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' } ) } )

selinux::service

Ensures mcstrans and restorecond services managed

Resource types

selinux_login

Manage SELinux login mapping configuration

NOTE: You may need to run restorecon -RF on any user home directories that have their default contexts updated. This is particularly important for the __default__ login entry but cannot be automated given the potential load and unintended system consequences.

Properties

The following properties are available in the selinux_login type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

mls_range

Valid values: /^.+$/

The Multi-Level Security range to be applied to the login

seuser

Valid values: /^.+$/

The SELinux user to which the login should be mapped. You can get a list by running semanage user -l

Parameters

The following parameters are available in the selinux_login type.

• force
• name
• provider

force

Valid values: true, false, yes, no

Force the modification of potentially unsafe logins such as "root" and "default"

Default value: false

name

namevar

The user or group name to be managed. Groups must be prefixed with a "%"

provider

The specific backend to use for this selinux_login resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

selinux_state

Toggle the enforcement of selinux

Properties

The following properties are available in the selinux_state type.

ensure

Valid values: false, true, disabled, permissive, enforcing

Set the SELinux state on the system

Default value: enforcing

Parameters

The following parameters are available in the selinux_state type.

• autorelabel
• name
• provider

autorelabel

Valid values: true, false, yes, no

Automatically determine if the filesystem needs to be relabeled. Enforcing > Permissive > Disabled Going to the right requires relabeling.

Default value: true

name

namevar

An arbitrary, but unique, name for the resource.

provider

The specific backend to use for this selinux_state resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

Data types

Selinux::State

Types of selinux enforcement

Alias of

Variant[Boolean, Enum[
    'enforcing',
    'permissive',
    'disabled'
  ]]

• Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 2.13.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 2.12.0

• [puppetsync] Add EL9 support

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 2.11.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 2.10.0

• Add AlmaLinux 8 support

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 2.9.0

• Add RockyLinux 8 support

• Mon Jan 23 2023 Michael Riddle mike@sicura.us - 2.8.1

• Added RHEL 9 support

• Fri Jun 03 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 2.8.0

• Update from camptocamp/systemd to puppet/systemd

• Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 2.7.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Fri Mar 26 2021 Steven Pritchard steven.pritchard@onyxpoint.com - 2.6.3

• Fix dependency cycle when using vox_selinux::boolean

• Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 2.6.3

• Removed EL6 support

• Fri Nov 20 2020 Liz Nemsick lnemsick.simp@gmail.com - 2.6.2-0

• Fixed a bug in which the module would attempt to create selinux_login resources when selinux::login_resources was set but selinux was disabled. This resulted in an error message 'Could not find a suitable provider for selinux_login' during catalog compilation.

• Wed Nov 18 2020 Trevor Vaughan tvaughan@onyxpoint.com - 2.6.1-0

• Allow users to include selinux::install without needing full SELinux system management. This is particularly important when the native types are to be used in different modules but you don't want to include full management just to get the required packages.

• Mon Sep 21 2020 Trevor Vaughan tvaughan@onyxpoint.com - 2.6.0-0

• No longer enable or install mcstransd by default
  • It is a user convenience feature and not required for core functionality
• Ensure that mcstransd is added to the GID assigned to /proc if one is assigned on the system

• Mon Jan 13 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 2.5.1-0

• Add EL8 defaults for Oracle Linux

• Wed Nov 06 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 2.5.1-0

• Defined values for EL8 in data in modules.
• Updated Gemfile versions to ones that support EL8.
• Updated metadata.json to include support for CentOS 8 and RedHat 8
• Added acceptance test nodes for CentOS 8 and RedHat 8
• Removed $:: from top level variables.
• Removed tests for Puppet 4 from travis.yml.
• Bumped upper bound for simp-simplib to < 5.0.0

• Fri Jun 28 2019 Steven Pritchard steven.pritchard@onypoint.com - 2.5.0-0

• Add v2 compliance_markup data
• Add support for puppetlabs-stdlib 6

• Fri Jun 14 2019 Trevor Vaughan tvaughan@onyxpoint.com - 2.4.1-0

• Ensure that the selinux::login_resources Hash performs a deep merge by default.

• Fri Apr 05 2019 Trevor Vaughan tvaughan@onyxpoint.com - 2.4.0-0

• Add selinux::kernel_enforce for toggling the enforcement of the selinux state at the kernel command line.
• Switch the /etc/selinux/config template over to EPP format.
• Deprecate Puppet 4 support
• Add Puppet 6 support

• Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 2.3.1-0

• Update the upper bound of stdlib to < 6.0.0
• Update a URL in the README.md

• Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 2.3.0-0

• Update Hiera 4 to Hiera 5

• Mon Jul 09 2018 Trevor Vaughan tvaughan@onyxpoint.com - 2.3.0-0

• Adds a selinux_login custom type that provides for the management of login to user role mappings.
• Incorporated the fork of the voxpupuli-selinux module as simp-vox_selinux without conflict
• Add support for OEL and Puppet 5
• Fix bug with enforcement switching in the native type

• Mon Apr 23 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 2.2.0-0

• simp_options::selinux was supposed to indicate if the selinux module should be included. Class include lists set in the simp module would include selinux regardless of this setting. This option was also being used to set the state of selinux. This caused confusion so simp_options::selinux setting was removed. The selinux state, set by the ensure parameter, is defaulted to 'enforcing'. This will result in the same behavior as if simp_options::selinux was set to true. See the pupmod-simp-simp module to see which scenarios include selinux by default.

• Thu Dec 07 2017 Steven Pritchard steven.pritchard@onyxpoint.com - 2.1.2-0

• Update README.md from puppet strings

• Fri Sep 15 2017 Nick Miller nick.miller@gmail.com - 2.1.1-0

• Add message to reboot notify

• Wed Jul 12 2017 Liz Nemsick lnemsick.simp@gmail.com - 2.1.0-0

• Rework manifests to ensure mcstrans and restorecond services are not running when selinux is disabled.
• Allow this module to manage restorecond package installation.

• Wed Apr 26 2017 Nick Miller nick.miller@onyxpoint.com - 2.1.0-0

• Moved management of mcstrans and restorecond to the selinux module
• Change default packages ensure to use the catalyst
• Update puppet requirement in metadata.json

• Mon Apr 17 2017 Nick Markowski nmarkowski@keywcorp.com - 2.1.0-0

• Fixed a bug wherein setenforce would run if selinux was disabled
• Changes in selinux state incur a reboot notification

• Tue Mar 28 2017 Nick Miller nick.miller@onyxpoint.com 2.0.2-0

• Defaulted selinux::ensure to the selinux catalyst for better control of selinux enforcement.

• Tue Dec 20 2016 Nick Miller nick.miller@onyxpoint.com 2.0.1-0

• Strongly typed module

• Mon Nov 21 2016 SIMP-Team https://groups.google.com/forum/#!forum/simp 2.0.0-0

• Updated module for compliance markup API v1.0.0 compatibility.

• Wed Aug 31 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 1.0.3-0

• Ensure that policycoreutils-python is only installed if not installed elsewhere. This deconflicts with various hotfixes that were needed in other modules.

• Tue Jun 21 2016 Nick Markowski nmarkowski@keywcorp.com - 1.0.2-0

• policycoreutils-python now installed by default.

• Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 1.0.1-0

• Removed custom type deprecation warning

• Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 1.0.0-5

• Added compliance function support

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-4

• Changed puppet-server requirement to puppet

• Sun May 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-3

• Rewrite the native type to properly handle all options.
• Remove incorrect use of !! in the selinux provider.

• Wed Apr 16 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-2

• Update to allow true/false as enable modes so that it can be removed from the sec module.

• Wed Apr 09 2014 Nick Markowski nmarkowski@keywcorp.com - 1.0.0-2

• Added a custom type to set the selinux mode. It autorequires all selboolean types. This replaces the selinux_enable execs in the init manifest.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com 1.0.0-1

• Updated all erb templates to properly scope variables.

• Fri May 03 2013 Trevor Vaughan tvaughan@onyxpoint.com 1.0.0-0

• First cut at an SELinux module.
• The only current functionality is to enable or disable SELinux on the running system in a sane manner.