From 186e6a1c4e1667a896f64c86dd0c33f1bca95424 Mon Sep 17 00:00:00 2001
From: Lennart Betz
Date: Fri, 28 Jun 2024 16:41:59 +0200
Subject: [PATCH] Add SELinux support
---
 manifests/feature.pp | 1 +
 manifests/init.pp | 5 -----
 manifests/install.pp | 20 ++++++++++++++------
 spec/classes/icinga2_spec.rb | 10 ----------
 4 files changed, 15 insertions(+), 21 deletions(-)
diff --git a/manifests/feature.pp b/manifests/feature.pp
index 953a76fb..11c78738 100644
--- a/manifests/feature.pp
+++ b/manifests/feature.pp
@@ -23,6 +23,7 @@
 ensure => $_ensure,
 owner => $user,
 group => $group,
+ seluser => 'unconfined_u',
 target => "../features-available/${feature}.conf",
 require => Concat["${conf_dir}/features-available/${feature}.conf"],
 notify => Class['icinga2::service'],
diff --git a/manifests/init.pp b/manifests/init.pp
index d2682562..c04a3ee8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -85,10 +85,6 @@
 # @param manage_packages
 # If set to false packages aren't managed.
 #
-# @param manage_selinux
-# If set to true the icinga selinux package is installed. Requires a `selinux_package_name` (icinga2::globals)
-# and `manage_packages` has to be set to true.
-#
 # @param manage_service
 # If set to true the service is managed otherwise the service also
 # isn't restarted if a config file changed.
@@ -118,7 +114,6 @@
 Boolean $enable = true,
 Boolean $manage_repos = false,
 Boolean $manage_packages = true,
- Boolean $manage_selinux = false,
 Boolean $manage_service = true,
 Boolean $purge_features = true,
 Hash $constants = {},
diff --git a/manifests/install.pp b/manifests/install.pp
index 4924e8a3..70c1326d 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
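Review bot: The added `seluser => 'unconfined_u'` on the feature symlink is hard-coded, and nothing in the hunk says why this resource overrides the SELinux user that the loaded policy's file contexts would otherwise supply. Under a policy that does not define `unconfined_u` (an MLS or strict policy, for instance) the label presumably cannot be applied, so the value should either come from a parameter or carry a one-line comment above it of the form `# seluser is pinned to unconfined_u because <reason>`. The enclosing `file` resource starts and ends outside the hunk, so whether a `seltype` is set elsewhere on it is not visible here.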
@@ -10,7 +10,6 @@
 $package_name = $icinga2::globals::package_name
 $manage_packages = $icinga2::manage_packages
 $selinux_package_name = $icinga2::globals::selinux_package_name
- $manage_selinux = $icinga2::manage_selinux
 $cert_dir = $icinga2::globals::cert_dir
 $conf_dir = $icinga2::globals::conf_dir
 $user = $icinga2::globals::user
@@ -24,7 +23,7 @@
 before => File[$cert_dir, $conf_dir],
 }
- if str2bool($manage_selinux) and $selinux_package_name {
+ if $facts['os']['selinux']['enabled'] and $selinux_package_name {
 package { $selinux_package_name:
 ensure => installed,
 require => Package[$package_name],
@@ -32,9 +31,18 @@
 }
 }
- file { [$conf_dir, $cert_dir]:
- ensure => directory,
- owner => $user,
- group => $group,
+ file {
+ default:
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ mode => '0750',
+ ;
+ $conf_dir:
+ seltype => 'icinga2_etc_t',
+ ;
+ $cert_dir:
+ seltype => 'icinga2_var_lib_t',
+ ;
 }
 }
diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb
index 6c6f6b58..a555d2fa 100644
--- a/spec/classes/icinga2_spec.rb
+++ b/spec/classes/icinga2_spec.rb
@@ -51,16 +51,6 @@
 it { is_expected.not_to contain_package('icinga2').with({ 'ensure' => 'installed' }) }
 end
- if facts[:os]['family'] == 'RedHat'
- context 'with manage_selinux => true' do
- let(:params) do
- { manage_selinux: true }
- end
-
- it { is_expected.to contain_package('icinga2-selinux').with({ 'ensure' => 'installed' }) }
- end
- end
-
 context 'with confd => false' do
 let(:params) do
 { confd: false }
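Review bot: The new condition `$facts['os']['selinux']['enabled']` indexes into `$facts['os']['selinux']` without checking that it exists; on a platform whose facts carry no `os.selinux` entry the lookup is applied to undef and catalog compilation fails instead of skipping the block. `if $facts.dig('os', 'selinux', 'enabled') and $selinux_package_name {` yields undef there and behaves the same on SELinux hosts. With the `manage_selinux` switch gone the block is now entered automatically, and `require => Package[$package_name]` still points at a resource that, going by the removed parameter documentation, exists only when `manage_packages` is true, so the condition probably needs `$manage_packages` as well. The spec that covered this package was deleted without a fact-driven replacement. The enclosing class body starts and ends outside the hunk.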
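Review bot: The `seltype` values `icinga2_etc_t` and `icinga2_var_lib_t` are set on `$conf_dir` and `$cert_dir` unconditionally, while the package that presumably ships those types is installed only inside the `if` above and only when `$selinux_package_name` is set. On an SELinux-enabled host without that policy module, or if the directories are managed before the package, the label cannot be applied; nothing visible orders the policy package before these two `file` resources (one attribute line of that package resource lies between the hunks and is not shown). Adding `before => File[$conf_dir, $cert_dir],` to the SELinux package and setting `seltype` only when that package is managed would close the gap. The new `mode => '0750'` is also a behaviour change that the commit subject does not mention and deserves a line in the description or changelog.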