[FEATURE REQUEST] selinux.install_semod / selinux.module_install should accept type enforcement files and policy module files in addition to policy package files

[ggiesen]

Is your feature request related to a problem? Please describe.
salt.states.selinux.module_install (state) and selinux.install_semod (execution module) currently accept only policy packages (.pp) files. However, since these are binary, non-human-readable files, they aren't useful for version-controlling. If the user wants to be able to version control the text, human-readable files (type enforcement - .te) files, it's then left up to the user to compile them and install them.

Describe the solution you'd like
Ideally, salt.states.selinux.module_install and salt.states.selinux.module_install could optionally be fed a type enforcement file (.te) or a policy module file (.mod) and the module would be automatically compiled/packaged before being installed. I'd imagine the simplest state for this would look like:

example_state:
  selinux.module_install:
    - name: [salt://]path/to/module.te
    - type: te

And example of execution module usage:

salt '*' selinux.install_semod [salt://]path/to/module.te type=te

Describe alternatives you've considered
The alternative is manually copy the files to the minion, and manually compile the states before using the selinux.module_install state to install it:

# Copy the type enforcement file to the minion
file_/tmp/module.te:
  file.managed:
    - name: /tmp/module.te
    - source: [salt://]path/to/module.te
    - user: root
    - group: root
    - mode: "0640"

# Compile the TE file to a policy module
cmd_checkmodule_/tmp/module.te:
  cmd.run:
    - name: checkmodule -M -m -o /tmp/module.mod /tmp/module.te
    - require:
        - file_/tmp/module.te

# Package the policy module into a policy package
cmd_semodule_package_/tmp/module.mod:
  cmd.run:
    - name: semodule_package -o /tmp/module.pp -m /tmp/module.mod
    - require:
        - cmd_checkmodule_/tmp/module.te

# Install the policy package:
selinux_module_module:
  selinux.module_install:
    - name: /tmp/module.pp
    - require: 
        - cmd_semodule_package_/tmp/module.mod

# Clean up the type enforcement file
file_absent_/tmp/module.te:
  file.absent:
    - name: /tmp/module.te

# Clean up the policy module file
file_absent_/tmp/module.mod:
  file.absent:
    - name: /tmp/module.mod

# Clean up the policy package file
file_absent_/tmp/module.pp:
  file.absent:
    - name: /tmp/module.pp

Or wrapping the above in a shell script. But either way you end up with a minimum of 2 states to do what should really be accomplished in one.

[garethgreenaway]

@ggiesen Thanks for the report. The best path forward for this feature request would be for the selinux module to be moved out to a salt extension and this feature added to that extension.

[b-a-t]

We ended up writing a macro to wrap this sequence into something reusable.

{%- macro compile(modulename, policy, ver="1.0.0") %}
# where to store local SE policy files
{%- set policy_home='/etc/selinux/local' %}

{{ modulename }}-te:
  file.managed:  # create type enforcement file ('te')
    - name: "{{ policy_home }}/src/{{ modulename }}.te"
    - contents: |
        module {{ modulename }} {{ ver }};  # Change ver when things change

        {{ policy | indent(width=8) }}
    - makedirs: True
    - mode: 0444
    - user: root
    - group: root

# Convert the .te into a policy module (.mod)
# only needs to run when the '.te' has changed!
{{ modulename }}-mod:
  cmd.run:
    - name: checkmodule -M -m -o {{ policy_home }}/policies/{{ modulename }}.mod {{ policy_home }}/src/{{ modulename }}.te
    - cwd: {{ policy_home }}
    - onchanges:
      - file: {{ modulename }}-te

# Compile the .mod into a policy package (.pp)
# below ONLY works when:
# - both .te and .mod do not exist
# - .te is changed (with/without .mod is irrelevant)
# below does NOT work when:
# - .te is not changed, which is as expected = good
{{ modulename }}-pp:
  cmd.run:
    - name: semodule_package -m {{ policy_home }}/policies/{{ modulename }}.mod -o {{ policy_home }}/policies/{{ modulename }}.pp
    - cwd: {{ policy_home }}
    - onchanges:
      - file: {{ modulename }}-te

# Load the new/updated policy
{{ modulename }}-load:
  selinux.module:
    - name: {{ modulename }}
    - source: "{{ policy_home }}/policies/{{ modulename }}.pp"
    - module_state: Enabled
    - install: True
    
    - onchanges:
      - file: {{ modulename }}-te

{%- endmacro %}

[bdrx312]

Is there a good way to write a macro like this for the py or pyobjects renderer? Being able to have reusable components like that can be used without having to use jinja and yaml would be nice for creating robust formulas.