Add SELinux support

voxpupuli · Jun 28, 2024 · 186e6a1 · 186e6a1
1 parent e0a41cd
commit 186e6a1
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 21 deletions.
diff --git a/manifests/feature.pp b/manifests/feature.pp
@@ -23,6 +23,7 @@
       ensure  => $_ensure,
       owner   => $user,
       group   => $group,
+      seluser => 'unconfined_u',
       target  => "../features-available/${feature}.conf",
       require => Concat["${conf_dir}/features-available/${feature}.conf"],
       notify  => Class['icinga2::service'],

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -85,10 +85,6 @@
 # @param manage_packages
 #   If set to false packages aren't managed.
 #
-# @param manage_selinux
-#   If set to true the icinga selinux package is installed. Requires a `selinux_package_name` (icinga2::globals)
-#   and `manage_packages` has to be set to true.
-#
 # @param manage_service
 #   If set to true the service is managed otherwise the service also
 #   isn't restarted if a config file changed.
@@ -118,7 +114,6 @@
   Boolean                    $enable          = true,
   Boolean                    $manage_repos    = false,
   Boolean                    $manage_packages = true,
-  Boolean                    $manage_selinux  = false,
   Boolean                    $manage_service  = true,
   Boolean                    $purge_features  = true,
   Hash                       $constants       = {},

diff --git a/manifests/install.pp b/manifests/install.pp
@@ -10,7 +10,6 @@
   $package_name         = $icinga2::globals::package_name
   $manage_packages      = $icinga2::manage_packages
   $selinux_package_name = $icinga2::globals::selinux_package_name
-  $manage_selinux       = $icinga2::manage_selinux
   $cert_dir             = $icinga2::globals::cert_dir
   $conf_dir             = $icinga2::globals::conf_dir
   $user                 = $icinga2::globals::user
@@ -24,17 +23,26 @@
       before => File[$cert_dir, $conf_dir],
     }
 
-    if str2bool($manage_selinux) and $selinux_package_name {
+    if $facts['os']['selinux']['enabled'] and $selinux_package_name {
       package { $selinux_package_name:
         ensure  => installed,
         require => Package[$package_name],
       }
     }
   }
 
-  file { [$conf_dir, $cert_dir]:
-    ensure => directory,
-    owner  => $user,
-    group  => $group,
+  file { 
+    default:
+      ensure => directory,
+      owner  => $user,
+      group  => $group,
+      mode   => '0750',
+    ;
+    $conf_dir:
+      seltype => 'icinga2_etc_t',
+    ;
+    $cert_dir:
+      seltype => 'icinga2_var_lib_t',
+    ;
   }
 }
diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb
@@ -51,16 +51,6 @@
         it { is_expected.not_to contain_package('icinga2').with({ 'ensure' => 'installed' }) }
       end
 
-      if facts[:os]['family'] == 'RedHat'
-        context 'with manage_selinux => true' do
-          let(:params) do
-            { manage_selinux: true }
-          end
-
-          it { is_expected.to contain_package('icinga2-selinux').with({ 'ensure' => 'installed' }) }
-        end
-      end
-
       context 'with confd => false' do
         let(:params) do
           { confd: false }