From 8d9d51df8ad48fb0e5cf2dd8b4d20a517b497b15 Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Tue, 12 Nov 2019 23:44:31 +0100 Subject: [PATCH 1/9] Add selinux support --- data/Linux-kernel.yaml | 1 + manifests/globals.pp | 4 ++++ manifests/init.pp | 4 ++++ manifests/install.pp | 9 +++++++++ 4 files changed, 18 insertions(+) diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index e6e88b929..81f464aed 100644 --- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml @@ -1,6 +1,7 @@ --- icinga2::globals::package_name: icinga2 icinga2::globals::service_name: icinga2 +icinga2::globals::selinux_name: icinga2-selinux icinga2::globals::service_reload: service icinga2 reload icinga2::globals::ido_mysql_package_name: icinga2-ido-mysql icinga2::globals::ido_mysql_schema: /usr/share/icinga2-ido-mysql/schema/mysql.sql diff --git a/manifests/globals.pp b/manifests/globals.pp index a27a268b1..c6c5dc4ad 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -11,6 +11,9 @@ # [*package_name*] # The name of the icinga package to manage. # +# [*selinux_name*] +# The name of the icinga selinux package. +# # [*service_name*] # The name of the icinga service to manage. # @@ -81,6 +84,7 @@ # class icinga2::globals( String $package_name, + String $selinux_name, String $service_name, String $ido_mysql_schema, String $ido_pgsql_schema, diff --git a/manifests/init.pp b/manifests/init.pp index f7a8d3f22..f52a3c4e7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,6 +19,9 @@ # [*manage_package*] # If set to false packages aren't managed. Defaults to true. # +# [*manage_selinux*] +# If set to true the icinga selinux package is installed. Defaults to false. +# # [*manage_service*] # If set to true the service is managed otherwise the service also # isn't restarted if a config file changed. Defaults to true. 
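Review bot: `String $selinux_name,` is added to the icinga2::globals parameter list with no default, while the only data that sets the key is `icinga2::globals::selinux_name: icinga2-selinux` in data/Linux-kernel.yaml, which presumably feeds every Linux host, so a platform whose data does not set the key (Windows, if it uses globals the same way) now fails the mandatory lookup for a package that only exists in the Icinga RedHat/EPEL repositories. Declare it as `Optional[String] $selinux_name = undef,` and keep the key in an os-family data file so the package name is only known where the package exists. The identical hunks are re-applied in PATCH 3/9; PATCH 8/9 and 9/9 move in this direction later in the series.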
@@ -144,6 +147,7 @@ Boolean $enable = true, Boolean $manage_repo = false, Boolean $manage_package = true, + Boolean $manage_selinux = false, Boolean $manage_service = true, Boolean $purge_features = true, Hash $constants = {}, diff --git a/manifests/install.pp b/manifests/install.pp index 179aa41a0..5e51decf5 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -18,6 +18,8 @@ $package_name = $::icinga2::globals::package_name $manage_package = $::icinga2::manage_package + $selinux_name = $::icinga2::globals::selinux_name + $manage_selinux = $::icinga2::manage_selinux $cert_dir = $::icinga2::globals::cert_dir $conf_dir = $::icinga2::globals::conf_dir $user = $::icinga2::globals::user @@ -30,6 +32,13 @@ ensure => installed, before => File[$cert_dir, $conf_dir], } + + if $manage_selinux { + package { $selinux_name: + ensure => installed, + after => [Package[$package_name], File[$cert_dir, $conf_dir]], + } + } } file { [$cert_dir, $conf_dir]: From 5b5a8d0d159603035b9fdf9351b2ad1290efd87f Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Fri, 15 Nov 2019 00:44:38 +0100 Subject: [PATCH 2/9] exec restorecon --- manifests/install.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/install.pp b/manifests/install.pp index 5e51decf5..8af8893c1 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -37,6 +37,9 @@ package { $selinux_name: ensure => installed, after => [Package[$package_name], File[$cert_dir, $conf_dir]], + } ~> + exec { '/usr/sbin/restorecon -R -F /var/lib/icinga2': + refreshonly => true } } } From f98ce68ebdbd13dfc923fffdb28e915637593b2b Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Tue, 12 Nov 2019 23:44:31 +0100 Subject: [PATCH 3/9] Add selinux support --- data/Linux-kernel.yaml | 1 + manifests/globals.pp | 4 ++++ manifests/init.pp | 4 ++++ manifests/install.pp | 9 +++++++++ 4 files changed, 18 insertions(+) diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index e6e88b929..81f464aed 100644 
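Review bot: `after => [Package[$package_name], File[$cert_dir, $conf_dir]],` in the new `package { $selinux_name: ... }` block of manifests/install.pp uses a metaparameter Puppet does not have, so with `manage_selinux => true` the catalog fails to compile with an invalid-parameter error instead of installing the policy package. The ordering wanted here is `require => Package[$package_name],`; if the policy package must also precede the directory resources, add `before => File[$cert_dir, $conf_dir],` as the base package already does. The enclosing `if $manage_package {` block begins before the hunk. The same hunk recurs in PATCH 3/9 and is only corrected in PATCH 7/9.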
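Review bot: `exec { '/usr/sbin/restorecon -R -F /var/lib/icinga2': refreshonly => true }` hard-codes a path the module otherwise takes from icinga2::globals and runs only on a refresh of the policy package, so a state directory created or changed before the policy arrived, or a host where `manage_selinux` is switched on after the package is already installed, is never relabelled. `-F` additionally resets contexts flagged as customizable, which can undo deliberate local labels. If the relabel is needed at all (a policy package's post-install scriptlet usually does it, and PATCH 5/9 removes this exec on that assumption), take the directory from a globals variable and also subscribe the exec to the directory resources. The enclosing `if $manage_selinux {` block begins before the hunk; the identical hunk recurs in PATCH 4/9.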
--- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml @@ -1,6 +1,7 @@ --- icinga2::globals::package_name: icinga2 icinga2::globals::service_name: icinga2 +icinga2::globals::selinux_name: icinga2-selinux icinga2::globals::service_reload: service icinga2 reload icinga2::globals::ido_mysql_package_name: icinga2-ido-mysql icinga2::globals::ido_mysql_schema: /usr/share/icinga2-ido-mysql/schema/mysql.sql diff --git a/manifests/globals.pp b/manifests/globals.pp index a27a268b1..c6c5dc4ad 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -11,6 +11,9 @@ # [*package_name*] # The name of the icinga package to manage. # +# [*selinux_name*] +# The name of the icinga selinux package. +# # [*service_name*] # The name of the icinga service to manage. # @@ -81,6 +84,7 @@ # class icinga2::globals( String $package_name, + String $selinux_name, String $service_name, String $ido_mysql_schema, String $ido_pgsql_schema, diff --git a/manifests/init.pp b/manifests/init.pp index f7a8d3f22..f52a3c4e7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,6 +19,9 @@ # [*manage_package*] # If set to false packages aren't managed. Defaults to true. # +# [*manage_selinux*] +# If set to true the icinga selinux package is installed. Defaults to false. +# # [*manage_service*] # If set to true the service is managed otherwise the service also # isn't restarted if a config file changed. Defaults to true. @@ -144,6 +147,7 @@ Boolean $enable = true, Boolean $manage_repo = false, Boolean $manage_package = true, + Boolean $manage_selinux = false, Boolean $manage_service = true, Boolean $purge_features = true, Hash $constants = {}, diff --git a/manifests/install.pp b/manifests/install.pp index 179aa41a0..5e51decf5 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -18,6 +18,8 @@ $package_name = $::icinga2::globals::package_name $manage_package = $::icinga2::manage_package + $selinux_name = $::icinga2::globals::selinux_name + $manage_selinux = $::icinga2::manage_selinux $cert_dir = $::icinga2::globals::cert_dir $conf_dir = $::icinga2::globals::conf_dir $user = $::icinga2::globals::user @@ -30,6 +32,13 @@ ensure => installed, before => File[$cert_dir, $conf_dir], } + + if $manage_selinux { + package { $selinux_name: + ensure => installed, + after => [Package[$package_name], File[$cert_dir, $conf_dir]], + } + } } file { [$cert_dir, $conf_dir]: From 65c0d924b27be7df4120f1f32678afec23cee44c Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Fri, 15 Nov 2019 00:44:38 +0100 Subject: [PATCH 4/9] exec restorecon --- manifests/install.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/install.pp b/manifests/install.pp index 5e51decf5..8af8893c1 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -37,6 +37,9 @@ package { $selinux_name: ensure => installed, after => [Package[$package_name], File[$cert_dir, $conf_dir]], + } ~> + exec { '/usr/sbin/restorecon -R -F /var/lib/icinga2': + refreshonly => true } } } From d5fde3d28d8909bcc6ecd7019c15d628d32dda3d Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Mon, 27 Jan 2020 23:19:34 +0100 Subject: [PATCH 5/9] Add hieradata for manage_selinux, remove oboslete exec for manage_selinux --- data/RedHat-family-7.yaml | 2 ++ data/RedHat-family-8.yaml | 2 ++ manifests/install.pp | 3 --- 3 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 data/RedHat-family-7.yaml create mode 100644 data/RedHat-family-8.yaml diff --git a/data/RedHat-family-7.yaml b/data/RedHat-family-7.yaml new file mode 100644 index 000000000..8aecdb859 --- /dev/null +++ b/data/RedHat-family-7.yaml @@ -0,0 +1,2 @@ +--- +icinga2::manage_selinux: %{facts.os.seliunx} diff --git a/data/RedHat-family-8.yaml b/data/RedHat-family-8.yaml new file mode 100644 index 000000000..8aecdb859 
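Review bot: `icinga2::manage_selinux: %{facts.os.seliunx}` in the new data/RedHat-family-7.yaml cannot work as written: the value is unquoted, so the leading `%` is read as a YAML directive indicator and the file fails to parse; the fact name is misspelled; and `facts.os.selinux` is a hash, so even the corrected interpolation yields the string form of the hash rather than a boolean. Hiera interpolation always produces a String, while init.pp declares `Boolean $manage_selinux`, so the value would also fail the parameter type check. The line wanted is `icinga2::manage_selinux: "%{facts.os.selinux.enabled}"` together with a parameter type on the Puppet side that accepts the string form. The same line in data/RedHat-family-8.yaml has the same problems; PATCH 6/9 and 7/9 fix the quoting, the key and the type.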
--- /dev/null +++ b/data/RedHat-family-8.yaml @@ -0,0 +1,2 @@ +--- +icinga2::manage_selinux: %{facts.os.seliunx} diff --git a/manifests/install.pp b/manifests/install.pp index 8af8893c1..5e51decf5 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -37,9 +37,6 @@ package { $selinux_name: ensure => installed, after => [Package[$package_name], File[$cert_dir, $conf_dir]], - } ~> - exec { '/usr/sbin/restorecon -R -F /var/lib/icinga2': - refreshonly => true } } } From 66749acc01b685c26bd0bc502853abdf2dc5e376 Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Mon, 27 Jan 2020 23:26:01 +0100 Subject: [PATCH 6/9] fix missing qoutes in Redhat hiera yaml --- data/RedHat-family-7.yaml | 2 +- data/RedHat-family-8.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/RedHat-family-7.yaml b/data/RedHat-family-7.yaml index 8aecdb859..181f71b78 100644 --- a/data/RedHat-family-7.yaml +++ b/data/RedHat-family-7.yaml @@ -1,2 +1,2 @@ --- -icinga2::manage_selinux: %{facts.os.seliunx} +icinga2::manage_selinux: "%{facts.os.seliunx}" diff --git a/data/RedHat-family-8.yaml b/data/RedHat-family-8.yaml index 8aecdb859..181f71b78 100644 --- a/data/RedHat-family-8.yaml +++ b/data/RedHat-family-8.yaml @@ -1,2 +1,2 @@ --- -icinga2::manage_selinux: %{facts.os.seliunx} +icinga2::manage_selinux: "%{facts.os.seliunx}" From dc6474539327bebaedcf0c488330e5fec869de66 Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Tue, 28 Jan 2020 00:17:21 +0100 Subject: [PATCH 7/9] facts only come as strings, maybe use an ENUM as datatype? fix typo in hieradata --- data/RedHat-family-7.yaml | 2 +- data/RedHat-family-8.yaml | 2 +- manifests/init.pp | 2 +- manifests/install.pp | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/data/RedHat-family-7.yaml b/data/RedHat-family-7.yaml index 181f71b78..d546e3922 100644 --- a/data/RedHat-family-7.yaml +++ b/data/RedHat-family-7.yaml 
@@ -1,2 +1,2 @@ --- -icinga2::manage_selinux: "%{facts.os.seliunx}" +icinga2::manage_selinux: "%{facts.os.selinux.enabled}" diff --git a/data/RedHat-family-8.yaml b/data/RedHat-family-8.yaml index 181f71b78..d546e3922 100644 --- a/data/RedHat-family-8.yaml +++ b/data/RedHat-family-8.yaml @@ -1,2 +1,2 @@ --- -icinga2::manage_selinux: "%{facts.os.seliunx}" +icinga2::manage_selinux: "%{facts.os.selinux.enabled}" diff --git a/manifests/init.pp b/manifests/init.pp index f52a3c4e7..d452bc52d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -147,7 +147,7 @@ Boolean $enable = true, Boolean $manage_repo = false, Boolean $manage_package = true, - Boolean $manage_selinux = false, + Variant[Boolean, String] $manage_selinux = false, Boolean $manage_service = true, Boolean $purge_features = true, Hash $constants = {}, diff --git a/manifests/install.pp b/manifests/install.pp index 5e51decf5..697169325 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -33,10 +33,10 @@ before => File[$cert_dir, $conf_dir], } - if $manage_selinux { + if str2bool($manage_selinux) { package { $selinux_name: - ensure => installed, - after => [Package[$package_name], File[$cert_dir, $conf_dir]], + ensure => installed, + require => Package[$package_name], } } } From c689ceacf46a4f75d6d3b3474caf30ac9ac4b781 Mon Sep 17 00:00:00 2001 From: Benjamin Akhras Date: Tue, 28 Jan 2020 00:32:06 +0100 Subject: [PATCH 8/9] selinux_name shouldn't be required --- manifests/globals.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/globals.pp b/manifests/globals.pp index c6c5dc4ad..2bfc82866 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -84,7 +84,6 @@ # class icinga2::globals( String $package_name, - String $selinux_name, String $service_name, String $ido_mysql_schema, String $ido_pgsql_schema, 
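Review bot: `Variant[Boolean, String] $manage_selinux = false,` accepts any string, and `str2bool()` in the manifests/install.pp hunk raises a parse error on strings it does not recognise, so a mis-set Hiera value surfaces as a compile failure deep in install.pp instead of a type error at the parameter. Since the only string inputs are the Hiera interpolation of the fact, tighten the type to `Variant[Boolean, Enum['true', 'false']] $manage_selinux = false,`, which documents the accepted forms and fails early with a clear message. The class icinga2 parameter list continues on both sides of the hunk.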
@@ -103,6 +102,7 @@ Optional[String] $ido_mysql_package_name = undef, Optional[String] $ido_pgsql_package_name = undef, Optional[String] $service_reload = undef, + Optional[String] $selinux_name = unde, ) { assert_private() From c71d295fe603e3096d2f277daa1bfe892cadc21f Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Fri, 21 Feb 2020 14:00:14 +0100 Subject: [PATCH 9/9] rework and add unit test pull request #602 from b3n4kh/selinux --- data/Linux-kernel.yaml | 1 - data/RedHat-family-5.yaml | 1 + data/RedHat-family-6.yaml | 1 + data/RedHat-family-7.yaml | 2 -- data/RedHat-family-8.yaml | 2 -- data/RedHat-family.yaml | 2 ++ manifests/globals.pp | 8 ++++---- manifests/init.pp | 3 ++- manifests/install.pp | 28 +++++++++++++++++----------- spec/classes/icinga2_spec.rb | 11 +++++++++++ 10 files changed, 38 insertions(+), 21 deletions(-) delete mode 100644 data/RedHat-family-7.yaml delete mode 100644 data/RedHat-family-8.yaml diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index 81f464aed..e6e88b929 100644 --- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml @@ -1,7 +1,6 @@ --- icinga2::globals::package_name: icinga2 icinga2::globals::service_name: icinga2 -icinga2::globals::selinux_name: icinga2-selinux icinga2::globals::service_reload: service icinga2 reload icinga2::globals::ido_mysql_package_name: icinga2-ido-mysql icinga2::globals::ido_mysql_schema: /usr/share/icinga2-ido-mysql/schema/mysql.sql diff --git a/data/RedHat-family-5.yaml b/data/RedHat-family-5.yaml index afd3e6388..bded087d0 100644 --- a/data/RedHat-family-5.yaml +++ b/data/RedHat-family-5.yaml @@ -1,2 +1,3 @@ --- icinga2::globals::icinga2_bin: /usr/sbin/icinga2 +icinga2::manage_selinux: false diff --git a/data/RedHat-family-6.yaml b/data/RedHat-family-6.yaml index afd3e6388..bded087d0 100644 --- a/data/RedHat-family-6.yaml +++ b/data/RedHat-family-6.yaml @@ -1,2 +1,3 @@ --- icinga2::globals::icinga2_bin: /usr/sbin/icinga2 +icinga2::manage_selinux: false 
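Review bot: `Optional[String] $selinux_name = unde,` sets the default to the bareword `unde`, which Puppet reads as the string 'unde' rather than `undef`, so on any platform whose data does not set the key the install manifest would declare `package { 'unde': ensure => installed }` as soon as `manage_selinux` is true. The line should read `Optional[String] $selinux_name = undef,`. The globals parameter list continues beyond the hunk; PATCH 9/9 replaces the parameter altogether.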
diff --git a/data/RedHat-family-7.yaml b/data/RedHat-family-7.yaml deleted file mode 100644 index d546e3922..000000000 --- a/data/RedHat-family-7.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -icinga2::manage_selinux: "%{facts.os.selinux.enabled}" diff --git a/data/RedHat-family-8.yaml b/data/RedHat-family-8.yaml deleted file mode 100644 index d546e3922..000000000 --- a/data/RedHat-family-8.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -icinga2::manage_selinux: "%{facts.os.selinux.enabled}" diff --git a/data/RedHat-family.yaml b/data/RedHat-family.yaml index 370ca34a8..374e3ee30 100644 --- a/data/RedHat-family.yaml +++ b/data/RedHat-family.yaml @@ -2,9 +2,11 @@ icinga2::globals::user: icinga icinga2::globals::group: icinga icinga2::globals::icinga2_bin: /sbin/icinga2 +icinga2::globals::selinux_package_name: icinga2-selinux icinga2::repo: baseurl: 'http://packages.icinga.com/epel/%{facts.os.release.major}/release/' descr: ICINGA (stable release for epel) enabled: 1 gpgcheck: 1 gpgkey: http://packages.icinga.com/icinga.key +icinga2::manage_selinux: "%{facts.os.selinux.enabled}" diff --git a/manifests/globals.pp b/manifests/globals.pp index 2bfc82866..f7032d993 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -11,9 +11,6 @@ # [*package_name*] # The name of the icinga package to manage. # -# [*selinux_name*] -# The name of the icinga selinux package. -# # [*service_name*] # The name of the icinga service to manage. # @@ -27,6 +24,9 @@ # CAUTION: This does not manage the group context for the runnig icinga 2 process! # The parameter is only used for group membership of files or directories. # +# [*selinux_package_name*] +# The name of the icinga selinux package. +# # [*ido_mysql_package_name*] # The name of the icinga package that's needed for MySQL. # 
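Review bot: `icinga2::manage_selinux: "%{facts.os.selinux.enabled}"` in data/RedHat-family.yaml keys the default on `enabled`, while the init.pp documentation hunk of this same patch says the RedHat default is `facts.os.selinux.enforcing`; the two differ on a permissive-mode host, so one of them is wrong. `enabled` is the better default, since the policy package should already be in place before an administrator switches to enforcing, so the doc line should say `facts.os.selinux.enabled` instead. On a host without libselinux the fact is absent and the interpolation yields an empty string; confirm that the pinned stdlib `str2bool('')` resolves to false, otherwise the lookup needs an explicit default.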
@@ -99,10 +99,10 @@ Array[String] $reserved, Optional[String] $user = undef, Optional[String] $group = undef, + Optional[String] $selinux_package_name = undef, Optional[String] $ido_mysql_package_name = undef, Optional[String] $ido_pgsql_package_name = undef, Optional[String] $service_reload = undef, - Optional[String] $selinux_name = unde, ) { assert_private() diff --git a/manifests/init.pp b/manifests/init.pp index d452bc52d..d194f254b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,7 +20,8 @@ # If set to false packages aren't managed. Defaults to true. # # [*manage_selinux*] -# If set to true the icinga selinux package is installed. Defaults to false. +# If set to true the icinga selinux package is installed. Default on RedHat family is `facts.os.selinux.enforcing` +# otherwise set to false. Requires a `selinux_package_name` (icinga2::globals) and `manage_package` has to be set to true. # # [*manage_service*] # If set to true the service is managed otherwise the service also diff --git a/manifests/install.pp b/manifests/install.pp index 697169325..ffb569d95 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -16,14 +16,14 @@ assert_private() - $package_name = $::icinga2::globals::package_name - $manage_package = $::icinga2::manage_package - $selinux_name = $::icinga2::globals::selinux_name - $manage_selinux = $::icinga2::manage_selinux - $cert_dir = $::icinga2::globals::cert_dir - $conf_dir = $::icinga2::globals::conf_dir - $user = $::icinga2::globals::user - $group = $::icinga2::globals::group + $package_name = $::icinga2::globals::package_name + $manage_package = $::icinga2::manage_package + $selinux_package_name = $::icinga2::globals::selinux_package_name + $manage_selinux = $::icinga2::manage_selinux + $cert_dir = $::icinga2::globals::cert_dir + $conf_dir = $::icinga2::globals::conf_dir + $user = $::icinga2::globals::user + $group = $::icinga2::globals::group if $manage_package { if $::osfamily == 'windows' { Package { provider => chocolatey, } } @@ -33,15 +33,21 @@ before => File[$cert_dir, $conf_dir], } - if str2bool($manage_selinux) { - package { $selinux_name: + if str2bool($manage_selinux) and $selinux_package_name { + package { $selinux_package_name: ensure => installed, require => Package[$package_name], } } } - file { [$cert_dir, $conf_dir]: + file { [$conf_dir]: + ensure => directory, + owner => $user, + group => $group, + } + + file { [$cert_dir]: ensure => directory, owner => $user, group => $group, diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb index daaebf675..e646e2bc0 100644 --- a/spec/classes/icinga2_spec.rb +++ b/spec/classes/icinga2_spec.rb @@ -59,6 +59,17 @@ it { should_not contain_package('icinga2').with({ 'ensure' => 'installed' }) } end + context "with manage_selinux => true" do + let(:params) do + {:manage_selinux => true} + end + + case facts[:osfamily] + when 'RedHat' + it { should contain_package('icinga2-selinux').with({ 'ensure' => 'installed' }) } + end + end + context "with confd => false" do let(:params) do {:confd => false}
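Review bot: The new `file { [$conf_dir]: ... }` and `file { [$cert_dir]: ... }` resources are declared with identical attributes, so splitting the former `file { [$cert_dir, $conf_dir]: ... }` has no visible effect; if the split prepares cert_dir for SELinux-specific attributes later (a `seltype`, presumably), a comment such as `# cert_dir is declared separately so it can carry SELinux file attributes` would stop the next reader from folding them back together. `if str2bool($manage_selinux) and $selinux_package_name {` also silently skips the policy package when the name is unset on a host where SELinux is enabled; a `notice()` in an else branch would make that visible in the agent log. The enclosing `if $manage_package {` block and the trailing file resource continue outside the hunk.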
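Review bot: The new `context "with manage_selinux => true"` asserts only the positive case on RedHat; there is no example that `icinga2-selinux` is absent on other families (where `selinux_package_name` is unset), with `manage_selinux => false`, or with `manage_package => false`, which is exactly what the `str2bool($manage_selinux) and $selinux_package_name` guard in install.pp is meant to provide. An `else` branch on `case facts[:osfamily]` with `it { should_not contain_package('icinga2-selinux') }` covers the first, and a sibling context for `manage_package => false` the last. The string default path `"%{facts.os.selinux.enabled}"` is also untested because the parameter is passed explicitly; a context without the param and with `facts[:os]['selinux']['enabled']` set would exercise the str2bool conversion.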