diff --git a/REFERENCE.md b/REFERENCE.md index af6bfa7c..76e38110 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -248,8 +248,8 @@ Default value: `true` Data type: `Boolean` -If set to true the icinga selinux package is installed. Requires a `selinux_package_name` (icinga2::globals) -and `manage_packages` has to be set to true. +If set to true the icinga selinux package is installed if selinux is enabled. Also requires a +`selinux_package_name` (icinga2::globals) and `manage_packages` has to be set to true. Default value: `false` diff --git a/manifests/config.pp b/manifests/config.pp index 58c01af3..250b28ff 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -24,9 +24,10 @@ } File { - owner => $user, - group => $group, - mode => $file_permissions, + owner => $user, + group => $group, + mode => $file_permissions, + seltype => 'icinga2_etc_t', } file { "${conf_dir}/constants.conf": diff --git a/manifests/config/fragment.pp b/manifests/config/fragment.pp index 287389ba..a09b35bc 100644 --- a/manifests/config/fragment.pp +++ b/manifests/config/fragment.pp @@ -52,9 +52,10 @@ ) { if $facts['os']['family'] != 'windows' { Concat { - owner => $icinga2::globals::user, - group => $icinga2::globals::group, - mode => '0640', + owner => $icinga2::globals::user, + group => $icinga2::globals::group, + seltype => 'icinga2_etc_t', + mode => '0640', } } diff --git a/manifests/feature.pp b/manifests/feature.pp index 953a76fb..822d307a 100644 --- a/manifests/feature.pp +++ b/manifests/feature.pp @@ -23,6 +23,8 @@ ensure => $_ensure, owner => $user, group => $group, + seluser => 'unconfined_u', + seltype => 'icinga2_etc_t', target => "../features-available/${feature}.conf", require => Concat["${conf_dir}/features-available/${feature}.conf"], notify => Class['icinga2::service'], diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp index 0a193712..d9da29e4 100644 --- a/manifests/feature/api.pp +++ b/manifests/feature/api.pp 
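Review bot: The `seluser => 'unconfined_u'` added to the features-enabled symlink in manifests/feature.pp is the only place in this commit that pins the SELinux user; every other resource (config.pp, fragment.pp, api.pp, pki/ca.pp) sets just `seltype` and leaves the user to the default context, which for files written by a system service is normally `system_u`. Nothing in the hunk explains why this link should carry `unconfined_u`, and if the policy's file contexts default it to `system_u`, `restorecon` and Puppet will keep relabelling it in opposite directions. If the user really must be pinned, it needs a why-comment such as `# seluser unconfined_u: <reason — TODO fill in>, required by the icinga2-selinux file contexts`; otherwise dropping that line and keeping `seltype` alone is the consistent choice. The enclosing file resource starts before this hunk.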
@@ -185,25 +185,27 @@ # cert directory must exists and icinga binary is required for icinga2 pki require icinga2::install - $icinga2_bin = $icinga2::globals::icinga2_bin - $conf_dir = $icinga2::globals::conf_dir - $cert_dir = $icinga2::globals::cert_dir - $ca_dir = $icinga2::globals::ca_dir - $user = $icinga2::globals::user - $group = $icinga2::globals::group - $node_name = $icinga2::_constants['NodeName'] - $_ssl_key_mode = $facts['os']['family'] ? { + $icinga2_bin = $icinga2::globals::icinga2_bin + $manage_selinux = $icinga2::_selinux + $conf_dir = $icinga2::globals::conf_dir + $cert_dir = $icinga2::globals::cert_dir + $ca_dir = $icinga2::globals::ca_dir + $user = $icinga2::globals::user + $group = $icinga2::globals::group + $node_name = $icinga2::_constants['NodeName'] + $_ssl_key_mode = $facts['os']['family'] ? { 'windows' => undef, default => '0600', } - $_notify = $ensure ? { + $_notify = $ensure ? { 'present' => Class['icinga2::service'], default => undef, } File { - owner => $user, - group => $group, + owner => $user, + group => $group, + seltype => 'icinga2_var_lib_t', } # Set defaults for certificate stuff 
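Review bot: Eight untouched assignments from `$icinga2_bin` down to `$_notify` are rewritten only to realign the `=` column after `$manage_selinux` was inserted, so the functional change in this hunk (the new variable and `seltype => 'icinga2_var_lib_t'` in the `File {}` default) is buried in whitespace noise and `git blame` on those lines now points at a SELinux commit. The same realignment-only churn appears in config.pp, fragment.pp, object.pp, query_objects.pp and pki/ca.pp. Either keep the alignment of the existing block and add the new line without reformatting, or split the reformatting into its own commit. A short comment on the default, `# cert files under ${cert_dir} must carry the var_lib type for icinga2 to read them`, would also explain why this feature uses a different type than the config defaults.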
@@ -357,6 +359,22 @@ create_resources('icinga2::object::endpoint', $endpoints) create_resources('icinga2::object::zone', $zones) + if $manage_selinux and $bind_port { + # if port is free + exec { "Add port ${bind_port} for icinga2_port_t": + command => ['/usr/sbin/semanage', 'port', '-a', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], + unless => "/usr/sbin/semanage port -l | grep -qw '\\s${bind_port}'", + before => Icinga2::Object['icinga2::object::ApiListener::api'], + } + + # if port is also used by another app + exec { "Add available port ${bind_port} also for icinga2_port_t": + command => ['/usr/sbin/semanage', 'port', '-m', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], + onlyif => "/usr/sbin/semanage port -l | grep -wv '^icinga2_port_t' | grep -wq '\s${bind_port}'", + before => Icinga2::Object['icinga2::object::ApiListener::api'], + } + } + # create object icinga2::object { 'icinga2::object::ApiListener::api': object_name => 'api', diff --git a/manifests/feature/elasticsearch.pp b/manifests/feature/elasticsearch.pp index 8b40e241..1880424d 100644 --- a/manifests/feature/elasticsearch.pp +++ b/manifests/feature/elasticsearch.pp @@ -103,11 +103,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'ElasticsearchWriter_elasticsearch', diff --git a/manifests/feature/gelf.pp b/manifests/feature/gelf.pp index 996a50e6..5d0e2073 100644 --- a/manifests/feature/gelf.pp +++ b/manifests/feature/gelf.pp @@ -73,11 +73,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'GelfWriter_gelf', diff --git a/manifests/feature/icingadb.pp b/manifests/feature/icingadb.pp index ed4c3cdd..109b9843 100644 --- a/manifests/feature/icingadb.pp +++ b/manifests/feature/icingadb.pp 
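Review bot: The `onlyif` of the second exec writes the grep pattern as `'\s${bind_port}'` while the `unless` above it uses `'\\s${bind_port}'`; inside a Puppet double-quoted string `\s` is an unrecognized escape sequence, so the compiler warns on every run even though the backslash is preserved — both should read `'\\s${bind_port}'`. Both guard commands also assume `/usr/sbin/semanage` exists, and nothing visible in this hunk or in the `require icinga2::install` above ensures the package providing it, so on a minimal host the guard itself fails and the exec errors out; a `require` on that package, or at least a comment naming the dependency, belongs here. The `command` arrays keep `$bind_port` out of a shell, but the `unless`/`onlyif` strings do interpolate it into `grep`, so they rely on the parameter being a validated port number — worth stating in a comment. Finally, if `semanage port -l` keeps listing the port under its original type after the `-m` modify, the `onlyif` stays true and the second exec reruns on every agent run; idempotency should be confirmed on a host where the port already belongs to another type.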
@@ -108,15 +108,13 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $env_id { file { "${data_dir}/icingadb.env": ensure => file, + owner => $owner, + group => $group, mode => '0600', + seltype => 'icinga2_etc_t', content => sprintf('"%s"', unwrap($env_id)), show_diff => false, tag => 'icinga2::config::file', diff --git a/manifests/feature/idomysql.pp b/manifests/feature/idomysql.pp index 2d281502..e1246a14 100644 --- a/manifests/feature/idomysql.pp +++ b/manifests/feature/idomysql.pp @@ -142,11 +142,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'IdoMysqlConnection_ido-mysql', diff --git a/manifests/feature/idopgsql.pp b/manifests/feature/idopgsql.pp index 74773169..541b1ae7 100644 --- a/manifests/feature/idopgsql.pp +++ b/manifests/feature/idopgsql.pp @@ -128,11 +128,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'IdoPgsqlConnection_ido-pgsql', diff --git a/manifests/feature/influxdb.pp b/manifests/feature/influxdb.pp index 57cf5468..a95c9e76 100644 --- a/manifests/feature/influxdb.pp +++ b/manifests/feature/influxdb.pp @@ -139,11 +139,6 @@ undef } - File { - owner => $owner, - group => $group, - } - $host_template = { measurement => $host_measurement, tags => $host_tags } $service_template = { measurement => $service_measurement, tags => $service_tags } diff --git a/manifests/feature/influxdb2.pp b/manifests/feature/influxdb2.pp index 1482a585..ba8ab890 100644 --- a/manifests/feature/influxdb2.pp +++ b/manifests/feature/influxdb2.pp @@ -117,11 +117,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - $host_template = { measurement => $host_measurement, tags => $host_tags } $service_template = { measurement => $service_measurement, tags => $service_tags } diff --git a/manifests/init.pp b/manifests/init.pp index d2682562..0d17c9a3 100644 
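Review bot: The env file under `${data_dir}` is labelled `seltype => 'icinga2_etc_t'`, while elsewhere in this commit `$cert_dir` and the api feature's files get `icinga2_var_lib_t`; if `$data_dir` resolves under the var/lib tree, the policy's file contexts will presumably assign the var_lib type and a `restorecon` would undo Puppet's label — confirm against the icinga2-selinux file contexts and, if `etc_t` is intended, add a one-line comment such as `# icinga2_etc_t: <reason — TODO confirm against policy>`. Removing the class-wide `File {}` default also strips owner/group from any other file resource this class declares; only the env file picks them up in this hunk. The same default is removed in elasticsearch.pp, gelf.pp, idomysql.pp, idopgsql.pp, influxdb.pp and influxdb2.pp, where the `icinga::cert::files` call directly below the removed block is visible — check whether the files it feeds relied on that default.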
--- a/manifests/init.pp +++ b/manifests/init.pp @@ -86,8 +86,8 @@ # If set to false packages aren't managed. # # @param manage_selinux -# If set to true the icinga selinux package is installed. Requires a `selinux_package_name` (icinga2::globals) -# and `manage_packages` has to be set to true. +# If set to true the icinga selinux package is installed if selinux is enabled. Also requires a +# `selinux_package_name` (icinga2::globals) and `manage_packages` has to be set to true. # # @param manage_service # If set to true the service is managed otherwise the service also @@ -126,6 +126,15 @@ ) { require icinga2::globals + $selinux_package_name = $icinga2::globals::selinux_package_name + + # check selinux + $_selinux = if fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name { + $manage_selinux + } else { + false + } + # load reserved words $_reserved = $icinga2::globals::reserved diff --git a/manifests/install.pp b/manifests/install.pp index 4924e8a3..577ec2ed 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -9,8 +9,8 @@ $package_name = $icinga2::globals::package_name $manage_packages = $icinga2::manage_packages + $manage_selinux = $icinga2::_selinux $selinux_package_name = $icinga2::globals::selinux_package_name - $manage_selinux = $icinga2::manage_selinux $cert_dir = $icinga2::globals::cert_dir $conf_dir = $icinga2::globals::conf_dir $user = $icinga2::globals::user @@ -24,7 +24,7 @@ before => File[$cert_dir, $conf_dir], } - if str2bool($manage_selinux) and $selinux_package_name { + if $manage_selinux { package { $selinux_package_name: ensure => installed, require => Package[$package_name], @@ -32,9 +32,18 @@ } } - file { [$conf_dir, $cert_dir]: - ensure => directory, - owner => $user, - group => $group, + file { + default: + ensure => directory, + owner => $user, + group => $group, + mode => '0750', + ; + $conf_dir: + seltype => 'icinga2_etc_t', + ; + $cert_dir: + seltype => 'icinga2_var_lib_t', + ; } } 
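Review bot: The condition `fact('os.selinux.enabled') and $facts['os']['selinux']['enabled']` in manifests/init.pp tests the same fact twice; `fact()` already yields undef for a missing path, so `$_selinux = if fact('os.selinux.enabled') and $selinux_package_name {` is sufficient. More important is the silent downgrade: with SELinux disabled or no `selinux_package_name`, a caller's `manage_selinux => true` becomes false and the operator gets no signal that the selinux package and port labelling were skipped. Emitting a warning in the else branch, `if $manage_selinux { warning('manage_selinux is true but SELinux is disabled or selinux_package_name is unset; skipping') }`, makes the decision visible in the agent log. A comment above the expression stating that `$_selinux` is the effective value read by `icinga2::install` and `icinga2::feature::api` would also help, since those classes depend on it.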
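Review bot: `mode => '0750'` in the new `default:` block of manifests/install.pp is a behaviour change for both `$conf_dir` and `$cert_dir`, which previously had no managed mode, and it is not mentioned in the REFERENCE.md or init.pp documentation updated in this same commit. Puppet treats a four-digit mode as the complete permission set, so `'0750'` also clears a setgid bit if the distribution package ships the config directory with one; if group inheritance for newly created files is wanted there, `'2750'` (or leaving mode unmanaged on `$conf_dir`) should be the deliberate choice. Tightening these directories is the right direction; it just needs a line in the docs and a comment here, e.g. `# 0750: config and cert directories readable by the icinga group only`.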
diff --git a/manifests/object.pp b/manifests/object.pp index e3d238e1..41208867 100644 --- a/manifests/object.pp +++ b/manifests/object.pp @@ -72,9 +72,10 @@ } # windows default: { Concat { - owner => $icinga2::globals::user, - group => $icinga2::globals::group, - mode => '0640', + owner => $icinga2::globals::user, + group => $icinga2::globals::group, + seltype => 'icinga2_etc_t', + mode => '0640', } } # default } diff --git a/manifests/pki/ca.pp b/manifests/pki/ca.pp index fc89412d..2e842d8d 100644 --- a/manifests/pki/ca.pp +++ b/manifests/pki/ca.pp @@ -39,8 +39,9 @@ $_ssl_cacert_path = "${cert_dir}/ca.crt" File { - owner => $user, - group => $group, + owner => $user, + group => $group, + seltype => 'icinga2_var_lib_t', } if $::facts['os']['family'] != 'windows' { diff --git a/manifests/query_objects.pp b/manifests/query_objects.pp index d5002768..1a11c0e8 100644 --- a/manifests/query_objects.pp +++ b/manifests/query_objects.pp @@ -22,9 +22,10 @@ } # windows default: { Concat { - owner => $icinga2::globals::user, - group => $icinga2::globals::group, - mode => '0640', + owner => $icinga2::globals::user, + group => $icinga2::globals::group, + seltype => 'icinga2_etc_t', + mode => '0640', } } # default } diff --git a/spec/classes/api_spec.rb b/spec/classes/api_spec.rb index 37e3304a..11ccc3c7 100644 --- a/spec/classes/api_spec.rb +++ b/spec/classes/api_spec.rb @@ -72,6 +72,24 @@ end end + if facts[:os]['family'] == 'RedHat' + context 'with icinga2::manage_selinux => true, bind_port => 1234' do + let(:pre_condition) do + [ + "class { 'icinga2': manage_selinux => true, features => [], constants => {'NodeName' => 'host.example.org'} }", + ] + end + + let(:params) do + { + bind_port: 1234, + } + end + + it { is_expected.to contain_exec('Add port 1234 for icinga2_port_t') } + end + end + context "with pki => 'puppet'" do let(:params) do { diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb index 6c6f6b58..fb594e42 100644 
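Review bot: The new RedHat context in spec/classes/api_spec.rb asserts `contain_exec('Add port 1234 for icinga2_port_t')` but never sets `os.selinux.enabled`, so it passes only when the default fact set for that OS happens to report SELinux enabled; the sibling spec in icinga2_spec.rb merges `selinux: { enabled: true }` explicitly for the same reason. Add an equivalent override here, `let(:facts) { f = super(); f.merge(os: f[:os].merge('selinux' => { 'enabled' => true })) }`, so the path is exercised deliberately rather than by fact-set luck. A negative context with `'enabled' => false` asserting `is_expected.not_to contain_exec(...)` would also cover the new `if $manage_selinux and $bind_port` guard in api.pp.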
--- a/spec/classes/icinga2_spec.rb +++ b/spec/classes/icinga2_spec.rb @@ -18,6 +18,7 @@ context 'with defaults' do it { is_expected.to contain_package('icinga2').with({ 'ensure' => 'installed' }) } + it { is_expected.not_to contain_package('icinga2-selinux') } it { is_expected.to contain_service('icinga2').with( @@ -43,22 +44,38 @@ it { is_expected.to contain_icinga2__feature('notification').with({ 'ensure' => 'present' }) } end - context 'with manage_packages => false' do - let(:params) do - { manage_packages: false } + if facts[:os]['family'] == 'RedHat' + context 'with manage_selinux => true, fact os.selinux.enabled => true' do + let(:facts) do + super().merge({ os: { family: 'RedHat', selinux: { enabled: true } } }) + end + + let(:params) do + { manage_selinux: true } + end + + it { is_expected.to contain_package('icinga2-selinux') } end - it { is_expected.not_to contain_package('icinga2').with({ 'ensure' => 'installed' }) } - end + context 'with manage_selinux => true, fact os.selinux.enabled => false' do + let(:facts) do + super().merge({ os: { family: 'RedHat', selinux: { enabled: false } } }) + end - if facts[:os]['family'] == 'RedHat' - context 'with manage_selinux => true' do let(:params) do { manage_selinux: true } end - it { is_expected.to contain_package('icinga2-selinux').with({ 'ensure' => 'installed' }) } + it { is_expected.not_to contain_package('icinga2-selinux') } + end + end + + context 'with manage_packages => false' do + let(:params) do + { manage_packages: false } end + + it { is_expected.not_to contain_package('icinga2') } end context 'with confd => false' do
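Review bot: `super().merge({ os: { family: 'RedHat', selinux: { enabled: true } } })` in the two new contexts is a shallow merge, so the whole `os` fact is replaced by just `family` and `selinux` and every other key the module may read (`name`, `release`, `architecture`) disappears for these examples; they pass today only because the lookups involved tolerate undef, and a future condition on `os.release` would break here silently or, worse, pass for the wrong reason. Merge into the existing hash instead, `let(:facts) { f = super(); f.merge(os: f[:os].merge('selinux' => { 'enabled' => true })) }`, using string keys as the rest of the spec does with `facts[:os]['family']`. The enabled-false context then differs by a single value, which makes the pair easier to read.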