From 4a9b44699f074464daff10a076ac933ad894c2b8 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Fri, 28 Jun 2024 16:41:59 +0200 Subject: [PATCH 1/6] Fix and extend SELinux support --- REFERENCE.md | 10 ---------- manifests/feature.pp | 1 + manifests/init.pp | 5 ----- manifests/install.pp | 20 ++++++++++++++------ spec/classes/icinga2_spec.rb | 10 ---------- 5 files changed, 15 insertions(+), 31 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index af6bfa7c..d3f95de8 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -202,7 +202,6 @@ The following parameters are available in the `icinga2` class: * [`enable`](#-icinga2--enable) * [`manage_repos`](#-icinga2--manage_repos) * [`manage_packages`](#-icinga2--manage_packages) -* [`manage_selinux`](#-icinga2--manage_selinux) * [`manage_service`](#-icinga2--manage_service) * [`features`](#-icinga2--features) * [`purge_features`](#-icinga2--purge_features) @@ -244,15 +243,6 @@ If set to false packages aren't managed. Default value: `true` -##### `manage_selinux` - -Data type: `Boolean` - -If set to true the icinga selinux package is installed. Requires a `selinux_package_name` (icinga2::globals) -and `manage_packages` has to be set to true. - -Default value: `false` - ##### `manage_service` Data type: `Boolean` diff --git a/manifests/feature.pp b/manifests/feature.pp index 953a76fb..11c78738 100644 --- a/manifests/feature.pp +++ b/manifests/feature.pp @@ -23,6 +23,7 @@ ensure => $_ensure, owner => $user, group => $group, + seluser => 'unconfined_u', target => "../features-available/${feature}.conf", require => Concat["${conf_dir}/features-available/${feature}.conf"], notify => Class['icinga2::service'], diff --git a/manifests/init.pp b/manifests/init.pp index d2682562..c04a3ee8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
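Review bot: The `seluser => 'unconfined_u'` added to the features-enabled symlink in feature.pp is a hard-coded user field that is applied regardless of whether the SELinux package or any `manage_selinux` switch is in effect. Files managed by system services normally carry `system_u`, so pinning `unconfined_u` here would presumably be undone by any `restorecon`/relabel and then re-applied by Puppet on the next run, i.e. permanent corrective drift. Confirm the label is actually required by the policy and, if so, document it on the line, e.g. `seluser => 'unconfined_u', # required by the icinga2 policy for the features-enabled symlink: <reason>`; if it is not required, drop the attribute and let the policy default apply. The enclosing file resource starts before this hunk.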
@@ -85,10 +85,6 @@ # @param manage_packages # If set to false packages aren't managed. # -# @param manage_selinux -# If set to true the icinga selinux package is installed. Requires a `selinux_package_name` (icinga2::globals) -# and `manage_packages` has to be set to true. -# # @param manage_service # If set to true the service is managed otherwise the service also # isn't restarted if a config file changed. @@ -118,7 +114,6 @@ Boolean $enable = true, Boolean $manage_repos = false, Boolean $manage_packages = true, - Boolean $manage_selinux = false, Boolean $manage_service = true, Boolean $purge_features = true, Hash $constants = {}, diff --git a/manifests/install.pp b/manifests/install.pp index 4924e8a3..c8f2d2b1 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -10,7 +10,6 @@ $package_name = $icinga2::globals::package_name $manage_packages = $icinga2::manage_packages $selinux_package_name = $icinga2::globals::selinux_package_name - $manage_selinux = $icinga2::manage_selinux $cert_dir = $icinga2::globals::cert_dir $conf_dir = $icinga2::globals::conf_dir $user = $icinga2::globals::user @@ -24,7 +23,7 @@ before => File[$cert_dir, $conf_dir], } - if str2bool($manage_selinux) and $selinux_package_name { + if $facts['os']['selinux']['enabled'] and $selinux_package_name { package { $selinux_package_name: ensure => installed, require => Package[$package_name], @@ -32,9 +31,18 @@ } } - file { [$conf_dir, $cert_dir]: - ensure => directory, - owner => $user, - group => $group, + file { + default: + ensure => directory, + owner => $user, + group => $group, + mode => '0750', + ; + $conf_dir: + seltype => 'icinga2_etc_t', + ; + $cert_dir: + seltype => 'icinga2_var_lib_t', + ; } } diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb index 6c6f6b58..a555d2fa 100644 --- a/spec/classes/icinga2_spec.rb +++ b/spec/classes/icinga2_spec.rb 
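Review bot: The `seltype` labels on `$conf_dir` and `$cert_dir` in the new `file { default: ... }` block carry no ordering against `package { $selinux_package_name: }`, which is presumably what provides the `icinga2_etc_t`/`icinga2_var_lib_t` types, so on a first run the directories can be labelled before the policy is loaded, and they are labelled even when that package is not managed at all. Add `before => File[$conf_dir, $cert_dir]` to the selinux package (mirroring the `before => File[$cert_dir, $conf_dir]` already on the main package) or make the label conditional on the package being managed. The same hunk introduces `mode => '0750'` on both directories without mention in the commit message; a comment such as `# 0750: only the daemon's user and group may traverse the config and certificate directories` would make the tightening intentional. Separately, the guard `if $facts['os']['selinux']['enabled'] and $selinux_package_name {` one hunk up indexes `$facts['os']['selinux']` unguarded, which raises an evaluation error on agents whose `os` fact has no `selinux` key.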
@@ -51,16 +51,6 @@ it { is_expected.not_to contain_package('icinga2').with({ 'ensure' => 'installed' }) } end - if facts[:os]['family'] == 'RedHat' - context 'with manage_selinux => true' do - let(:params) do - { manage_selinux: true } - end - - it { is_expected.to contain_package('icinga2-selinux').with({ 'ensure' => 'installed' }) } - end - end - context 'with confd => false' do let(:params) do { confd: false } From e1461ad64d445a6094c928c040b9d705c37d75a6 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Fri, 28 Jun 2024 15:57:24 +0000 Subject: [PATCH 2/6] Fix unit test private key permission --- manifests/install.pp | 2 +- spec/classes/elasticsearch_spec.rb | 4 ++-- spec/classes/gelf_spec.rb | 4 ++-- spec/classes/icingadb_spec.rb | 4 ++-- spec/classes/idomysql_spec.rb | 4 ++-- spec/classes/idopgsql_spec.rb | 4 ++-- spec/classes/influxdb2_spec.rb | 4 ++-- spec/classes/influxdb_spec.rb | 4 ++-- 8 files changed, 15 insertions(+), 15 deletions(-) diff --git a/manifests/install.pp b/manifests/install.pp index c8f2d2b1..51335910 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -23,7 +23,7 @@ before => File[$cert_dir, $conf_dir], } - if $facts['os']['selinux']['enabled'] and $selinux_package_name { + if fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name { package { $selinux_package_name: ensure => installed, require => Package[$package_name], diff --git a/spec/classes/elasticsearch_spec.rb b/spec/classes/elasticsearch_spec.rb index 26d04c20..95196fbf 100644 --- a/spec/classes/elasticsearch_spec.rb +++ b/spec/classes/elasticsearch_spec.rb 
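Review bot: The new condition `if fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name {` in install.pp tests the same fact twice: `fact('os.selinux.enabled')` already yields the value of `$facts['os']['selinux']['enabled']` (returning undef instead of failing when the `os.selinux` key is missing), so the second operand can never change the outcome. Reduce it to `if fact('os.selinux.enabled') and $selinux_package_name {`. The same doubled lookup is carried into the install.pp hunk of PATCH 3/6 and into the `$_selinux` assignment in the init.pp hunk of PATCH 4/6.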
@@ -23,13 +23,13 @@ when 'FreeBSD' let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_user) { 'icinga' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } case facts[:os]['family'] when 'Debian' let(:icinga2_user) { 'nagios' } diff --git a/spec/classes/gelf_spec.rb b/spec/classes/gelf_spec.rb index f137894d..e6b54165 100644 --- a/spec/classes/gelf_spec.rb +++ b/spec/classes/gelf_spec.rb @@ -23,13 +23,13 @@ when 'FreeBSD' let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_user) { 'icinga' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } case facts[:os]['family'] when 'Debian' let(:icinga2_user) { 'nagios' } diff --git a/spec/classes/icingadb_spec.rb b/spec/classes/icingadb_spec.rb index e4c9ffd6..34c60e47 100644 --- a/spec/classes/icingadb_spec.rb +++ b/spec/classes/icingadb_spec.rb @@ -24,14 +24,14 @@ when 'FreeBSD' let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_sslfile_owner) { 'icinga' } let(:icinga2_sslfile_mode) { '0640' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_sslfile_mode) { '0640' } case facts[:os]['family'] when 'Debian' 
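Review bot: The expected private key mode in the `icinga2_sslkey_mode` lets drops from `0400` to `0440` in both the FreeBSD and the default branch, so the tests now encode a group-readable key for the Elasticsearch writer; the same relaxation is made in gelf_spec.rb, icingadb_spec.rb, idomysql_spec.rb, idopgsql_spec.rb, influxdb2_spec.rb and influxdb_spec.rb. The api feature, by contrast, keeps `default => '0600'` for its key (api.pp in PATCH 4/6), so key permissions are now inconsistent across features. If group read is needed because the writer presumably accesses the key as `$group` rather than as the owning user, record that where the expectation is set, e.g. `let(:icinga2_sslkey_mode) { '0440' } # group read required: <reason>`; otherwise the manifests' mode, not the test, is what should change. The enclosing `case` starts before this hunk.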
diff --git a/spec/classes/idomysql_spec.rb b/spec/classes/idomysql_spec.rb index 616f136e..9f372a14 100644 --- a/spec/classes/idomysql_spec.rb +++ b/spec/classes/idomysql_spec.rb @@ -42,14 +42,14 @@ let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } let(:ido_mysql_schema_dir) { '/usr/local/share/icinga2-ido-mysql/schema' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_user) { 'icinga' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } let(:ido_mysql_schema_dir) { '/usr/share/icinga2-ido-mysql/schema' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } case facts[:os]['family'] when 'Debian' let(:icinga2_user) { 'nagios' } diff --git a/spec/classes/idopgsql_spec.rb b/spec/classes/idopgsql_spec.rb index 57995b0d..40e19652 100644 --- a/spec/classes/idopgsql_spec.rb +++ b/spec/classes/idopgsql_spec.rb @@ -25,14 +25,14 @@ let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } let(:ido_pgsql_schema_dir) { '/usr/local/share/icinga2-ido-pgsql/schema' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_user) { 'icinga' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } let(:ido_pgsql_schema_dir) { '/usr/share/icinga2-ido-pgsql/schema' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } case facts[:os]['family'] when 'Debian' let(:icinga2_user) { 'nagios' } diff --git a/spec/classes/influxdb2_spec.rb b/spec/classes/influxdb2_spec.rb index af80d691..679dde9a 100644 --- a/spec/classes/influxdb2_spec.rb +++ b/spec/classes/influxdb2_spec.rb 
@@ -23,13 +23,13 @@ when 'FreeBSD' let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_user) { 'icinga' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } case facts[:os]['family'] when 'Debian' let(:icinga2_user) { 'nagios' } diff --git a/spec/classes/influxdb_spec.rb b/spec/classes/influxdb_spec.rb index dbbb8e33..1b5926af 100644 --- a/spec/classes/influxdb_spec.rb +++ b/spec/classes/influxdb_spec.rb @@ -23,13 +23,13 @@ when 'FreeBSD' let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } let(:icinga2_user) { 'icinga' } let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } - let(:icinga2_sslkey_mode) { '0400' } + let(:icinga2_sslkey_mode) { '0440' } case facts[:os]['family'] when 'Debian' let(:icinga2_user) { 'nagios' } From bcb95be48ac57f79ef1bf0e6e66c89045bbb6402 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Mon, 1 Jul 2024 09:50:56 +0000 Subject: [PATCH 3/6] Readd param manage_selinux, but set default ro true --- REFERENCE.md | 10 ++++++++++ manifests/init.pp | 5 +++++ manifests/install.pp | 3 ++- spec/classes/icinga2_spec.rb | 20 +++++++++++++++++++- 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index d3f95de8..9120611a 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -202,6 +202,7 @@ The following parameters are available in the `icinga2` class: * [`enable`](#-icinga2--enable) * [`manage_repos`](#-icinga2--manage_repos) * [`manage_packages`](#-icinga2--manage_packages) +* [`manage_selinux`](#-icinga2--manage_selinux) * [`manage_service`](#-icinga2--manage_service) * [`features`](#-icinga2--features) * [`purge_features`](#-icinga2--purge_features) @@ -243,6 +244,15 @@ If set to false packages aren't managed. Default value: `true` +##### `manage_selinux` + +Data type: `Boolean` + +If set to true the icinga selinux package is installed if selinux is enabled. Also requires a +`selinux_package_name` (icinga2::globals) and `manage_packages` has to be set to true. + +Default value: `true` + ##### `manage_service` Data type: `Boolean` diff --git a/manifests/init.pp b/manifests/init.pp index c04a3ee8..1bdff57a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -85,6 +85,10 @@ # @param manage_packages # If set to false packages aren't managed. # +# @param manage_selinux +# If set to true the icinga selinux package is installed if selinux is enabled. Also requires a +# `selinux_package_name` (icinga2::globals) and `manage_packages` has to be set to true. +# # @param manage_service # If set to true the service is managed otherwise the service also # isn't restarted if a config file changed. @@ -114,6 +118,7 @@ Boolean $enable = true, Boolean $manage_repos = false, Boolean $manage_packages = true, + Boolean $manage_selinux = true, Boolean $manage_service = true, Boolean $purge_features = true, Hash $constants = {}, diff --git a/manifests/install.pp b/manifests/install.pp index 51335910..7f4cd4b2 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -9,6 +9,7 @@ $package_name = $icinga2::globals::package_name $manage_packages = $icinga2::manage_packages + $manage_selinux = $icinga2::manage_selinux $selinux_package_name = $icinga2::globals::selinux_package_name $cert_dir = $icinga2::globals::cert_dir $conf_dir = $icinga2::globals::conf_dir @@ -23,7 +24,7 @@ before => File[$cert_dir, $conf_dir], } - if fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name { + if $manage_selinux and fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name { package { $selinux_package_name: ensure => installed, require => Package[$package_name], diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb index a555d2fa..8c434b27 100644 --- a/spec/classes/icinga2_spec.rb +++ b/spec/classes/icinga2_spec.rb @@ -43,12 +43,30 @@ it { is_expected.to contain_icinga2__feature('notification').with({ 'ensure' => 'present' }) } end + if facts[:os]['family'] == 'RedHat' + context 'with fact os.selinux.enabled => false' do + let(:facts) do + super().merge({ os: { family: 'RedHat', selinux: { enabled: false } } }) + end + + it { is_expected.not_to contain_package('icinga2-selinux') } + end + + context 'with manage_selinux => false' do + let(:params) do + { manage_selinux: false } + end + + it { is_expected.not_to contain_package('icinga2-selinux') } + end + end + context 'with manage_packages => false' do let(:params) do { manage_packages: false } end - it { is_expected.not_to contain_package('icinga2').with({ 'ensure' => 'installed' }) } + it { is_expected.not_to contain_package('icinga2') } end context 'with confd => false' do From 739ba529bfefcc094224e153629c278a833605f5 Mon Sep 17 00:00:00 2001 
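Review bot: `super().merge({ os: { family: 'RedHat', selinux: { enabled: false } } })` in the new `with fact os.selinux.enabled => false` context replaces the entire `os` fact hash rather than only `os.selinux.enabled`, so every other `os` sub-fact the manifests may read (name, release, …) is dropped for this context and the catalog compiled here is not "the default RedHat catalog with one fact changed". A nested merge keeps the rest, e.g. `super().merge({ os: super()[:os].merge({ 'selinux' => { 'enabled' => false } }) })`, using whichever key type (symbol or string) the fixture facts actually use. The same pattern is repeated in the icinga2_spec.rb hunk of PATCH 6/6.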
From: Lennart Betz Date: Mon, 8 Jul 2024 07:02:52 +0200 Subject: [PATCH 4/6] Add selinux params to file resources --- manifests/config.pp | 7 +++--- manifests/config/fragment.pp | 7 +++--- manifests/feature.pp | 1 + manifests/feature/api.pp | 40 ++++++++++++++++++++++-------- manifests/feature/elasticsearch.pp | 5 ---- manifests/feature/gelf.pp | 5 ---- manifests/feature/icingadb.pp | 8 +++--- manifests/feature/idomysql.pp | 5 ---- manifests/feature/idopgsql.pp | 5 ---- manifests/feature/influxdb.pp | 5 ---- manifests/feature/influxdb2.pp | 5 ---- manifests/init.pp | 9 +++++++ manifests/install.pp | 4 +-- manifests/object.pp | 7 +++--- manifests/pki/ca.pp | 5 ++-- manifests/query_objects.pp | 7 +++--- 16 files changed, 63 insertions(+), 62 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 58c01af3..250b28ff 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -24,9 +24,10 @@ } File { - owner => $user, - group => $group, - mode => $file_permissions, + owner => $user, + group => $group, + mode => $file_permissions, + seltype => 'icinga2_etc_t', } file { "${conf_dir}/constants.conf": diff --git a/manifests/config/fragment.pp b/manifests/config/fragment.pp index 287389ba..a09b35bc 100644 --- a/manifests/config/fragment.pp +++ b/manifests/config/fragment.pp @@ -52,9 +52,10 @@ ) { if $facts['os']['family'] != 'windows' { Concat { - owner => $icinga2::globals::user, - group => $icinga2::globals::group, - mode => '0640', + owner => $icinga2::globals::user, + group => $icinga2::globals::group, + seltype => 'icinga2_etc_t', + mode => '0640', } } diff --git a/manifests/feature.pp b/manifests/feature.pp index 11c78738..822d307a 100644 --- a/manifests/feature.pp +++ b/manifests/feature.pp 
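Review bot: The `seltype => 'icinga2_etc_t'` added to the `File` resource defaults in config.pp is unconditional, while installing the package that presumably defines that type is gated on `$icinga2::_selinux` (init.pp in this same patch). On a host with SELinux enabled but `manage_selinux` off — the default after PATCH 6/6 — Puppet will try to set a type the loaded policy may not know and report an error on every run. Gate the label on the same switch, e.g. `seltype => $icinga2::_selinux ? { true => 'icinga2_etc_t', default => undef },`. The same unconditional label is added in config/fragment.pp, feature.pp, feature/api.pp, feature/icingadb.pp, object.pp, pki/ca.pp and query_objects.pp in this patch.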
@@ -24,6 +24,7 @@ owner => $user, group => $group, seluser => 'unconfined_u', + seltype => 'icinga2_etc_t', target => "../features-available/${feature}.conf", require => Concat["${conf_dir}/features-available/${feature}.conf"], notify => Class['icinga2::service'], diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp index 0a193712..6ea419be 100644 --- a/manifests/feature/api.pp +++ b/manifests/feature/api.pp @@ -185,25 +185,27 @@ # cert directory must exists and icinga binary is required for icinga2 pki require icinga2::install - $icinga2_bin = $icinga2::globals::icinga2_bin - $conf_dir = $icinga2::globals::conf_dir - $cert_dir = $icinga2::globals::cert_dir - $ca_dir = $icinga2::globals::ca_dir - $user = $icinga2::globals::user - $group = $icinga2::globals::group - $node_name = $icinga2::_constants['NodeName'] - $_ssl_key_mode = $facts['os']['family'] ? { + $icinga2_bin = $icinga2::globals::icinga2_bin + $manage_selinux = $icinga2::_selinux + $conf_dir = $icinga2::globals::conf_dir + $cert_dir = $icinga2::globals::cert_dir + $ca_dir = $icinga2::globals::ca_dir + $user = $icinga2::globals::user + $group = $icinga2::globals::group + $node_name = $icinga2::_constants['NodeName'] + $_ssl_key_mode = $facts['os']['family'] ? { 'windows' => undef, default => '0600', } - $_notify = $ensure ? { + $_notify = $ensure ? { 'present' => Class['icinga2::service'], default => undef, } File { - owner => $user, - group => $group, + owner => $user, + group => $group, + seltype => 'icinga2_var_lib_t', } # Set defaults for certificate stuff 
@@ -357,6 +359,22 @@ create_resources('icinga2::object::endpoint', $endpoints) create_resources('icinga2::object::zone', $zones) +# if $manage_selinux { + # if port is free +# exec { "Add port ${bind_port} for icinga2_port_t": +# command => ['/usr/sbin/semanage', 'port', '-a', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], +# unless => "/usr/sbin/semanage port -l | grep -qw '^icinga2_port_t.*\s${bind_port}'", +# before => Icinga2::Object['icinga2::object::ApiListener::api'], +# } + + # if port is also used by another app +# exec { "Also open available port ${bind_port} for icinga2_port_t": +# command => ['/usr/sbin/semanage', 'port', '-m', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], +# onlyif => "/usr/sbin/semanage port -l | grep -qw '^!icinga2_port_t.*\s${bind_port}'", +# before => Icinga2::Object['icinga2::object::ApiListener::api'], +# } +# } + # create object icinga2::object { 'icinga2::object::ApiListener::api': object_name => 'api', diff --git a/manifests/feature/elasticsearch.pp b/manifests/feature/elasticsearch.pp index 8b40e241..1880424d 100644 --- a/manifests/feature/elasticsearch.pp +++ b/manifests/feature/elasticsearch.pp @@ -103,11 +103,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'ElasticsearchWriter_elasticsearch', diff --git a/manifests/feature/gelf.pp b/manifests/feature/gelf.pp index 996a50e6..5d0e2073 100644 --- a/manifests/feature/gelf.pp +++ b/manifests/feature/gelf.pp @@ -73,11 +73,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'GelfWriter_gelf', diff --git a/manifests/feature/icingadb.pp b/manifests/feature/icingadb.pp index ed4c3cdd..109b9843 100644 --- a/manifests/feature/icingadb.pp +++ b/manifests/feature/icingadb.pp 
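Review bot: Removing the `File { owner => $owner, group => $group }` defaults from elasticsearch.pp changes the ownership of every file resource in this class that relied on them, and the hunk adds no replacement; only icingadb.pp in this patch puts `owner`/`group` back explicitly on its file resource. If the certificate files handled under `if $enable_ssl` (via `icinga::cert::files`, continuing outside the hunk) do not receive `owner`/`group` themselves, they will now be created with the agent's default ownership, which for key material is a permission regression. Either confirm that every file resource in the class sets ownership explicitly, or keep the defaults. The same removal is made in gelf.pp, idomysql.pp, idopgsql.pp, influxdb.pp and influxdb2.pp.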
@@ -108,15 +108,13 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $env_id { file { "${data_dir}/icingadb.env": ensure => file, + owner => $owner, + group => $group, mode => '0600', + seltype => 'icinga2_etc_t', content => sprintf('"%s"', unwrap($env_id)), show_diff => false, tag => 'icinga2::config::file', diff --git a/manifests/feature/idomysql.pp b/manifests/feature/idomysql.pp index 2d281502..e1246a14 100644 --- a/manifests/feature/idomysql.pp +++ b/manifests/feature/idomysql.pp @@ -142,11 +142,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'IdoMysqlConnection_ido-mysql', diff --git a/manifests/feature/idopgsql.pp b/manifests/feature/idopgsql.pp index 74773169..541b1ae7 100644 --- a/manifests/feature/idopgsql.pp +++ b/manifests/feature/idopgsql.pp @@ -128,11 +128,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - if $enable_ssl { $cert = icinga::cert::files( 'IdoPgsqlConnection_ido-pgsql', diff --git a/manifests/feature/influxdb.pp b/manifests/feature/influxdb.pp index 57cf5468..a95c9e76 100644 --- a/manifests/feature/influxdb.pp +++ b/manifests/feature/influxdb.pp @@ -139,11 +139,6 @@ undef } - File { - owner => $owner, - group => $group, - } - $host_template = { measurement => $host_measurement, tags => $host_tags } $service_template = { measurement => $service_measurement, tags => $service_tags } diff --git a/manifests/feature/influxdb2.pp b/manifests/feature/influxdb2.pp index 1482a585..ba8ab890 100644 --- a/manifests/feature/influxdb2.pp +++ b/manifests/feature/influxdb2.pp @@ -117,11 +117,6 @@ default => undef, } - File { - owner => $owner, - group => $group, - } - $host_template = { measurement => $host_measurement, tags => $host_tags } $service_template = { measurement => $service_measurement, tags => $service_tags } diff --git a/manifests/init.pp b/manifests/init.pp index 1bdff57a..b65910cb 100644 
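Review bot: The `${data_dir}/icingadb.env` file gets `seltype => 'icinga2_etc_t'` although it lives under `$data_dir`, while the other var/lib paths in this series (`$cert_dir` in install.pp, the api feature's File defaults) use `icinga2_var_lib_t`; if the policy's file-context rules label `$data_dir` as var_lib, a `restorecon` will flip this file back and Puppet will re-label it on every run. Confirm against the policy which type applies and add a one-line comment stating why, e.g. `seltype => 'icinga2_etc_t', # holds credentials; treated as configuration by the icinga2 policy`, or switch to `icinga2_var_lib_t`. The `$data_dir` definition is outside the hunk.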
--- a/manifests/init.pp +++ b/manifests/init.pp @@ -126,6 +126,15 @@ ) { require icinga2::globals + $selinux_package_name = $icinga2::globals::selinux_package_name + + # check selinux + $_selinux = if fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name { + $manage_selinux + } else { + false + } + # load reserved words $_reserved = $icinga2::globals::reserved diff --git a/manifests/install.pp b/manifests/install.pp index 7f4cd4b2..577ec2ed 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -9,7 +9,7 @@ $package_name = $icinga2::globals::package_name $manage_packages = $icinga2::manage_packages - $manage_selinux = $icinga2::manage_selinux + $manage_selinux = $icinga2::_selinux $selinux_package_name = $icinga2::globals::selinux_package_name $cert_dir = $icinga2::globals::cert_dir $conf_dir = $icinga2::globals::conf_dir @@ -24,7 +24,7 @@ before => File[$cert_dir, $conf_dir], } - if $manage_selinux and fact('os.selinux.enabled') and $facts['os']['selinux']['enabled'] and $selinux_package_name { + if $manage_selinux { package { $selinux_package_name: ensure => installed, require => Package[$package_name], diff --git a/manifests/object.pp b/manifests/object.pp index e3d238e1..41208867 100644 --- a/manifests/object.pp +++ b/manifests/object.pp @@ -72,9 +72,10 @@ } # windows default: { Concat { - owner => $icinga2::globals::user, - group => $icinga2::globals::group, - mode => '0640', + owner => $icinga2::globals::user, + group => $icinga2::globals::group, + seltype => 'icinga2_etc_t', + mode => '0640', } } # default } diff --git a/manifests/pki/ca.pp b/manifests/pki/ca.pp index fc89412d..2e842d8d 100644 --- a/manifests/pki/ca.pp +++ b/manifests/pki/ca.pp @@ -39,8 +39,9 @@ $_ssl_cacert_path = "${cert_dir}/ca.crt" File { - owner => $user, - group => $group, + owner => $user, + group => $group, + seltype => 'icinga2_var_lib_t', } if $::facts['os']['family'] != 'windows' { 
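Review bot: The new `$_selinux` in init.pp becomes a cross-class interface — install.pp in this patch reads it as `$icinga2::_selinux`, and feature/api.pp does too — but its only documentation is `# check selinux`. Replace that with a comment stating the contract, e.g. `# $_selinux: true only when manage_selinux is set, the os.selinux.enabled fact is true and a selinux package name is known; read by icinga2::install and icinga2::feature::api to enable SELinux package, label and port handling.` As a style point, a leading-underscore variable consumed by other classes signals "internal" while being relied upon externally; either drop the underscore or note in the comment that it is not part of the public API.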
diff --git a/manifests/query_objects.pp b/manifests/query_objects.pp index d5002768..1a11c0e8 100644 --- a/manifests/query_objects.pp +++ b/manifests/query_objects.pp @@ -22,9 +22,10 @@ } # windows default: { Concat { - owner => $icinga2::globals::user, - group => $icinga2::globals::group, - mode => '0640', + owner => $icinga2::globals::user, + group => $icinga2::globals::group, + seltype => 'icinga2_etc_t', + mode => '0640', } } # default } From be363f1b1d5b88ef2f5c68befd9fb8b174485efa Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Mon, 8 Jul 2024 16:35:55 +0200 Subject: [PATCH 5/6] Add port management in api feature for selinux --- manifests/feature/api.pp | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp index 6ea419be..d9da29e4 100644 --- a/manifests/feature/api.pp +++ b/manifests/feature/api.pp 
@@ -359,21 +359,21 @@ create_resources('icinga2::object::endpoint', $endpoints) create_resources('icinga2::object::zone', $zones) -# if $manage_selinux { + if $manage_selinux and $bind_port { # if port is free -# exec { "Add port ${bind_port} for icinga2_port_t": -# command => ['/usr/sbin/semanage', 'port', '-a', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], -# unless => "/usr/sbin/semanage port -l | grep -qw '^icinga2_port_t.*\s${bind_port}'", -# before => Icinga2::Object['icinga2::object::ApiListener::api'], -# } + exec { "Add port ${bind_port} for icinga2_port_t": + command => ['/usr/sbin/semanage', 'port', '-a', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], + unless => "/usr/sbin/semanage port -l | grep -qw '\\s${bind_port}'", + before => Icinga2::Object['icinga2::object::ApiListener::api'], + } # if port is also used by another app -# exec { "Also open available port ${bind_port} for icinga2_port_t": -# command => ['/usr/sbin/semanage', 'port', '-m', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], -# onlyif => "/usr/sbin/semanage port -l | grep -qw '^!icinga2_port_t.*\s${bind_port}'", -# before => Icinga2::Object['icinga2::object::ApiListener::api'], -# } -# } + exec { "Add available port ${bind_port} also for icinga2_port_t": + command => ['/usr/sbin/semanage', 'port', '-m', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port], + onlyif => "/usr/sbin/semanage port -l | grep -wv '^icinga2_port_t' | grep -wq '\s${bind_port}'", + before => Icinga2::Object['icinga2::object::ApiListener::api'], + } + } # create object icinga2::object { 'icinga2::object::ApiListener::api': From 4538a79680ff0784c4ce4eefe7e75114030f4f18 Mon Sep 17 00:00:00 2001 
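Review bot: The two `exec` resources in the new `if $manage_selinux and $bind_port` block escape the whitespace class differently: the first uses `'\\s${bind_port}'`, which reaches grep as the regex `\s<port>`, while the second uses `'\s${bind_port}'`, which Puppet's double-quoted string turns into a literal space before the port; both happen to match `semanage port -l` output, but the second should read `grep -wq '\\s${bind_port}'` for consistency, or both should use a literal space deliberately with a comment. Neither check is restricted to the `tcp` protocol, so an existing udp-only entry for `$bind_port` suppresses the `-a` exec and then drives the `-m` exec with `-p tcp` against a port that tcp has no definition for, which `semanage` rejects. The `semanage port -m` exec also re-types a port already owned by another SELinux port type, taking it away from the service whose policy relied on it; that is a deliberate policy change and should be stated in the `@param bind_port` documentation rather than performed silently. The enclosing class and its `@param` docs are outside the hunk.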
From: Lennart Betz Date: Thu, 25 Jul 2024 13:31:54 +0000 Subject: [PATCH 6/6] Dismantling to manage_selinux to false by default --- REFERENCE.md | 2 +- manifests/init.pp | 2 +- spec/classes/api_spec.rb | 18 ++++++++++++++++++ spec/classes/icinga2_spec.rb | 19 ++++++++++++++----- 4 files changed, 34 insertions(+), 7 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 9120611a..76e38110 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -251,7 +251,7 @@ Data type: `Boolean` If set to true the icinga selinux package is installed if selinux is enabled. Also requires a `selinux_package_name` (icinga2::globals) and `manage_packages` has to be set to true. -Default value: `true` +Default value: `false` ##### `manage_service` diff --git a/manifests/init.pp b/manifests/init.pp index b65910cb..0d17c9a3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -118,7 +118,7 @@ Boolean $enable = true, Boolean $manage_repos = false, Boolean $manage_packages = true, - Boolean $manage_selinux = true, + Boolean $manage_selinux = false, Boolean $manage_service = true, Boolean $purge_features = true, Hash $constants = {}, diff --git a/spec/classes/api_spec.rb b/spec/classes/api_spec.rb index 37e3304a..11ccc3c7 100644 --- a/spec/classes/api_spec.rb +++ b/spec/classes/api_spec.rb @@ -72,6 +72,24 @@ end end + if facts[:os]['family'] == 'RedHat' + context 'with icinga2::manage_selinux => true, bind_port => 1234' do + let(:pre_condition) do + [ + "class { 'icinga2': manage_selinux => true, features => [], constants => {'NodeName' => 'host.example.org'} }", + ] + end + + let(:params) do + { + bind_port: 1234, + } + end + + it { is_expected.to contain_exec('Add port 1234 for icinga2_port_t') } + end + end + context "with pki => 'puppet'" do let(:params) do { diff --git a/spec/classes/icinga2_spec.rb b/spec/classes/icinga2_spec.rb index 8c434b27..fb594e42 100644 --- a/spec/classes/icinga2_spec.rb +++ b/spec/classes/icinga2_spec.rb 
@@ -18,6 +18,7 @@ context 'with defaults' do it { is_expected.to contain_package('icinga2').with({ 'ensure' => 'installed' }) } + it { is_expected.not_to contain_package('icinga2-selinux') } it { is_expected.to contain_service('icinga2').with( @@ -44,17 +45,25 @@ end if facts[:os]['family'] == 'RedHat' - context 'with fact os.selinux.enabled => false' do + context 'with manage_selinux => true, fact os.selinux.enabled => true' do let(:facts) do - super().merge({ os: { family: 'RedHat', selinux: { enabled: false } } }) + super().merge({ os: { family: 'RedHat', selinux: { enabled: true } } }) end - it { is_expected.not_to contain_package('icinga2-selinux') } + let(:params) do + { manage_selinux: true } + end + + it { is_expected.to contain_package('icinga2-selinux') } end - context 'with manage_selinux => false' do + context 'with manage_selinux => true, fact os.selinux.enabled => false' do + let(:facts) do + super().merge({ os: { family: 'RedHat', selinux: { enabled: false } } }) + end + let(:params) do - { manage_selinux: false } + { manage_selinux: true } end it { is_expected.not_to contain_package('icinga2-selinux') }