From 174d5cb45e812081687d96d04ae58e4e406304cf Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sun, 21 May 2017 20:57:32 +0200
Subject: [PATCH] Add $manage_selinux parameter
We manage selinux in a few places. There are systems where this is prohibited for puppet. We will manage it when it is on enforcing. This parameter allows people to disable it in each class, even if it is on enforcing.
---
 manifests/agent.pp | 5 +++--
 manifests/init.pp | 6 +++++-
 manifests/params.pp | 1 +
 manifests/proxy.pp | 3 ++-
 manifests/server.pp | 3 ++-
 manifests/web.pp | 3 ++-
 6 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 01bd76345..ecdf15f44 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -257,6 +257,7 @@
 $tlsservercertsubject = $zabbix::params::agent_tlsservercertsubject,
 String $agent_config_owner = $zabbix::params::agent_config_owner,
 String $agent_config_group = $zabbix::params::agent_config_group,
+ Boolean $manage_selinux = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
 # Check some if they are boolean
@@ -382,11 +383,11 @@
 }
 # the agent doesn't work perfectly fine with selinux
 # https://support.zabbix.com/browse/ZBX-11631
- if $facts['os']['selinux']['config_mode'] == 'enforcing' {
+ if $facts['selinux'] == 'enforcing' and $manage_selinux {
 selinux::module{'zabbix-agent':
 ensure => 'present',
 source_te => 'puppet:///modules/zabbix/zabbix-agent.te',
- before => Service['zabbix-agent']
+ before => Service['zabbix-agent'],
 }
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 49c2cdcd6..d3d6b8c92 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
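Review bot: The `manage_selinux` parameter added in the first manifests/agent.pp hunk comes with no documentation; the diffstat shows no lines beyond the visible hunks, so nothing describes it for agent.pp or for the matching parameter hunks in init.pp, proxy.pp, server.pp and web.pp. Because the switch decides whether Puppet touches SELinux policy on a host, each class header should carry an entry such as `# [*manage_selinux*] Whether this class may manage SELinux modules/booleans; defaults to the node's selinux fact.`, in whatever format the header already uses. The parameter list starts outside the hunk.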
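Review bot: In the second manifests/agent.pp hunk the new condition compares `$facts['selinux']` with the string 'enforcing', but that fact is a boolean "SELinux enabled" flag (params.pp in this same patch uses it as the default of a `Boolean` parameter), so the comparison can never be true and `selinux::module{'zabbix-agent'}` is never declared. The condition hunks in server.pp and web.pp use the same comparison, so their `selboolean` resources are skipped as well; only proxy.pp reads the mode from the structured fact. Enforcing hosts would then run without the intended policy, which usually ends in denials or in someone setting the host to permissive. Keep the previous lookup and only add the switch: `if $facts['os']['selinux']['config_mode'] == 'enforcing' and $manage_selinux {`. The enclosing class body starts outside the hunk.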
@@ -171,7 +171,9 @@
 $allowroot = $zabbix::params::server_allowroot,
 $include_dir = $zabbix::params::server_include,
 $loadmodulepath = $zabbix::params::server_loadmodulepath,
- $loadmodule = $zabbix::params::server_loadmodule,) inherits zabbix::params {
+ $loadmodule = $zabbix::params::server_loadmodule,
+ Boolean $manage_selinux = $zabbix::params::manage_selinux,
+) inherits zabbix::params {
 class { '::zabbix::web':
 zabbix_url => $zabbix_url,
 database_type => $database_type,
@@ -206,6 +208,7 @@
 apache_php_upload_max_filesize => $apache_php_upload_max_filesize,
 apache_php_max_input_time => $apache_php_max_input_time,
 apache_php_always_populate_raw_post_data => $apache_php_always_populate_raw_post_data,
+ manage_selinux => $manage_selinux,
 require => Class['zabbix::server'],
 }
@@ -283,6 +286,7 @@
 include_dir => $include_dir,
 loadmodulepath => $loadmodulepath,
 loadmodule => $loadmodule,
+ manage_selinux => $manage_selinux,
 require => Class['zabbix::database'],
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index f43b5e19c..8b2afad25 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -330,6 +330,7 @@
 $javagateway_pidfile = '/var/run/zabbix/zabbix_java.pid'
 $javagateway_startpollers = '5'
 $javagateway_timeout = '3'
+ $manage_selinux = $facts['selinux']
 # Gem provider may vary based on version/type of puppet install.
 # This can be a little complicated and may need revisited over time.
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index d77973ed9..2bc813e0e 100644
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -413,6 +413,7 @@
 $include_dir = $zabbix::params::proxy_include,
 $loadmodulepath = $zabbix::params::proxy_loadmodulepath,
 $loadmodule = $zabbix::params::proxy_loadmodule,
+ Boolean $manage_selinux = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
 # check osfamily, Arch is currently not supported for web
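Review bot: In the manifests/params.pp hunk, `$manage_selinux = $facts['selinux']` leaves the default undef on any node that does not report a `selinux` fact, while every class in this patch types the parameter as `Boolean`. Such a node would presumably fail catalog compilation on the type check instead of simply skipping SELinux handling. Normalising the default avoids that: `$manage_selinux = $facts['selinux'] ? { true => true, default => false }`. A short comment next to the assignment noting that the default is per-node (derived from the fact) would also help whoever overrides it later.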
@@ -608,7 +609,7 @@
 }
 # check if selinux is active and allow zabbix
- if $::osfamily == 'RedHat' and getvar('::selinux_config_mode') == 'enforcing' {
+ if $facts['os']['selinux']['config_mode'] == 'enforcing' and $manage_selinux {
 selboolean{'zabbix_can_network':
 persistent => true,
 value => 'on',
diff --git a/manifests/server.pp b/manifests/server.pp
index cf16604ee..4253d7bd5 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -371,6 +371,7 @@
 $loadmodule = $zabbix::params::server_loadmodule,
 $sslcertlocation_dir = $zabbix::params::server_sslcertlocation,
 $sslkeylocation_dir = $zabbix::params::server_sslkeylocation,
+ Boolean $manage_selinux = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
 # Only include the repo class if it has not yet been included
 unless defined(Class['Zabbix::Repo']) {
@@ -533,7 +534,7 @@
 }
 # check if selinux is active and allow zabbix
- if getvar('::selinux_config_mode') == 'enforcing' {
+ if $facts['selinux'] == 'enforcing' and $manage_selinux {
 selboolean{'zabbix_can_network':
 persistent => true,
 value => 'on',
diff --git a/manifests/web.pp b/manifests/web.pp
index 19948e18b..f6dd1e3ce 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -220,6 +220,7 @@
 $ldap_clientcert = $zabbix::params::ldap_clientcert,
 $ldap_clientkey = $zabbix::params::ldap_clientkey,
 $puppetgem = $zabbix::params::puppetgem,
+ Boolean $manage_selinux = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
 # check osfamily, Arch is currently not supported for web
@@ -463,7 +464,7 @@
 } # END if $manage_vhost
 # check if selinux is active and allow zabbix
- if $::osfamily == 'RedHat' and getvar('::selinux_config_mode') == 'enforcing' {
+ if $facts['selinux'] == 'enforcing' and $manage_selinux {
 selboolean{'httpd_can_connect_zabbix':
 persistent => true,
 value => 'on',
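Review bot: The new condition in the second manifests/proxy.pp hunk drops the `$::osfamily == 'RedHat'` guard and indexes `$facts['os']['selinux']['config_mode']` directly, where the old `getvar()` call tolerated a missing value. If a node's `os` fact has no `selinux` key, the last `[]` is applied to undef and evaluation should fail rather than skip the block. Putting the cheap checks first keeps the short-circuit, e.g. `if $manage_selinux and $facts['os']['family'] == 'RedHat' and $facts['os']['selinux']['config_mode'] == 'enforcing' {`, or the value can be read with `$facts.dig('os', 'selinux', 'config_mode')` if the supported Puppet versions provide it. The enclosing class body starts outside the hunk.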