Add $manage_selinux parameter

We manage selinux in a few places. There are systems where this is prohibited for puppet. We will manage it when it is on enforcing. This parameter allows people to disable it in each class, even if it is on enforcing.
voxpupuli · May 21, 2017 · 68e0d61 · 68e0d61
1 parent fa6c6ca
commit 68e0d61
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 6 deletions.
diff --git a/manifests/agent.pp b/manifests/agent.pp
@@ -257,6 +257,7 @@
   $tlsservercertsubject                   = $zabbix::params::agent_tlsservercertsubject,
   String $agent_config_owner              = $zabbix::params::agent_config_owner,
   String $agent_config_group              = $zabbix::params::agent_config_group,
+  Boolean $manage_selinux                 = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
   # Check some if they are boolean
 
@@ -382,11 +383,11 @@
   }
   # the agent doesn't work perfectly fine with selinux
   # https://support.zabbix.com/browse/ZBX-11631
-  if $facts['os']['selinux']['config_mode'] == 'enforcing' {
+  if $facts['selinux'] == 'enforcing' and $manage_selinux {
     selinux::module{'zabbix-agent':
       ensure    => 'present',
       source_te => 'puppet:///modules/zabbix/zabbix-agent.te',
-      before    => Service['zabbix-agent']
+      before    => Service['zabbix-agent'],
     }
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -171,7 +171,9 @@
   $allowroot                                = $zabbix::params::server_allowroot,
   $include_dir                              = $zabbix::params::server_include,
   $loadmodulepath                           = $zabbix::params::server_loadmodulepath,
-  $loadmodule                               = $zabbix::params::server_loadmodule,) inherits zabbix::params {
+  $loadmodule                               = $zabbix::params::server_loadmodule,
+  Boolean $manage_selinux                   = $zabbix::params::manage_selinux,
+) inherits zabbix::params {
   class { '::zabbix::web':
     zabbix_url                               => $zabbix_url,
     database_type                            => $database_type,
@@ -206,6 +208,7 @@
     apache_php_upload_max_filesize           => $apache_php_upload_max_filesize,
     apache_php_max_input_time                => $apache_php_max_input_time,
     apache_php_always_populate_raw_post_data => $apache_php_always_populate_raw_post_data,
+    manage_selinux                           => $manage_selinux,
     require                                  => Class['zabbix::server'],
   }
 
@@ -283,6 +286,7 @@
     include_dir             => $include_dir,
     loadmodulepath          => $loadmodulepath,
     loadmodule              => $loadmodule,
+    manage_selinux          => $manage_selinux,
     require                 => Class['zabbix::database'],
   }
 

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -330,6 +330,7 @@
   $javagateway_pidfile                      = '/var/run/zabbix/zabbix_java.pid'
   $javagateway_startpollers                 = '5'
   $javagateway_timeout                      = '3'
+  $manage_selinux                           = $facts['selinux']
 
   # Gem provider may vary based on version/type of puppet install.
   # This can be a little complicated and may need revisited over time.

diff --git a/manifests/proxy.pp b/manifests/proxy.pp
@@ -413,6 +413,7 @@
   $include_dir              = $zabbix::params::proxy_include,
   $loadmodulepath           = $zabbix::params::proxy_loadmodulepath,
   $loadmodule               = $zabbix::params::proxy_loadmodule,
+  Boolean $manage_selinux   = $zabbix::params::manage_selinux,
   ) inherits zabbix::params {
 
   # Find if listenip is set. If not, we can set to specific ip or
@@ -603,7 +604,7 @@
   }
 
   # check if selinux is active and allow zabbix
-  if $::osfamily == 'RedHat' and getvar('::selinux_config_mode') == 'enforcing' {
+  if $facts['os']['selinux']['config_mode'] == 'enforcing' and $manage_selinux {
     selboolean{'zabbix_can_network':
       persistent => true,
       value      => 'on',

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -371,6 +371,7 @@
   $loadmodule              = $zabbix::params::server_loadmodule,
   $sslcertlocation_dir     = $zabbix::params::server_sslcertlocation,
   $sslkeylocation_dir      = $zabbix::params::server_sslkeylocation,
+  Boolean $manage_selinux  = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
   # Only include the repo class if it has not yet been included
   unless defined(Class['Zabbix::Repo']) {
@@ -533,7 +534,7 @@
   }
 
   # check if selinux is active and allow zabbix
-  if getvar('::selinux_config_mode') == 'enforcing' {
+  if $facts['selinux'] == 'enforcing' and $manage_selinux {
     selboolean{'zabbix_can_network':
       persistent => true,
       value      => 'on',

diff --git a/manifests/web.pp b/manifests/web.pp
@@ -220,6 +220,7 @@
   $ldap_clientcert                          = $zabbix::params::ldap_clientcert,
   $ldap_clientkey                           = $zabbix::params::ldap_clientkey,
   $puppetgem                                = $zabbix::params::puppetgem,
+  Boolean $manage_selinux                   = $zabbix::params::manage_selinux,
 ) inherits zabbix::params {
 
   # check osfamily, Arch is currently not supported for web
@@ -463,7 +464,7 @@
   } # END if $manage_vhost
 
   # check if selinux is active and allow zabbix
-  if $::osfamily == 'RedHat' and getvar('::selinux_config_mode') == 'enforcing' {
+  if $facts['selinux'] == 'enforcing' and $manage_selinux {
     selboolean{'httpd_can_connect_zabbix':
       persistent => true,
       value      => 'on',