Merge pull request voxpupuli#195 from vinzent/module_refactor_refpoli…

…cy_test Redesign selinux::module defined type
EmRowlands · Feb 17, 2017 · b4ae78c · b4ae78c
2 parents 67a4d10 + 46425c7
commit b4ae78c
Show file tree

Hide file tree

Showing 16 changed files with 459 additions and 166 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,15 @@ running system.
 * Mailinglist: <[email protected]> 
   ([groups.io Webinterface](https://groups.io/g/voxpupuli/topics))
 
+## Upgrading from puppet-selinux 0.8.x
+
+* Previously, module building always used the refpolicy framework. The default
+  module builder is now 'simple', which uses only checkmodule. Not all features are
+  supported with this builder.
+
+  To build modules using the refpolicy framework like previous versions did,
+  specify the  'refpolicy' builder either explicitly per module or globally
+  via the main class
 
 ## Known problems / limitations
 
@@ -51,8 +60,6 @@ running system.
   does) the order is important. If you add /my/folder before /my/folder/subfolder
   only /my/folder will match (limitation of SELinux). There is no such limitation
   to file-contexts defined in SELinux modules. (GH-121)
-* `selinux::module` only allows to add a type enforcment file (`*.te`) but no
-  interfaces (`*.if`) or file-contexts (`*.fc`).
 * While SELinux is disabled the defined types `selinux::boolean`, 
   `selinux::fcontext`, `selinux::port` will produce puppet agent runtime errors 
   because the used tools fail.
@@ -97,12 +104,15 @@ are `target`, `minimum`, and `mls`). Note that disabling SELinux requires a rebo
 to fully take effect. It will run in `permissive` mode until then.
 
 
-### Deploy a custom module
+### Deploy a custom module using the refpolicy framework
 
 ```puppet
 selinux::module { 'resnet-puppet':
-  ensure => 'present',
-  source => 'puppet:///modules/site_puppet/site-puppet.te',
+  ensure    => 'present',
+  source_te => 'puppet:///modules/site_puppet/site-puppet.te',
+  source_fc => 'puppet:///modules/site_puppet/site-puppet.fc',
+  source_if => 'puppet:///modules/site_puppet/site-puppet.if',
+  builder   => 'refpolicy'
 }
 ```
 
@@ -131,9 +141,9 @@ selinux::boolean { 'puppetagent_manage_all_files': }
 * run acceptance tests:
 
 ```
-BEAKER_debug=yes BEAKER_set="centos-6-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker
-BEAKER_debug=yes BEAKER_set="centos-7-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker
-BEAKER_debug=yes BEAKER_set="fedora-24-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker
+BEAKER_debug=yes BEAKER_set="centos-6-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker &&
+BEAKER_debug=yes BEAKER_set="centos-7-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker &&
+BEAKER_debug=yes BEAKER_set="fedora-24-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker &&
 BEAKER_debug=yes BEAKER_set="fedora-25-x64" PUPPET_INSTALL_TYPE="agent" bundle exec rake beaker
 ```
 

diff --git a/files/selinux_build_module_simple.sh b/files/selinux_build_module_simple.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+module_name="$1"
+module_dir="$2"
+
+set -e
+
+cd $module_dir
+test -d tmp || mkdir tmp
+
+checkmodule -M -m -o tmp/${module_name}.mod ${module_name}.te
+package_args="-o ${module_name}.pp -m tmp/${module_name}.mod"
+if [ -s "${module_name}.fc" ]; then
+    package_args="${package_args} --fc ${module_name}.fc"
+fi
+
+semodule_package ${package_args}
diff --git a/lib/facter/selinux_agent_vardir.rb b/lib/facter/selinux_agent_vardir.rb
@@ -0,0 +1,6 @@
+require 'puppet'
+Facter.add(:selinux_agent_vardir) do
+  setcode do
+    Puppet.settings['vardir']
+  end
+end
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -7,30 +7,38 @@
 #
 # It is included in the main class ::selinux
 #
+#
+#
+# Config for module building
+# --------------------------
+#
+# The module building requires the following file structure:
+#
+# ```
+# $module_build_root/
+#   bin/ # for simple module build script
+#   modules/ # module source files and compiled policies
+#   modules/tmp # repolicy tempfiles (created by scripts)
+# ```
+#
 # @param mode See main class
 # @param type See main class
 # @param manage_package See main class
 # @param package_name See main class
-# @param sx_mod_dir See main class
+# @param module_build_root See main class
 #
 class selinux::config (
-  $mode           = $::selinux::mode,
-  $type           = $::selinux::type,
-  $sx_mod_dir     = $::selinux::sx_mod_dir,
-  $manage_package = $::selinux::manage_package,
-  $package_name   = $::selinux::package_name,
+  $mode              = $::selinux::mode,
+  $type              = $::selinux::type,
+  $manage_package    = $::selinux::manage_package,
+  $package_name      = $::selinux::package_name,
+  $module_build_root = $::selinux::module_build_root
 ) {
 
   if $caller_module_name != $module_name {
     fail("Use of private class ${name} by ${caller_module_name}")
   }
 
-  file { $sx_mod_dir:
-    ensure => directory,
-    owner  => 'root',
-    group  => 'root',
-  }
-
   if ($mode == 'enforcing' and !$::selinux) {
     notice('SELinux is disabled. Forcing configuration to permissive to avoid problems. To disable this warning, explicitly set selinux::mode to permissive or disabled.')
     $_real_mode = 'permissive'
@@ -86,4 +94,45 @@
       match => '^SELINUXTYPE=\w+',
     }
   }
+
+  # Module build config:
+  validate_absolute_path($module_build_root)
+
+  file {$module_build_root:
+    ensure => 'directory',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  file {"${module_build_root}/bin":
+    ensure => 'directory',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  # put helper in place:
+  file {"${module_build_root}/bin/selinux_build_module_simple.sh":
+    ensure => 'present',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+    source => "puppet:///modules/${module_name}/selinux_build_module_simple.sh",
+  }
+
+  $module_build_dir = "${module_build_root}/modules"
+
+  file {$module_build_dir:
+    ensure  => 'directory',
+    owner   => 'root',
+    group   => 'root',
+    recurse => true,
+    purge   => true,
+    force   => true,
+  }
+
+  # created by refpolicy builder and our simple builder
+  # ensure it does not get purged
+  file {"${module_build_dir}/tmp": selinux_ignore_defaults => true }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -14,29 +14,33 @@
 # @param type sets the selinux type
 #   Default value: undef
 #   Allowed values: (targeted|minimum|mls|undef)
-# @param sx_mod_dir directory where to store puppet managed selinux modules
-#   Default value: /usr/share/selinux
-#   Allowed values: absolute path
-# @param makefile the path to the systems SELinux makefile
+# @param refpolicy_makefile the path to the system's SELinux makefile for the refpolicy framework
 #   Default value: /usr/share/selinux/devel/Makefile
 #   Allowed value: absolute path
-# @param manage_package manage the package for selinux tools
+# @param manage_package manage the package for selinux tools and refpolicy
 #   Default value: true
 # @param package_name sets the name for the selinux tools package
 #   Default value: OS dependent (see params.pp)
+# @param refpolicy_package_name sets the name for the refpolicy development package, required for the
+# refpolicy module builder
+#   Default value: OS dependent (see params.pp)
+# @param default_builder which builder to use by default with selinux::module
+#   Default value: simple
 # @param boolean Hash of selinux::boolean resource parameters
 # @param fcontext Hash of selinux::fcontext resource parameters
 # @param module Hash of selinux::module resource parameters
 # @param permissive Hash of selinux::module resource parameters
 # @param port Hash of selinux::port resource parameters
 #
 class selinux (
-  $mode           = $::selinux::params::mode,
-  $type           = $::selinux::params::type,
-  $sx_mod_dir     = $::selinux::params::sx_mod_dir,
-  $makefile       = $::selinux::params::makefile,
-  $manage_package = $::selinux::params::manage_package,
-  $package_name   = $::selinux::params::package_name,
+  Optional[Enum['enforcing', 'permissive', 'disabled']] $mode = $::selinux::params::mode,
+  Optional[Enum['targeted', 'minimum', 'mls']] $type          = $::selinux::params::type,
+  String  $refpolicy_makefile                                 = $::selinux::params::refpolicy_makefile,
+  Boolean $manage_package                                     = $::selinux::params::manage_package,
+  String $package_name                                        = $::selinux::params::package_name,
+  String $refpolicy_package_name                              = $::selinux::params::refpolicy_package_name,
+  String $module_build_root                                   = $::selinux::params::module_build_root,
+  Enum['refpolicy', 'simple'] $default_builder                = 'simple',
 
   ### START Hiera Lookups ###
   $boolean        = undef,
@@ -48,23 +52,6 @@
 
 ) inherits selinux::params {
 
-  $mode_real = $mode ? {
-    /\w+/   => $mode,
-    default => 'undef',
-  }
-
-  $type_real = $type ? {
-    /\w+/   => $type,
-    default => 'undef',
-  }
-
-  validate_absolute_path($sx_mod_dir)
-  validate_re($mode_real, ['^enforcing$', '^permissive$', '^disabled$', '^undef$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
-  validate_re($type_real, ['^targeted$', '^minimum$', '^mls$', '^undef$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
-  validate_string($makefile)
-  validate_bool($manage_package)
-  validate_string($package_name)
-
   class { '::selinux::package':
     manage_package => $manage_package,
     package_name   => $package_name,