BREAKING: Refactor selinux::module

README.md

@@ -37,6 +37,15 @@ running system.
 * Mailinglist: <[email protected]> 
   ([groups.io Webinterface](https://groups.io/g/voxpupuli/topics))
 
+## Upgrading from puppet-selinux 0.8.x
+
+* Previously, module building always used the refpolicy framework. The default
+  module builder is now 'simple', which uses only checkmodule. Not all features are
+  supported with this builder.
+
+  To build modules using the refpolicy framework like previous versions did,
+  specify the  'refpolicy' builder either explicitly per module or globally
+  via the main class
 
 ## Known problems / limitations
 
@@ -51,8 +60,6 @@ running system.
   does) the order is important. If you add /my/folder before /my/folder/subfolder
   only /my/folder will match (limitation of SELinux). There is no such limitation
   to file-contexts defined in SELinux modules. (GH-121)
-* `selinux::module` only allows to add a type enforcment file (`*.te`) but no
-  interfaces (`*.if`) or file-contexts (`*.fc`).
 * While SELinux is disabled the defined types `selinux::boolean`, 
   `selinux::fcontext`, `selinux::port` will produce puppet agent runtime errors 
   because the used tools fail.
@@ -97,12 +104,15 @@ are `target`, `minimum`, and `mls`). Note that disabling SELinux requires a rebo
 to fully take effect. It will run in `permissive` mode until then.
 
 
-### Deploy a custom module
+### Deploy a custom module using the refpolicy framework
 
 ```puppet
 selinux::module { 'resnet-puppet':
-  ensure => 'present',
-  source => 'puppet:///modules/site_puppet/site-puppet.te',
+  ensure    => 'present',
+  source_te => 'puppet:///modules/site_puppet/site-puppet.te',
+  source_fc => 'puppet:///modules/site_puppet/site-puppet.fc',
+  source_if => 'puppet:///modules/site_puppet/site-puppet.if',
+  builder   => 'refpolicy'
 }
 ```
 

files/selinux_build_module.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+module_name="$1"
+set -e
+checkmodule -M -m -o ${module_name}.mod ${module_name}.te
+package_args="-o ${module_name}.pp -m ${module_name}.mod"
+if [ -f "${module_name}.fc" ]; then
+    package_args="${package_args} --fc ${module_name}.fc"
+fi
+
+semodule_package ${package_args}

lib/facter/selinux_agent_vardir.rb

@@ -0,0 +1,6 @@
+require 'puppet'
+Facter.add(:selinux_agent_vardir) do
+  setcode do
+    Puppet.settings['vardir']
+  end
+end

manifests/config.pp

@@ -11,26 +11,20 @@
 # @param type See main class
 # @param manage_package See main class
 # @param package_name See main class
-# @param sx_mod_dir See main class
+# @param module_build_root See main class
 #
 class selinux::config (
-  $mode           = $::selinux::mode,
-  $type           = $::selinux::type,
-  $sx_mod_dir     = $::selinux::sx_mod_dir,
-  $manage_package = $::selinux::manage_package,
-  $package_name   = $::selinux::package_name,
+  $mode              = $::selinux::mode,
+  $type              = $::selinux::type,
+  $manage_package    = $::selinux::manage_package,
+  $package_name      = $::selinux::package_name,
+  $module_build_root = $::selinux::module_build_root
 ) {
 
   if $caller_module_name != $module_name {
     fail("Use of private class ${name} by ${caller_module_name}")
   }
 
-  file { $sx_mod_dir:
-    ensure => directory,
-    owner  => 'root',
-    group  => 'root',
-  }
-
   if ($mode == 'enforcing' and !$::selinux) {
     notice('SELinux is disabled. Forcing configuration to permissive to avoid problems. To disable this warning, explicitly set selinux::mode to permissive or disabled.')
     $_real_mode = 'permissive'
@@ -86,4 +80,34 @@
       match => '^SELINUXTYPE=\w+',
     }
   }
+
+  # Module build config:
+  validate_absolute_path($module_build_root)
+
+  file {$module_build_root:
+    ensure => 'directory',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
+
+  # put helper in place:
+  file {"${module_build_root}/modules/selinux_build_module.sh":
+    ensure => 'present',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+    source => "puppet:///modules/${module_name}/selinux_build_module.sh",
+  }
+
+  $module_build_dir = "${module_build_root}/modules"
+
+  file {$module_build_dir:
+    ensure  => 'directory',
+    owner   => 'root',
+    group   => 'root',
+    recurse => true,
+    purge   => true,
+    force   => true,
+  }
 }

manifests/init.pp

@@ -14,29 +14,33 @@
 # @param type sets the selinux type
 #   Default value: undef
 #   Allowed values: (targeted|minimum|mls|undef)
-# @param sx_mod_dir directory where to store puppet managed selinux modules
-#   Default value: /usr/share/selinux
-#   Allowed values: absolute path
-# @param makefile the path to the systems SELinux makefile
+# @param makefile the path to the system's SELinux makefile
 #   Default value: /usr/share/selinux/devel/Makefile
 #   Allowed value: absolute path
-# @param manage_package manage the package for selinux tools
+# @param manage_package manage the package for selinux tools and refpolicy
 #   Default value: true
 # @param package_name sets the name for the selinux tools package
 #   Default value: OS dependent (see params.pp)
+# @param refpolicy_package_name sets the name for the refpolicy development package, required for the
+# refpolicy module builder
+#   Default value: OS dependent (see params.pp)
+# @param default_builder which builder to use by default with selinux::module
+#   Default value: refpolicy
 # @param boolean Hash of selinux::boolean resource parameters
 # @param fcontext Hash of selinux::fcontext resource parameters
 # @param module Hash of selinux::module resource parameters
 # @param permissive Hash of selinux::module resource parameters
 # @param port Hash of selinux::port resource parameters
 #
 class selinux (
-  $mode           = $::selinux::params::mode,
-  $type           = $::selinux::params::type,
-  $sx_mod_dir     = $::selinux::params::sx_mod_dir,
-  $makefile       = $::selinux::params::makefile,
-  $manage_package = $::selinux::params::manage_package,
-  $package_name   = $::selinux::params::package_name,
+  $mode                   = $::selinux::params::mode,
+  $type                   = $::selinux::params::type,
+  $makefile               = $::selinux::params::refpolicy_makefile,
+  $manage_package         = $::selinux::params::manage_package,
+  $package_name           = $::selinux::params::package_name,
+  $refpolicy_package_name = $::selinux::params::refpolicy_package_name,
+  $module_build_root      = $::selinux::params::module_build_root,
+  $default_builder        = 'simple',
 
   ### START Hiera Lookups ###
   $boolean        = undef,
@@ -58,7 +62,6 @@
     default => 'undef',
   }
 
-  validate_absolute_path($sx_mod_dir)
   validate_re($mode_real, ['^enforcing$', '^permissive$', '^disabled$', '^undef$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
   validate_re($type_real, ['^targeted$', '^minimum$', '^mls$', '^undef$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
   validate_string($makefile)

manifests/module.pp

@@ -9,75 +9,114 @@
 # 
 # @example compile and load the apache module
 #   selinux::module{ 'apache':
-#     ensure => 'present',
-#     source => 'puppet:///modules/selinux/apache.te',
+#     ensure    => 'present',
+#     source_te => 'puppet:///modules/selinux/apache.te',
+#     builder   => 'simple'
 #   }
 #
 # @param ensure present or absent
-# @param sx_mod_dir path where source is stored and the module built. 
-#   Valid values: absolute path
-# @param source the source file (either a puppet URI or local file) of the SELinux .te file
-# @param content content of the source .te file
-# @param makefile absolute path to the selinux-devel Makefile
-# @param prefix (DEPRECATED) the prefix to add to the loaded module. Defaults to ''.
-#   Does not work with CentOS >= 7.2 and Fedora >= 24 SELinux tools.
+# @param source_te the source file (either a puppet URI or local file) of the SELinux .te file
+# @param source_fc the source file (either a puppet URI or local file) of the SELinux .fc file
+# @param source_if the source file (either a puppet URI or local file) of the SELinux .if file
+# @param builder either 'simple' or 'refpolicy'. The simple builder attempts to use checkmodule
+# to build the module, whereas 'refpolicy' uses the refpolicy framework, but requires 'make'
 # @param syncversion selmodule syncversion param
 define selinux::module(
-  $source       = undef,
-  $content      = undef,
-  $ensure       = 'present',
-  $makefile     = '/usr/share/selinux/devel/Makefile',
-  $prefix       = '',
-  $sx_mod_dir   = '/usr/share/selinux',
+  Optional[String] $source_te = undef,
+  Optional[String] $source_fc = undef,
+  Optional[String] $source_if = undef,
+  Enum['absent', 'present'] $ensure = 'present',
+  Optional[Enum['simple', 'refpolicy']] $builder = undef,
   $syncversion  = undef,
 ) {
 
+  if $builder == 'refpolicy' {
+    require ::selinux::refpolicy_package
+  }
+
   include ::selinux
 
+  if ($builder == 'simple' and $source_if != undef) {
+    fail("The simple builder does not support the 'source_if' parameter")
+  }
+
+  # let's just make doubly sure that this is an absolute path:
+  validate_absolute_path($::selinux::config::module_build_dir)
+
+  $module_dir = "${::selinux::config::module_build_dir}/${title}"
+  $module_file = "${module_dir}/${title}"
+
+  $build_command = pick($builder, $::selinux::default_builder, 'none') ? {
+      'simple'    => shellquote("${::selinux::config::module_build_dir}/selinux_build_module.sh", $title),
+      'refpolicy' => shellquote('make', '-f', '/usr/share/selinux/devel/Makefile', "${title}.pp"),
+      'none'      => fail('No builder or default builder specified')
+  }
+
   Anchor['selinux::module pre'] ->
   Selinux::Module[$title] ->
   Anchor['selinux::module post']
+  $has_source = (pick($source_te, $source_fc, $source_if, false) != false)
 
-  validate_re($ensure, [ '^present$', '^absent$' ], '$ensure must be "present" or "absent"')
-  if $ensure == 'present' and $source == undef and $content == undef {
-    fail("You must provide 'source' or 'content' field for selinux module")
-  }
-  if $source != undef {
-    validate_string($source)
-  }
-  if $content != undef {
-    validate_string($content)
-  }
-  validate_string($prefix)
-  validate_absolute_path($sx_mod_dir)
-  validate_absolute_path($makefile)
-  if $syncversion != undef {
-    validate_bool($syncversion)
-  }
+  if $has_source and $ensure == 'present' {
+    file {$module_dir:
+      ensure  => directory,
+    }
+
+    if $source_te {
+      file {"${module_file}.te":
+        ensure => 'file',
+        source => $source_te,
+        notify => Exec["clean-module-${title}"],
+      }
+    }
+    if $source_fc {
+      file {"${module_file}.fc":
+        ensure => 'file',
+        source => $source_fc,
+        notify => Exec["clean-module-${title}"],
+      }
+    }
+    if $source_if {
+      file {"${module_file}.if":
+        ensure => 'file',
+        source => $source_if,
+        notify => Exec["clean-module-${title}"],
+      }
+    }
+    exec { "clean-module-${title}":
+      path        => '/bin:/usr/bin',
+      cwd         => $module_dir,
+      command     => "rm -f '${title}.pp' loaded",
+      refreshonly => true,
+      notify      => Exec["build-module-${title}"],
+    }
 
-  ## Begin Configuration
-  file { "${sx_mod_dir}/${prefix}${name}.te":
-    ensure  => $ensure,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    source  => $source,
-    content => $content,
+    exec { "build-module-${title}":
+      path    => '/bin:/usr/bin',
+      cwd     => $module_dir,
+      command => "${build_command} || (rm -f ${title}.pp loaded && exit 1)",
+      creates => "${module_file}.pp",
+      notify  => Exec["install-module-${title}"],
+    }
+    # we need to install the module manually because selmodule is kind of dumb. It ends up
+    # working fine, though.
+    exec { "install-module-${title}":
+      path    => '/sbin:/usr/sbin:/bin:/usr/bin',
+      cwd     => $module_dir,
+      command => "semodule -i ${title}.pp && touch loaded",
+      creates => "${module_dir}/loaded",
+      before  => Selmodule[$title],
+    }
   }
-  ~>
-  exec { "${sx_mod_dir}/${prefix}${name}.pp":
-  # Only allow refresh in the event that the initial .te file is updated.
-    command     => shellquote('make', '-f', $makefile, "${prefix}${name}.pp"),
-    path        => '/bin:/sbin:/usr/bin:/usr/sbin',
-    refreshonly => true,
-    cwd         => $sx_mod_dir,
+  $module_path = $has_source ? {
+    true  => "${module_file}.pp",
+    false => undef
   }
-  ->
-  selmodule { $name:
+
+  selmodule { $title:
     # Load the module if it has changed or was not loaded
     # Warning: change the .te version!
     ensure        => $ensure,
-    selmodulepath => "${sx_mod_dir}/${prefix}${name}.pp",
-    syncversion   => $syncversion,
+    selmodulepath => $module_path,
   }
 }

manifests/params.pp

@@ -6,12 +6,16 @@
 # This class provides default parameters for the selinux class
 #
 class selinux::params {
-  $makefile       = '/usr/share/selinux/devel/Makefile'
-  $sx_mod_dir     = '/usr/share/selinux'
+  $refpolicy_makefile = '/usr/share/selinux/devel/Makefile'
   $mode           = undef
   $type           = undef
   $manage_package = true
 
+  $refpolicy_package_name = 'selinux-policy-devel'
+
+  validate_absolute_path($::selinux_agent_vardir)
+  $module_build_root = "${::selinux_agent_vardir}/puppet-selinux"
+
   if $::operatingsystemmajrelease {
     $os_maj_release = $::operatingsystemmajrelease
   } else {
@@ -32,7 +36,7 @@
               $package_name = 'policycoreutils-devel'
             }
             '24', '25' : {
-              $package_name = 'selinux-policy-devel'
+              $package_name = 'policycoreutils-python-utils'
             }
             default: {
               fail("${::operatingsystem}-${::os_maj_release} is not supported")
@@ -43,7 +47,7 @@
           case $os_maj_release {
             '7': {
               $sx_fs_mount = '/sys/fs/selinux'
-              $package_name = 'selinux-policy-devel'
+              $package_name = 'policycoreutils-python'
             }
             '6': {
               $sx_fs_mount = '/selinux'