Merge pull request #41490 from jdsieci/2016.11_selinux

Backport of SELinux module installation and removal

salt/modules/selinux.py

@@ -275,6 +275,40 @@ def setsemod(module, state):
     return not __salt__['cmd.retcode'](cmd)
 
 
+def install_semod(module_path):
+    '''
+    Install custom SELinux module from file
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' selinux.install_semod [salt://]path/to/module.pp
+
+    .. versionadded:: develop
+    '''
+    if module_path.find('salt://') == 0:
+        module_path = __salt__['cp.cache_file'](module_path)
+    cmd = 'semodule -i {0}'.format(module_path)
+    return not __salt__['cmd.retcode'](cmd)
+
+
+def remove_semod(module):
+    '''
+    Remove SELinux module
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' selinux.remove_semod module_name
+
+    .. versionadded:: develop
+    '''
+    cmd = 'semodule -r {0}'.format(module)
+    return not __salt__['cmd.retcode'](cmd)
+
+
 def list_semod():
     '''
     Return a structure listing all of the selinux modules on the system and

salt/states/selinux.py

@@ -178,7 +178,7 @@ def boolean(name, value, persist=False):
     return ret
 
 
-def module(name, module_state='Enabled', version='any'):
+def module(name, module_state='Enabled', version='any', **opts):
     '''
     Enable/Disable and optionally force a specific version for an SELinux module
 
@@ -192,12 +192,32 @@ def module(name, module_state='Enabled', version='any'):
         Defaults to no preference, set to a specified value if required.
         Currently can only alert if the version is incorrect.
 
+    install
+        Setting to True installs module
+
+    source
+        Points to module source file, used only when install is True
+
+    remove
+        Setting to True removes module
+
     .. versionadded:: 2016.3.0
     '''
     ret = {'name': name,
            'result': True,
            'comment': '',
            'changes': {}}
+    if opts.get('install', False) and opts.get('remove', False):
+        ret['result'] = False
+        ret['comment'] = 'Cannot install and remove at the same time'
+        return ret
+    if opts.get('install', False):
+        module_path = opts.get('source', name)
+        ret = module_install(module_path)
+        if not ret['result']:
+            return ret
+    elif opts.get('remove', False):
+        return module_remove(name)
     modules = __salt__['selinux.list_semod']()
     if name not in modules:
         ret['comment'] = 'Module {0} is not available'.format(name)
@@ -233,3 +253,50 @@ def module(name, module_state='Enabled', version='any'):
     ret['result'] = False
     ret['comment'] = 'Failed to set the Module {0} to {1}'.format(name, module_state)
     return ret
+
+
+def module_install(name):
+    '''
+    Installs custom SELinux module from given file
+
+    name
+        Path to file with module to install
+
+    .. versionadded:: develop
+    '''
+    ret = {'name': name,
+           'result': True,
+           'comment': '',
+           'changes': {}}
+    if __salt__['selinux.install_semod'](name):
+        ret['comment'] = 'Module {0} has been installed'.format(name)
+        return ret
+    ret['result'] = False
+    ret['comment'] = 'Failed to install module {0}'.format(name)
+    return ret
+
+
+def module_remove(name):
+    '''
+    Removes SELinux module
+
+    name
+        The name of the module to remove
+
+    .. versionadded:: develop
+    '''
+    ret = {'name': name,
+           'result': True,
+           'comment': '',
+           'changes': {}}
+    modules = __salt__['selinux.list_semod']()
+    if name not in modules:
+        ret['comment'] = 'Module {0} is not available'.format(name)
+        ret['result'] = False
+        return ret
+    if __salt__['selinux.remove_semod'](name):
+        ret['comment'] = 'Module {0} has been removed'.format(name)
+        return ret
+    ret['result'] = False
+    ret['comment'] = 'Failed to remove module {0}'.format(name)
+    return ret