From e2fbada1c1d3f121e4190d2cbe2d7eabf23afa5e Mon Sep 17 00:00:00 2001 From: Jerzy Drozdz Date: Sun, 26 Mar 2017 11:25:45 +0200 Subject: [PATCH] Backport of SELinux module installation and removal --- salt/modules/selinux.py | 34 ++++++++++++++++++++ salt/states/selinux.py | 69 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 102 insertions(+), 1 deletion(-) diff --git a/salt/modules/selinux.py b/salt/modules/selinux.py index dd809682cb..0c36e0ed29 100644 --- a/salt/modules/selinux.py +++ b/salt/modules/selinux.py @@ -275,6 +275,40 @@ def setsemod(module, state): return not __salt__['cmd.retcode'](cmd) +def install_semod(module_path): + ''' + Install custom SELinux module from file + + CLI Example: + + .. code-block:: bash + + salt '*' selinux.install_semod [salt://]path/to/module.pp + + .. versionadded:: develop + ''' + if module_path.find('salt://') == 0: + module_path = __salt__['cp.cache_file'](module_path) + cmd = 'semodule -i {0}'.format(module_path) + return not __salt__['cmd.retcode'](cmd) + + +def remove_semod(module): + ''' + Remove SELinux module + + CLI Example: + + .. code-block:: bash + + salt '*' selinux.remove_semod module_name + + .. versionadded:: develop + ''' + cmd = 'semodule -r {0}'.format(module) + return not __salt__['cmd.retcode'](cmd) + + def list_semod(): ''' Return a structure listing all of the selinux modules on the system and diff --git a/salt/states/selinux.py b/salt/states/selinux.py index 7b1823a013..135eaff709 100644 --- a/salt/states/selinux.py +++ b/salt/states/selinux.py @@ -178,7 +178,7 @@ def boolean(name, value, persist=False): return ret -def module(name, module_state='Enabled', version='any'): +def module(name, module_state='Enabled', version='any', **opts): ''' Enable/Disable and optionally force a specific version for an SELinux module 
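Review bot: `install_semod` and `remove_semod` interpolate a caller-supplied value straight into the `semodule` command string, so a path containing whitespace or a module name beginning with `-` is parsed as extra `semodule` arguments, and as shell syntax if `cmd.retcode` runs through a shell, which this hunk does not show. Because these commands load or unload SELinux policy with root privileges, pass the value as one argument, e.g. `cmd = ['semodule', '-i', module_path]` with `python_shell=False`, or quote it before formatting. In `install_semod` the result of `cp.cache_file` is also used unchecked; if caching fails and a false value comes back, the command becomes `semodule -i False`, so add `if not module_path: return False` after the cache call. `module_path.startswith('salt://')` states the intent more directly than `find('salt://') == 0`.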
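Review bot: The new `**opts` catch-all on `module()` accepts any keyword, so a misspelled `install`, `source` or `remove` is silently ignored and the state falls through to the enable/disable path instead of failing. Explicit keywords would make the interface self-documenting and keep unexpected keys out: `def module(name, module_state='Enabled', version='any', install=False, source=None, remove=False):`. The body of `module()` continues outside this hunk.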
@@ -192,12 +192,32 @@ def module(name, module_state='Enabled', version='any'): Defaults to no preference, set to a specified value if required. Currently can only alert if the version is incorrect. + install + Setting to True installs module + + source + Points to module source file, used only when install is True + + remove + Setting to True removes module + .. versionadded:: 2016.3.0 ''' ret = {'name': name, 'result': True, 'comment': '', 'changes': {}} + if opts.get('install', False) and opts.get('remove', False): + ret['result'] = False + ret['comment'] = 'Cannot install and remove at the same time' + return ret + if opts.get('install', False): + module_path = opts.get('source', name) + ret = module_install(module_path) + if not ret['result']: + return ret + elif opts.get('remove', False): + return module_remove(name) modules = __salt__['selinux.list_semod']() if name not in modules: ret['comment'] = 'Module {0} is not available'.format(name) 
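Review bot: The install and remove branches run before any `__opts__['test']` check visible in this hunk, so a `test=True` dry run would still load or unload SELinux policy. Guard them with `if __opts__['test']:`, setting `ret['result'] = None` and a comment describing the pending action, then return early. `module_install` and `module_remove` in the last hunk can be called as states on their own and have the same gap. Separately, when `source` is omitted `module_path` falls back to `name`, so after a successful install the later `if name not in modules` lookup compares a file path against module names and will likely report the module as unavailable; requiring `source` whenever `install` is set avoids that. The rest of `module()` lies outside this hunk.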
@@ -233,3 +253,50 @@ def module(name, module_state='Enabled', version='any'): ret['result'] = False ret['comment'] = 'Failed to set the Module {0} to {1}'.format(name, module_state) return ret + + +def module_install(name): + ''' + Installs custom SELinux module from given file + + name + Path to file with module to install + + .. versionadded:: develop + ''' + ret = {'name': name, + 'result': True, + 'comment': '', + 'changes': {}} + if __salt__['selinux.install_semod'](name): + ret['comment'] = 'Module {0} has been installed'.format(name) + return ret + ret['result'] = False + ret['comment'] = 'Failed to install module {0}'.format(name) + return ret + + +def module_remove(name): + ''' + Removes SELinux module + + name + The name of the module to remove + + .. versionadded:: develop + ''' + ret = {'name': name, + 'result': True, + 'comment': '', + 'changes': {}} + modules = __salt__['selinux.list_semod']() + if name not in modules: + ret['comment'] = 'Module {0} is not available'.format(name) + ret['result'] = False + return ret + if __salt__['selinux.remove_semod'](name): + ret['comment'] = 'Module {0} has been removed'.format(name) + return ret + ret['result'] = False + ret['comment'] = 'Failed to remove module {0}'.format(name) + return ret
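Review bot: `module_install` and `module_remove` leave `ret['changes']` empty on success, so a run that alters the loaded SELinux policy is reported as having changed nothing, which hides policy changes from anyone auditing state returns. Record the change on the success path, e.g. `ret['changes'] = {name: 'installed'}` (the value shape is only a suggestion), and the equivalent for removal. `module_install` also calls `selinux.install_semod` unconditionally, so the module is re-installed on every run; checking `selinux.list_semod` first would make it idempotent, though that needs the module name rather than the file path. Installing policy from a file with no hash or signature check leaves its integrity resting entirely on the fileserver or local path, so a `source_hash`-style option is worth considering.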