From c29a9dd8df97e6dd6e2beba79d95d62034f6ccb1 Mon Sep 17 00:00:00 2001 From: K Jonathan Harker Date: Wed, 28 May 2014 17:39:59 -0700 Subject: [PATCH] Only include selinux bits on rhel-based systems The gate-config-puppet-apply test will try to run everything on a bare-precise node, so even though this doesn't occur in production it is being tested. Change-Id: I13b03a7476e30cbb26dc820bb4cf5b56c4018669
---
modules/cgit/manifests/init.pp | 63 +++++-------------- modules/cgit/manifests/selinux.pp | 55 ++++++++++++++++ modules/openstack_project/manifests/git.pp | 6 +- .../manifests/git_backend.pp | 6 +- modules/openstack_project/manifests/pbx.pp | 6 +- 5 files changed, 82 insertions(+), 54 deletions(-) create mode 100644 modules/cgit/manifests/selinux.pp
diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp
index 333f5e73e2..dbef285ed1 100644
--- a/modules/cgit/manifests/init.pp
+++ b/modules/cgit/manifests/init.pp
@@ -29,8 +29,23 @@ class cgit(
 $behind_proxy = false,
 ) {
 
+ if $behind_proxy == true {
+ $http_port = 8080
+ $https_port = 4443
+ $daemon_port = 29418
+ }
+ else {
+ $http_port = 80
+ $https_port = 443
+ $daemon_port = 9418
+ }
+
 include apache
 
+ if ($::osfamily == 'RedHat') {
+ include cgit::selinux
+ }
+
 package { [
 'cgit',
 'git-daemon',
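Review bot: The new `if ($::osfamily == 'RedHat') { include cgit::selinux }` gates the SELinux handling on OS family, not on whether SELinux is actually active on the node; `cgit::selinux` drives `selboolean` and `semanage`, and whether those succeed on a RedHat host where SELinux is still disabled on the first run (the callers' `class { 'selinux': mode => 'enforcing' }` may only take effect after a reboot) is not visible here and is worth confirming on a fresh node, since the Facter `$::selinux` fact could be added to the guard if they do not. The gate also deserves a why-comment so the next reader does not widen it, e.g. `# SELinux booleans/port labels only exist on RedHat-family hosts; non-RHEL nodes (puppet-apply gate only) skip them.`. The `cgit` class body continues beyond this hunk.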
@@ -68,54 +83,6 @@ class cgit(
 require => User['cgit'],
 }
 
- exec { 'restorecon -R -v /var/lib/git':
- path => '/sbin',
- require => File['/var/lib/git'],
- subscribe => File['/var/lib/git'],
- refreshonly => true,
- }
-
- selboolean { 'httpd_enable_cgi':
- persistent => true,
- value => on
- }
-
- package { 'policycoreutils-python':
- ensure => present,
- }
-
- if $behind_proxy == true {
- $http_port = 8080
- $https_port = 4443
- $daemon_port = 29418
- }
- else {
- $http_port = 80
- $https_port = 443
- $daemon_port = 9418
- }
-
- exec { 'cgit_allow_http_port':
- # If we cannot add the rule modify the existing rule.
- onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${http_port}\'",
- command => "semanage port -m -t http_port_t -p tcp ${http_port}",
- path => '/bin:/usr/sbin',
- before => Service['httpd'],
- require => Package['policycoreutils-python'],
- subscribe => File['/etc/httpd/conf/httpd.conf'],
- refreshonly => true,
- }
-
- exec { 'cgit_allow_https_port':
- # If we cannot add the rule modify the existing rule.
- onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${https_port}\'",
- command => "semanage port -m -t http_port_t -p tcp ${https_port}",
- path => '/bin:/usr/sbin',
- require => Package['policycoreutils-python'],
- subscribe => File['/etc/httpd/conf.d/ssl.conf'],
- refreshonly => true,
- }
-
 apache::vhost { $vhost_name:
 port => $https_port,
 serveraliases => $serveraliases,
diff --git a/modules/cgit/manifests/selinux.pp b/modules/cgit/manifests/selinux.pp
new file mode 100644
index 0000000000..35eefca720
--- /dev/null
+++ b/modules/cgit/manifests/selinux.pp
@@ -0,0 +1,55 @@
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Class: cgit::selinux
+#
+class cgit::selinux {
+ exec { 'restorecon -R -v /var/lib/git':
+ path => '/sbin',
+ require => File['/var/lib/git'],
+ subscribe => File['/var/lib/git'],
+ refreshonly => true,
+ }
+
+ selboolean { 'httpd_enable_cgi':
+ persistent => true,
+ value => on
+ }
+
+ package { 'policycoreutils-python':
+ ensure => present,
+ }
+
+ exec { 'cgit_allow_http_port':
+ # If we cannot add the rule modify the existing rule.
+ onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${::cgit::http_port}\'",
+ command => "semanage port -m -t http_port_t -p tcp ${::cgit::http_port}",
+ path => '/bin:/usr/sbin',
+ before => Service['httpd'],
+ require => Package['policycoreutils-python'],
+ subscribe => File['/etc/httpd/conf/httpd.conf'],
+ refreshonly => true,
+ }
+
+ exec { 'cgit_allow_https_port':
+ # If we cannot add the rule modify the existing rule.
+ onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${::cgit::https_port}\'",
+ command => "semanage port -m -t http_port_t -p tcp ${::cgit::https_port}",
+ path => '/bin:/usr/sbin',
+ require => Package['policycoreutils-python'],
+ subscribe => File['/etc/httpd/conf.d/ssl.conf'],
+ refreshonly => true,
+ }
+}
+
diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp
index 9356df3710..362b528502 100644
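Review bot: `cgit_allow_https_port` lacks the `before => Service['httpd']` that `cgit_allow_http_port` carries, so on an enforcing host an httpd restart triggered by the ssl.conf change can be ordered before the `semanage port ... ${::cgit::https_port}` label is applied and the bind to the non-standard port (4443 when behind the proxy, per init.pp) would be denied; add `before => Service['httpd'],` to the https exec as well. Whether that ordering actually happens depends on what else subscribes to ssl.conf, which is outside this file. The `onlyif` is itself a mutating `semanage port -a`, with the `-m` command only run when the add fails, which deserves a comment so it is not later "fixed" into a read-only check, e.g. `# onlyif does the real work: try to add the label; fall back to -m (modify) when the port is already labelled.`. The class header is bare: it should state that the class is RedHat/SELinux-only, must be declared from `cgit` because it reads `$::cgit::http_port` and `$::cgit::https_port`, and references `File['/var/lib/git']`, `Service['httpd']` and the httpd config files that are declared elsewhere.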
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@@ -25,8 +25,10 @@ class openstack_project::git (
 sysadmins => $sysadmins,
 }
 
- class { 'selinux':
- mode => 'enforcing'
+ if ($::osfamily == 'RedHat') {
+ class { 'selinux':
+ mode => 'enforcing'
+ }
 }
 
 package { 'socat':
diff --git a/modules/openstack_project/manifests/git_backend.pp b/modules/openstack_project/manifests/git_backend.pp
index cb0ca26758..2540531645 100644
--- a/modules/openstack_project/manifests/git_backend.pp
+++ b/modules/openstack_project/manifests/git_backend.pp
@@ -101,8 +101,10 @@ class openstack_project::git_backend (
 refreshonly => true,
 }
 
- class { 'selinux':
- mode => 'enforcing'
+ if ($::osfamily == 'RedHat') {
+ class { 'selinux':
+ mode => 'enforcing'
+ }
 }
 
 cron { 'mirror_repack':
diff --git a/modules/openstack_project/manifests/pbx.pp b/modules/openstack_project/manifests/pbx.pp
index 94e000cd9b..4de500d10d 100644
--- a/modules/openstack_project/manifests/pbx.pp
+++ b/modules/openstack_project/manifests/pbx.pp
@@ -29,8 +29,10 @@ class openstack_project::pbx (
 iptables_rules6 => ['-m udp -p udp --dport 10000:20000 -j ACCEPT'],
 }
 
- class { 'selinux':
- mode => 'enforcing',
+ if ($::osfamily == 'RedHat') {
+ class { 'selinux':
+ mode => 'enforcing'
+ }
 }
 
 realize (
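Review bot: On any non-RedHat host this hunk now declares no `selinux` class at all, so the enforcing MAC baseline silently disappears, and nothing in the manifest records that this is meant only for the bare-precise puppet-apply gate node (per the commit message) rather than a supported production shape; a comment above the `if` such as `# SELinux enforcing is the production baseline; non-RedHat hosts exist only in the puppet-apply gate and get no MAC policy.` keeps that intent visible, and an `else { warning('SELinux not managed on non-RedHat host') }` would surface it in agent logs. The identical change appears in the git_backend.pp and pbx.pp hunks below and the comment belongs in each. The enclosing classes continue outside these hunks.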