Merge pull request #1099 from blackknight36/selinux_port_fix

(MODULES-9658) - custom ports are not labeled correctly
puppetlabs · Aug 26, 2019 · a21dac9 · a21dac9
2 parents b22bdb2 + bde2932
commit a21dac9
Show file tree

Hide file tree

Showing 7 changed files with 102 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -333,9 +333,9 @@ While this module supports both 1.x and 2.x versions of the 'puppetlabs-apt' mod
 
 PostGIS is currently considered an unsupported feature, as it doesn't work on all platforms correctly.
 
-### All versions of RHEL/CentOS
+### All versions of RHEL/CentOS with manage_selinux => false
 
-If you have SELinux enabled you must add any custom ports you use to the `postgresql_port_t` context.  You can do this as follows:
+If you have SELinux enabled and you are *not* using the selinux module to manage SELinux (this is the default configuration) you will need to label any custom ports you use with the `postgresql_port_t` context.  The postgresql service will not start until this is done.  To label a port use the semanage command as follows:
 
 ```shell
 semanage port -a -t postgresql_port_t -p tcp $customport

diff --git a/manifests/globals.pp b/manifests/globals.pp
@@ -143,6 +143,7 @@
   $manage_pg_hba_conf       = undef,
   $manage_pg_ident_conf     = undef,
   $manage_recovery_conf     = undef,
+  $manage_selinux           = undef,
 
   $manage_package_repo      = undef,
   $module_workdir           = undef,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -21,6 +21,7 @@
   $manage_pg_hba_conf         = pick($manage_pg_hba_conf, true)
   $manage_pg_ident_conf       = pick($manage_pg_ident_conf, true)
   $manage_recovery_conf       = pick($manage_recovery_conf, false)
+  $manage_selinux             = pick($manage_selinux, false)
   $package_ensure             = 'present'
   $module_workdir             = pick($module_workdir,'/tmp')
 

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -131,6 +131,7 @@
   $manage_pg_hba_conf         = $postgresql::params::manage_pg_hba_conf,
   $manage_pg_ident_conf       = $postgresql::params::manage_pg_ident_conf,
   $manage_recovery_conf       = $postgresql::params::manage_recovery_conf,
+  Boolean $manage_selinux     = $postgresql::params::manage_selinux,
   $module_workdir             = $postgresql::params::module_workdir,
 
   $manage_datadir             = $postgresql::params::manage_datadir,

diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -106,9 +106,37 @@
     }
   }
 
+  # ensure that SELinux has a proper label for the port defined
+  if $postgresql::server::manage_selinux == true and $facts['selinux'] == true {
+    case $facts['osfamily'] {
+      'RedHat', 'Linux': {
+        if $facts['operatingsystem'] == 'Amazon' {
+          $package_name = 'policycoreutils'
+        }
+        else {
+          $package_name = $facts['operatingsystemmajrelease'] ? {
+            '5'     => 'policycoreutils',
+            '6'     => 'policycoreutils-python',
+            '7'     => 'policycoreutils-python',
+            default => 'policycoreutils-python-utils',
+          }
+        }
+      }
+    }
+
+    ensure_packages([$package_name])
+
+    exec { "/usr/sbin/semanage port -a -t postgresql_port_t -p tcp ${port}":
+        unless  => "/usr/sbin/semanage port -l | grep -qw ${port}",
+        before  => Postgresql::Server::Config_entry['port'],
+        require => Package[$package_name],
+    }
+  }
+
   postgresql::server::config_entry { 'port':
     value => $port,
   }
+
   postgresql::server::config_entry { 'data_directory':
     value => $datadir,
   }

diff --git a/spec/acceptance/alternative_port_spec.rb b/spec/acceptance/alternative_port_spec.rb
@@ -8,7 +8,7 @@
   end
   it 'on an alternative port' do
     pp = <<-MANIFEST
-      class { 'postgresql::server': port => '55433' }
+      class { 'postgresql::server': port => '55433', manage_selinux => true }
     MANIFEST
 
     idempotent_apply(pp)

diff --git a/spec/unit/classes/server/config_spec.rb b/spec/unit/classes/server/config_spec.rb
@@ -2,7 +2,7 @@
 
 describe 'postgresql::server::config', type: :class do
   let(:pre_condition) do
-    'include postgresql::server'
+    'class { postgresql::server: manage_selinux => true }'
   end
 
   describe 'on RedHat 7' do
@@ -16,9 +16,29 @@
         id: 'root',
         path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
         selinux: true,
+        os: {
+          'architecture' => 'x86_64',
+          'family'       => 'RedHat',
+          'hardware'     => 'x86_64',
+          'name'         => 'CentOS',
+          'release'      => {
+            'full'  => '7.6.1810',
+            'major' => '7',
+            'minor' => '6',
+          },
+        },
       }
     end
 
+    it 'has SELinux port defined' do
+      is_expected.to contain_package('policycoreutils-python-utils') .with(ensure: 'present')
+
+      is_expected.to contain_exec('/usr/sbin/semanage port -a -t postgresql_port_t -p tcp 5432')
+        .with(unless: '/usr/sbin/semanage port -l | grep -qw 5432')
+        .that_comes_before('Postgresql::Server::Config_entry[port]')
+        .that_requires('Package[policycoreutils-python-utils]')
+    end
+
     it 'has the correct systemd-override file' do
       is_expected.to contain_file('systemd-override').with(
         ensure: 'present', path: '/etc/systemd/system/postgresql.service',
@@ -65,9 +85,28 @@ class { 'postgresql::server': }
         id: 'root',
         path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
         selinux: true,
+        os: {
+          'architecture' => 'x86_64',
+          'family'       => 'RedHat',
+          'hardware'     => 'x86_64',
+          'name'         => 'Fedora',
+          'release'      => {
+            'full'  => '21',
+            'major' => '21',
+          },
+        },
       }
     end
 
+    it 'has SELinux port defined' do
+      is_expected.to contain_package('policycoreutils-python-utils') .with(ensure: 'present')
+
+      is_expected.to contain_exec('/usr/sbin/semanage port -a -t postgresql_port_t -p tcp 5432')
+        .with(unless: '/usr/sbin/semanage port -l | grep -qw 5432')
+        .that_comes_before('Postgresql::Server::Config_entry[port]')
+        .that_requires('Package[policycoreutils-python-utils]')
+    end
+
     it 'has the correct systemd-override file' do
       is_expected.to contain_file('systemd-override').with(
         ensure: 'present', path: '/etc/systemd/system/postgresql.service',
@@ -103,6 +142,30 @@ class { 'postgresql::server': }
     end
   end
 
+  describe 'on Amazon' do
+    let :facts do
+      {
+        osfamily: 'RedHat',
+        operatingsystem: 'Amazon',
+        operatingsystemrelease: '1.0',
+        concat_basedir: tmpfilename('server'),
+        kernel: 'Linux',
+        id: 'root',
+        path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        selinux: true,
+      }
+    end
+
+    it 'has SELinux port defined' do
+      is_expected.to contain_package('policycoreutils') .with(ensure: 'present')
+
+      is_expected.to contain_exec('/usr/sbin/semanage port -a -t postgresql_port_t -p tcp 5432')
+        .with(unless: '/usr/sbin/semanage port -l | grep -qw 5432')
+        .that_comes_before('Postgresql::Server::Config_entry[port]')
+        .that_requires('Package[policycoreutils]')
+    end
+  end
+
   describe 'on Gentoo' do
     let(:pre_condition) do
       <<-EOS
@@ -125,6 +188,10 @@ class { 'postgresql::server': }
       }
     end
 
+    it 'does not have SELinux port defined' do
+      is_expected.not_to contain_exec('/usr/sbin/semanage port -a -t postgresql_port_t -p tcp 5432')
+    end
+
     it 'has the correct systemd-override file' do
       is_expected.to contain_file('systemd-override').with(
         ensure: 'present', path: '/etc/systemd/system/postgresql-9.5.service',