Switch default behavior to not manage selinux

This changes the default behavior for the module to not modify selinux
settings unless explicitly told to. This is the desired behavior as
described in voxpupuli#64, because otherwise using one of the defined types to
manage just a specific selinux rule, but not manually declaring the
`selinux` class and setting the mode explicitly causes selinux to be
disabled. It is confusing (and undocumented) to use a defined type in a
module called `selinux` to set an selinux rule, and have that result in
selinux getting disabled.

This changes the default behavior, but it will not change the
configuration of a node in the situation where the node had the class
applied already. However, it will change the behavior in the situation
where the `selinux` class was not included on a node, and then was
switched to being included on the node without any parameters
set (included the situation of a node newly added to Puppet).

manifests/config.pp

@@ -25,44 +25,48 @@
     fail("Use of private class ${name} by ${caller_module_name}")
   }
 
-  # Validations
-  validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
-  validate_re($type, ['^targeted$', '^minimum$', '^mls$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
-
   file { $selinux::params::sx_mod_dir:
     ensure => directory,
   }
 
-  file_line { "set-selinux-config-to-${mode}":
-    path  => '/etc/selinux/config',
-    line  => "SELINUX=${mode}",
-    match => '^SELINUX=\w+',
-  }
+  if $mode {
+    validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
 
-  file_line { "set-selinux-config-type-to-${type}":
-    path  => '/etc/selinux/config',
-    line  => "SELINUXTYPE=${type}",
-    match => '^SELINUXTYPE=\w+',
-  }
+    file_line { "set-selinux-config-to-${mode}":
+      path  => '/etc/selinux/config',
+      line  => "SELINUX=${mode}",
+      match => '^SELINUX=\w+',
+    }
 
-  case $mode {
-    permissive, disabled: {
-      $sestatus = '0'
-      if $mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
-        notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
+    case $mode {
+      permissive, disabled: {
+        $sestatus = '0'
+        if $mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
+          notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
+        }
+      }
+      enforcing: {
+        $sestatus = '1'
+      }
+      default : {
+        fail('You must specify a mode (enforced, permissive, or disabled) for selinux operation')
       }
     }
-    enforcing: {
-      $sestatus = '1'
-    }
-    default : {
-      fail('You must specify a mode (enforced, permissive, or disabled) for selinux operation')
+
+    exec { "change-selinux-status-to-${mode}":
+      command => "setenforce ${sestatus}",
+      unless  => "getenforce | grep -qi \"${mode}\\|disabled\"",
+      path    => '/bin:/usr/bin:/usr/sbin',
     }
   }
 
-  exec { "change-selinux-status-to-${mode}":
-    command => "setenforce ${sestatus}",
-    unless  => "getenforce | grep -qi \"${mode}\\|disabled\"",
-    path    => '/bin:/usr/bin:/usr/sbin',
+  if $type {
+    validate_re($type, ['^targeted$', '^minimum$', '^mls$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
+
+    file_line { "set-selinux-config-type-to-${type}":
+      path  => '/etc/selinux/config',
+      line  => "SELINUXTYPE=${type}",
+      match => '^SELINUXTYPE=\w+',
+    }
   }
 }

manifests/params.pp

@@ -8,8 +8,8 @@
 #
 class selinux::params {
   $sx_mod_dir   = '/usr/share/selinux'
-  $mode         = 'disabled'
-  $type         = 'targeted'
+  $mode         = undef
+  $type         = undef
 
   case $::osfamily {
     'RedHat': {