.travis.yml

@@ -55,5 +55,21 @@ matrix:
     env: PUPPET_GEM_VERSION="~> 3.6.0" STRICT_VARIABLES="yes"
   - rvm: 2.1.0
     env: PUPPET_GEM_VERSION="~> 3.7.0" STRICT_VARIABLES="yes"
+  - rvm: 1.9.3
+    env: PUPPET_GEM_VERSION="~> 4.0.0"
+  - rvm: 2.0
+    env: PUPPET_GEM_VERSION="~> 4.0.0"
+  - rvm: 2.1
+    env: PUPPET_GEM_VERSION="~> 4.0.0"
+  - rvm: 2.2
+    env: PUPPET_GEM_VERSION="~> 4.0.0"
+  - rvm: 1.9.3
+    env: PUPPET_GEM_VERSION="~> 4.1.0"
+  - rvm: 2.0
+    env: PUPPET_GEM_VERSION="~> 4.1.0"
+  - rvm: 2.1
+    env: PUPPET_GEM_VERSION="~> 4.1.0"
+  - rvm: 2.2
+    env: PUPPET_GEM_VERSION="~> 4.1.0"
 notifications:
   email: false

Gemfile

@@ -2,9 +2,11 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org"
 
 group :unit_tests do
   gem 'rake',                    :require => false
-  gem 'rspec-puppet',            :require => false, :git => 'https://github.com/rodjek/rspec-puppet.git', :tag => 'v2.0.0'
+  # https://github.com/rspec/rspec-core/issues/1864
+  gem 'rspec', '< 3.2.0', {"platforms"=>["ruby_18"]}
+  gem 'rspec-puppet', '~> 2.1',  :require => false
   gem 'puppetlabs_spec_helper',  :require => false
-  gem 'puppet-lint', '1.0.1',    :require => false
+  gem 'puppet-lint', '~> 1.0',    :require => false
   gem 'puppet-syntax',           :require => false
   gem 'metadata-json-lint',      :require => false
   gem 'json',                    :require => false

lib/facter/selinux_custom_policy.rb

@@ -0,0 +1,12 @@
+# As a workaround for Facter bug with EL7:
+# https://tickets.puppetlabs.com/browse/FACT-756
+# 
+
+require 'facter'
+
+Facter.add(:selinux_custom_policy) do
+  confine :kernel => 'Linux', :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux => ['true', true]
+  setcode do
+    Facter::Util::Resolution.exec("sestatus | grep 'Loaded policy name' | awk '{ print \$4 }'")
+  end
+end

manifests/config.pp

@@ -39,7 +39,7 @@
   case $mode {
     permissive, disabled: {
       $sestatus = '0'
-      if $mode == 'disabled' and $::selinux_current_mode == 'permissive' {
+      if $mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
         notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
       }
     }

manifests/module.pp

@@ -35,6 +35,15 @@
 
   include selinux
 
+  if $::selinux_config_policy in ['targeted','strict']
+  {
+    $selinux_policy = $::selinux_config_policy
+  }
+  elsif $::selinux_custom_policy
+  {
+    $selinux_policy = $::selinux_custom_policy
+  }
+
   # Set Resource Defaults
   File {
     owner => 'root',
@@ -51,32 +60,33 @@
 
   exec { "${name}-checkloaded":
     refreshonly => false,
-    creates     => "/etc/selinux/${::selinux_config_policy}/modules/active/modules/${name}.pp",
-    command     => 'true',
+    creates     => "/etc/selinux/${selinux_policy}/modules/active/modules/${name}.pp",
+
+    command     => 'true', # lint:ignore:quoted_booleans
     notify      => Exec["${name}-buildmod"],
   }
 
   ## Begin Configuration
   file { "${::selinux::params::sx_mod_dir}/${name}.te":
     ensure => $ensure,
     source => $source,
-    tag    => 'selinux-module',
+    tag    => "selinux-module-${name}",
   }
   if !$use_makefile {
     file { "${::selinux::params::sx_mod_dir}/${name}.mod":
-      tag   => ['selinux-module-build', 'selinux-module'],
+      tag   => ["selinux-module-build-${name}", "selinux-module-${name}"],
     }
   }
   file { "${::selinux::params::sx_mod_dir}/${name}.pp":
-    tag   => ['selinux-module-build', 'selinux-module'],
+    tag   => ["selinux-module-build-${name}", "selinux-module-${name}"],
   }
 
   # Specific executables based on present or absent.
   case $ensure {
     present: {
       if $use_makefile {
         exec { "${name}-buildmod":
-          command => "true",
+          command => 'true', # lint:ignore:quoted_booleans
         }
         exec { "${name}-buildpp":
           command => "make -f ${makefile} ${name}.pp",
@@ -98,7 +108,7 @@
       ~> Exec["${name}-buildmod"]
       ~> Exec["${name}-buildpp"]
       ~> Exec["${name}-install"]
-      -> File<| tag == 'selinux-module-build' |>
+      -> File<| tag == "selinux-module-build-${name}" |>
     }
     absent: {
       exec { "${name}-remove":
@@ -107,7 +117,7 @@
 
       # Set dependency ordering
       Exec["${name}-remove"]
-      -> File<| tag == 'selinux-module' |>
+      -> File<| tag == "selinux-module-${name}" |>
     }
     default: {
       fail("Invalid status for SELinux Module: ${ensure}")

manifests/params.pp

@@ -12,21 +12,29 @@
 
   case $::osfamily {
     'RedHat': {
-      case $::operatingsystemmajrelease {
-        '7': {
+      case $::operatingsystem {
+        'Fedora': {
           $sx_fs_mount = '/sys/fs/selinux'
           $package_name = 'policycoreutils-python'
         }
-        '6': {
-          $sx_fs_mount = '/selinux'
-          $package_name = 'policycoreutils-python'
-        }
-        '5': {
-          $sx_fs_mount = '/selinux'
-          $package_name = 'policycoreutils'
-        }
         default: {
-          fail("${::osfamily}-${::operatingsystemmajrelease} is not supported")
+          case $::operatingsystemmajrelease {
+            '7': {
+              $sx_fs_mount = '/sys/fs/selinux'
+              $package_name = 'policycoreutils-python'
+            }
+            '6': {
+              $sx_fs_mount = '/selinux'
+              $package_name = 'policycoreutils-python'
+            }
+            '5': {
+              $sx_fs_mount = '/selinux'
+              $package_name = 'policycoreutils'
+            }
+            default: {
+              fail("${::operatingsystem}-${::operatingsystemmajrelease} is not supported")
+            }
+          }
         }
       }
     }

manifests/port.pp

@@ -52,7 +52,7 @@
 
   exec { "add_${context}_${port}":
     command => "semanage port -a -t ${context} ${protocol_switch}${port}",
-    unless  => "semanage port -l|grep \"^${context}.*${protocol}.*${port}\"",
+    unless  => "semanage port -l|grep \"^${context}.*${protocol}.*${port}\"|grep -w ${port}",
     path    => '/bin:/sbin:/usr/bin:/usr/sbin',
     require => Class['selinux::package']
   }

metadata.json

@@ -1,6 +1,6 @@
 {
 "name": "jfryman/selinux",
-"version": "0.2.3",
+"version": "0.2.5",
 "author": "jfryman",
 "summary": "This class manages SELinux on RHEL based systems",
 "license": "Apache-2.0",

spec/classes/selinux_config_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe 'selinux' do
-  let(:facts) { { :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux_current_mode => 'enforcing' } }
+  include_context 'RedHat 7'
 
   context 'config' do
 

spec/classes/selinux_package_spec.rb

@@ -5,19 +5,38 @@
   context 'package' do
 
     context 'on RedHat 5 based OSes' do
-      let(:facts) { { :osfamily => 'RedHat', :operatingsystemmajrelease => '5', :selinux_current_mode => 'enforcing' } }
+      let(:facts) do
+        {
+          :osfamily                  => 'RedHat',
+          :operatingsystem           => 'RedHat',
+          :operatingsystemmajrelease => '5',
+          :selinux_current_mode      => 'enforcing',
+        }
+      end
 
       it { should contain_package('policycoreutils').with(:ensure => 'installed') }
     end
 
     [ '6', '7' ].each do |majrelease|
       context "On RedHat #{majrelease} based OSes" do
-        let(:facts) { { :osfamily => 'RedHat', :operatingsystemmajrelease => majrelease, :selinux_current_mode => 'enforcing' } }
+        let(:facts) do
+          {
+            :osfamily                  => 'RedHat',
+            :operatingsystem           => 'RedHat',
+            :operatingsystemmajrelease => majrelease,
+            :selinux_current_mode      => 'enforcing',
+          }
+        end
 
         it { should contain_package('policycoreutils-python').with(:ensure => 'installed') }
       end
     end
 
+    context "On Fedora 22 based OSes" do
+      include_context 'Fedora 22'
+
+      it { should contain_package('policycoreutils-python').with(:ensure => 'installed') }
+    end
 
   end
 

spec/classes/selinux_restorecond_config_spec.rb

@@ -1,16 +1,7 @@
 require 'spec_helper'
 
 describe 'selinux::restorecond' do
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-    # concat facts
-    :concat_basedir => '/tmp',
-    :id => 0,
-    :is_pe => false,
-    :path => '/tmp',
-  } }
+  include_context 'RedHat 7'
 
   it { should contain_concat('/etc/selinux/restorecond.conf') }
   it { should contain_concat__fragment('restorecond_config_default') }

spec/classes/selinux_restorecond_service_spec.rb

@@ -1,16 +1,7 @@
 require 'spec_helper'
 
 describe 'selinux::restorecond' do
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-    # concat facts
-    :concat_basedir => '/tmp',
-    :id => 0,
-    :is_pe => false,
-    :path => '/tmp',
-  } }
+  include_context 'RedHat 7'
 
   it { should contain_service('restorecond') }
 

spec/classes/selinux_restorecond_spec.rb

@@ -1,16 +1,7 @@
 require 'spec_helper'
 
 describe 'selinux::restorecond' do
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-    # concat facts
-    :concat_basedir => '/tmp',
-    :id => 0,
-    :is_pe => false,
-    :path => '/tmp',
-  } }
+  include_context 'RedHat 7'
 
   it { should contain_class('selinux::restorecond::config') }
   it { should contain_class('selinux::restorecond::service') }

spec/classes/selinux_spec.rb

@@ -1,9 +1,16 @@
 require 'spec_helper'
 
 describe 'selinux' do
-  let(:facts) { { :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux_current_mode => 'enforcing' } }
-
-  it { should contain_class('selinux::package') }
-  it { should contain_class('selinux::config') }
+  [
+    'RedHat 7',
+    'CentOS 7',
+    'Fedora 22',
+  ].each do |ctx|
+    context ctx do
+      include_context ctx
 
+      it { should contain_class('selinux::package') }
+      it { should contain_class('selinux::config') }
+    end
+  end
 end

spec/defines/selinux_boolean_spec.rb

@@ -2,11 +2,7 @@
 
 describe 'selinux::boolean' do
   let(:title) { 'mybool' }
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-  } }
+  include_context 'RedHat 7'
 
   context 'default' do
     it { should contain_exec("setsebool -P 'mybool' true")}

spec/defines/selinux_fcontext_spec.rb

@@ -2,11 +2,7 @@
 
 describe 'selinux::fcontext' do
   let(:title) { 'myfile' }
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-  } }
+  include_context 'RedHat 7'
 
   context 'invalid pathname' do
     it { expect { is_expected.to compile }.to raise_error }

spec/defines/selinux_port_spec.rb

@@ -2,11 +2,7 @@
 
 describe 'selinux::port' do
   let(:title) { 'myapp' }
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-  } }
+  include_context 'RedHat 7'
 
   ['tcp', 'udp', 'tcp6', 'udp6'].each do |protocol|
     context "valid protocol #{protocol}" do

spec/defines/selinux_restorecond_fragment_spec.rb

@@ -3,16 +3,7 @@
 describe 'selinux::restorecond::fragment' do
   let(:pre_condition) { 'class { "selinux::restorecond": }' }
   let(:title) { 'cond' }
-  let(:facts) { {
-    :osfamily => 'RedHat',
-    :operatingsystemmajrelease => '7',
-    :selinux_current_mode => 'enforcing',
-    # concat facts
-    :concat_basedir => '/tmp',
-    :id => 0,
-    :is_pe => false,
-    :path => '/tmp',
-  } }
+  include_context 'RedHat 7'
 
   context 'source' do
     let(:params) { { :source => 'puppet:///data/cond.txt' } }