CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 2016-12-28 Release 0.7.1
+
+- selinux::module syncversion parameter now defaults to undef
+  to workaround puppet selmodule syncversion bug on CentOS >= 7.3 ([PR #158](https://github.com/voxpupuli/puppet-selinux/pull/158))
+- Bugfix for wrong named fact used in selinux::config ([PR #159](https://github.com/voxpupuli/puppet-selinux/pull/159))
+
 ## 2016-12-14 Release 0.7.0
 
 - Remove custom fact selinux_custom_policy (not used anymore)

README.md

@@ -23,9 +23,7 @@ This class manages SELinux on RHEL based systems.
 
 ## Requirements
 
-* Puppet-3.x or later
-* Facter 1.7.0 or later
-* Ruby-1.9.3 or later (Ruby-1.8.7 is **not** supported).
+* Puppet 3.8.7 or later
 
 ## Module Description
 

manifests/config.pp

@@ -62,7 +62,7 @@
     # a complete relabeling is required when switching from disabled to
     # permissive or enforcing. Ensure the autorelabel trigger file is created.
     if $mode in ['enforcing','permissive'] and
-      !$::selinux_enabled {
+      !$::selinux {
       file { '/.autorelabel':
         ensure  => 'file',
         owner   => 'root',

manifests/module.pp

@@ -1,40 +1,35 @@
-# Definition: selinux::module
+# Defined type: selinux::module
 #
-# Description
-#  This class will either install or uninstall a SELinux module from a running system.
-#  This module allows an admin to keep .te files in text form in a repository, while
-#  allowing the system to compile and manage SELinux modules.
+# This class will either install or uninstall a SELinux module from a running system.
+# This module allows an admin to keep .te files in text form in a repository, while
+# allowing the system to compile and manage SELinux modules.
 #
-#  Concepts incorporated from:
-#  http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/
-#
-# Parameters:
-#   - $ensure: (present|absent) - sets the state for a module
-#   - $sx_mod_dir (absolute_path) - sets the module directory.
-#   - $source: the source file (either a puppet URI or local file) of the SELinux .te module
-#   - $makefile: the makefile file path
-#   - $prefix: the prefix to add to the loaded module. Defaults to ''.
-#
-# Actions:
-#  Compiles a module using make and installs it
-#
-# Requires:
-#  - SELinux
-#
-# Sample Usage:
-#  selinux::module{ 'apache':
-#    ensure => 'present',
-#    source => 'puppet:///modules/selinux/apache.te',
-#  }
+# Concepts incorporated from:
+# http://stuckinadoloop.wordpress.com/2011/06/15/puppet-managed-deployment-of-selinux-modules/
+# 
+# @example compile and load the apache module
+#   selinux::module{ 'apache':
+#     ensure => 'present',
+#     source => 'puppet:///modules/selinux/apache.te',
+#   }
 #
+# @param ensure present or absent
+# @param sx_mod_dir path where source is stored and the module built. 
+#   Valid values: absolute path
+# @param source the source file (either a puppet URI or local file) of the SELinux .te file
+# @param content content of the source .te file
+# @param makefile absolute path to the selinux-devel Makefile
+# @param prefix (DEPRECATED) the prefix to add to the loaded module. Defaults to ''.
+#   Does not work with CentOS >= 7.2 and Fedora >= 24 SELinux tools.
+# @param syncversion selmodule syncversion param
 define selinux::module(
   $source       = undef,
   $content      = undef,
   $ensure       = 'present',
   $makefile     = '/usr/share/selinux/devel/Makefile',
   $prefix       = '',
   $sx_mod_dir   = '/usr/share/selinux',
-  $syncversion  = true,
+  $syncversion  = undef,
 ) {
 
   include ::selinux
@@ -52,7 +47,9 @@
   validate_string($prefix)
   validate_absolute_path($sx_mod_dir)
   validate_absolute_path($makefile)
-  validate_bool($syncversion)
+  if $syncversion != undef {
+    validate_bool($syncversion)
+  }
 
   ## Begin Configuration
   file { "${sx_mod_dir}/${prefix}${name}.te":

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppet-selinux",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "author": "Vox Pupuli",
   "summary": "This class manages SELinux on RHEL based systems",
   "license": "Apache-2.0",

spec/classes/selinux_config_mode_spec.rb

@@ -4,7 +4,12 @@
   on_supported_os.each do |os, facts|
     context "on #{os}" do
       let(:facts) do
-        facts
+        facts.merge(
+          selinux: true,
+          selinux_config_mode: 'enforcing',
+          selinux_config_policy: 'targeted',
+          selinux_current_mode: 'enforcing'
+        )
       end
 
       context 'config' do
@@ -54,15 +59,27 @@
 
         context 'disabled to permissive creates autorelabel trigger file' do
           let(:facts) do
-            facts.merge(selinux_enabled: false)
+            hash = facts.merge(
+              selinux: false
+            )
+            hash.delete(:selinux_config_mode)
+            hash.delete(:selinux_current_mode)
+            hash.delete(:selinux_config_policy)
+            hash
           end
           let(:params) { { mode: 'permissive' } }
           it { is_expected.to contain_file('/.autorelabel').with(ensure: 'file') }
         end
 
         context 'disabled to enforcing creates autorelabel trigger file' do
           let(:facts) do
-            facts.merge(selinux_enabled: false)
+            hash = facts.merge(
+              selinux: false
+            )
+            hash.delete(:selinux_config_mode)
+            hash.delete(:selinux_current_mode)
+            hash.delete(:selinux_config_policy)
+            hash
           end
           let(:params) { { mode: 'enforcing' } }
           it { is_expected.to contain_file('/.autorelabel').with(ensure: 'file') }

spec/default_module_facts.yml

@@ -2,10 +2,6 @@
 osfamily: RedHat
 operatingsystem: RedHat
 operatingsystemmajrelease: '7'
-selinux_config_mode: enforcing
-selinux_current_mode: enforcing
-selinux_enabled: true
-selinux_config_policy: targeted
 # concat facts
 id: 0
 path: /tmp