voxpupuli · jfryman · Nov 4, 2015 · Nov 4, 2015 · Nov 4, 2015 · Nov 4, 2015
diff --git a/README.markdown b/README.markdown
@@ -26,24 +26,30 @@ Requires puppetlabs/stdlib
 Parameters:
 
  * `$mode` (enforced|permissive|disabled) - sets the operating state for SELinux.
+ * `$type` (targeted|minimum|mls) - sets the enforcement type.
 
 ## Reference
 
-Basic usage:
+### Basic usage
 
 ```puppet
 include selinux
 ```
 
-More advanced usage:
+This will include the module and allow you to use the provided defined types, but will not modify existing SELinux settings on the system.
+
+### More advanced usage
 
 ```puppet
 class { selinux:
-  mode => 'enforcing'
+  mode => 'enforcing',
+  type => 'targeted',
 }
 ```
 
-Deploy a custom module:
+This will include the module and manage the SELinux mode (possible values are `enforcing`, `permissive`, and `disabled`) and enforcement type (possible values are `target`, `minimum`, and `mls`). Note that disabling SELinux requires a reboot to fully take effect. It will run in `permissive` mode until then.
+
+### Deploy a custom module
 
 ```puppet
 selinux::module { 'resnet-puppet':
@@ -52,9 +58,17 @@ selinux::module { 'resnet-puppet':
 }
 ```
 
+### Set a boolean value
+
+```puppet
+selinux::boolean { 'puppetagent_manage_all_files': }
+```
+
 ## Defined Types
-* `fcontext` - Define fcontext types and equals values
 * `boolean` - Set seboolean values
+* `fcontext` - Define fcontext types and equals values
+* `module` - Manage an SELinux module
+* `permissive` - Set a context to `permissive`.
 * `port` - Set selinux port context policies
 
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -25,44 +25,48 @@
     fail("Use of private class ${name} by ${caller_module_name}")
   }
 
-  # Validations
-  validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
-  validate_re($type, ['^targeted$', '^minimum$', '^mls$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
-
   file { $selinux::params::sx_mod_dir:
     ensure => directory,
   }
 
-  file_line { "set-selinux-config-to-${mode}":
-    path  => '/etc/selinux/config',
-    line  => "SELINUX=${mode}",
-    match => '^SELINUX=\w+',
-  }
+  if $mode {
+    validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled.  Received: ${mode}")
 
-  file_line { "set-selinux-config-type-to-${type}":
-    path  => '/etc/selinux/config',
-    line  => "SELINUXTYPE=${type}",
-    match => '^SELINUXTYPE=\w+',
-  }
+    file_line { "set-selinux-config-to-${mode}":
+      path  => '/etc/selinux/config',
+      line  => "SELINUX=${mode}",
+      match => '^SELINUX=\w+',
+    }
 
-  case $mode {
-    permissive, disabled: {
-      $sestatus = '0'
-      if $mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
-        notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
+    case $mode {
+      permissive, disabled: {
+        $sestatus = '0'
+        if $mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
+          notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
+        }
+      }
+      enforcing: {
+        $sestatus = '1'
+      }
+      default : {
+        fail('You must specify a mode (enforced, permissive, or disabled) for selinux operation')
       }
     }
-    enforcing: {
-      $sestatus = '1'
-    }
-    default : {
-      fail('You must specify a mode (enforced, permissive, or disabled) for selinux operation')
+
+    exec { "change-selinux-status-to-${mode}":
+      command => "setenforce ${sestatus}",
+      unless  => "getenforce | grep -qi \"${mode}\\|disabled\"",
+      path    => '/bin:/usr/bin:/usr/sbin',
     }
   }
 
-  exec { "change-selinux-status-to-${mode}":
-    command => "setenforce ${sestatus}",
-    unless  => "getenforce | grep -qi \"${mode}\\|disabled\"",
-    path    => '/bin:/usr/bin:/usr/sbin',
+  if $type {
+    validate_re($type, ['^targeted$', '^minimum$', '^mls$'], "Valid types are targeted, minimum, and mls.  Received: ${type}")
+
+    file_line { "set-selinux-config-type-to-${type}":
+      path  => '/etc/selinux/config',
+      line  => "SELINUXTYPE=${type}",
+      match => '^SELINUXTYPE=\w+',
+    }
   }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -8,8 +8,8 @@
 #
 class selinux::params {
   $sx_mod_dir   = '/usr/share/selinux'
-  $mode         = 'disabled'
-  $type         = 'targeted'
+  $mode         = undef
+  $type         = undef
 
   case $::osfamily {
     'RedHat': {

diff --git a/spec/classes/selinux_config_mode.rb → spec/classes/selinux_config_mode_spec.rb b/spec/classes/selinux_config_mode.rb → spec/classes/selinux_config_mode_spec.rb
@@ -10,6 +10,20 @@
       it { expect { should create_class('selinux') }.to raise_error(/Valid modes are enforcing, permissive, and disabled.  Received: invalid/) }
     end
 
+    context 'undef mode' do
+      it { should have_file_resource_count(1) }
+      it { should have_file_line_resource_count(0) }
+      it { should have_exec_resource_count(0) }
+
+      it { should contain_file('/usr/share/selinux') }
+      it { should_not contain_file_line('set-selinux-config-to-enforcing') }
+      it { should_not contain_file_line('set-selinux-config-to-permissive') }
+      it { should_not contain_file_line('set-selinux-config-to-disabled') }
+      it { should_not contain_exec('change-selinux-status-to-enforcing') }
+      it { should_not contain_exec('change-selinux-status-to-permissive') }
+      it { should_not contain_exec('change-selinux-status-to-disabled') }
+    end
+
     context 'enforcing' do
       let(:params) { { :mode => 'enforcing' } }
 

diff --git a/spec/classes/selinux_config_type_spec.rb b/spec/classes/selinux_config_type_spec.rb
@@ -5,11 +5,22 @@
 
   context 'config' do
 
-    context 'invalid mode' do
+    context 'invalid type' do
       let(:params) { { :type => 'invalid' } }
       it { expect { should create_class('selinux') }.to raise_error(/Valid types are targeted, minimum, and mls.  Received: invalid/) }
     end
 
+    context 'undef type' do
+      it { should have_file_resource_count(1) }
+      it { should have_file_line_resource_count(0) }
+      it { should have_exec_resource_count(0) }
+
+      it { should contain_file('/usr/share/selinux') }
+      it { should_not contain_file_line('set-selinux-config-type-to-targeted') }
+      it { should_not contain_file_line('set-selinux-config-type-to-minimum') }
+      it { should_not contain_file_line('set-selinux-config-type-to-mls') }
+    end
+
     context 'targeted' do
       let(:params) { { :type => 'targeted' } }
 

diff --git a/spec/classes/selinux_spec.rb b/spec/classes/selinux_spec.rb
@@ -9,6 +9,8 @@
     context ctx do
       include_context ctx
 
+      it { should contain_class('selinux').without_mode() }
+      it { should contain_class('selinux').without_type() }
       it { should contain_class('selinux::package') }
       it { should contain_class('selinux::config') }
     end