set seliux contexts for all files and directories - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/292

2025-11-02 14:39:12 +01:00
parent 9fb5422b4b
commit 1f43d95e12
1 changed files with 53 additions and 36 deletions
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -10,13 +10,17 @@ class puppet_cd::main::files (

  if $fqdn != $pt_pm_fqdn {
    file { $pt_puppet_conf_file:
-      ensure  => file,
-      path    => $pt_puppet_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppet_conf_erb),
-      notify  => Service[$pt_agent_service],
+      ensure   => file,
+      path     => $pt_puppet_conf_file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_puppet_conf_erb),
+      notify   => Service[$pt_agent_service],
    }
    if $pt_use_puppetdb == true {
      file { $pt_node_rb_file:
@@ -39,45 +43,58 @@ class puppet_cd::main::files (

  if $fqdn == $pt_pm_fqdn {
    file { $pt_puppet_conf_file:
-      ensure  => file,
-      path    => $pt_puppet_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppet_conf_erb),
-      notify  => Service[$pt_agent_service,$pt_server_service],
+      ensure   => file,
+      path     => $pt_puppet_conf_file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_puppet_conf_erb),
+      notify   => Service[$pt_agent_service,$pt_server_service],
    }

    if $pt_use_puppetdb == true {
      # puppetdb
      file { $pt_puppetdb_conf_file:
-        ensure  => file,
-        path    => $pt_puppetdb_conf_file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        content => template($pt_puppetdb_conf_erb),
-        notify  => Service[$pt_agent_service,$pt_server_service],
+        ensure   => file,
+        path     => $pt_puppetdb_conf_file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_puppetdb_conf_erb),
+        notify   => Service[$pt_agent_service,$pt_server_service],
      }
      # routes.yaml
      file { $pt_routes_file:
-        ensure  => file,
-        path    => $pt_routes_file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        content => template($pt_routes_erb),
-        notify  => Service[$pt_server_service],
+        ensure   => file,
+        path     => $pt_routes_file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_routes_erb),
+        notify   => Service[$pt_server_service],
      }
      file { $pt_node_rb_file:
-        ensure  => file,
-        owner   => 'puppet',
-        group   => 'puppet',
-        mode    => '0550',
-        selrole => object_r,
-        seltype => foreman_enc_t,
-        seluser => system_u,
-        content => template($pt_node_rb_erb),
+        ensure   => file,
+        owner    => 'puppet',
+        group    => 'puppet',
+        mode     => '0550',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => foreman_enc_t,
+        seluser  => system_u,
+        content  => template($pt_node_rb_erb),
      }
    }
    if $pt_use_puppetdb != true {