From 1f43d95e12c1b92b8c197dcd68152a026b2f22c1 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 2 Nov 2025 14:39:12 +0100
Subject: [PATCH 1/2] set seliux contexts for all files and directories - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/292
---
 manifests/main/files.pp | 89 ++++++++++++++++++++++++-----------------
 1 file changed, 53 insertions(+), 36 deletions(-)
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 74b7a41..ad0c257 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -10,13 +10,17 @@ class puppet_cd::main::files (
 
 if $fqdn != $pt_pm_fqdn {
 file { $pt_puppet_conf_file:
- ensure => file,
- path => $pt_puppet_conf_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_puppet_conf_erb),
- notify => Service[$pt_agent_service],
+ ensure => file,
+ path => $pt_puppet_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_puppet_conf_erb),
+ notify => Service[$pt_agent_service],
 }
 if $pt_use_puppetdb == true {
 file { $pt_node_rb_file:
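Review bot: The added `seltype => puppet_etc_t`, `seluser => system_u`, `selrole => object_r` and `selrange => s0` on $pt_puppet_conf_file hard-code labels that Puppet already derives from the host policy via matchpathcon unless `selinux_ignore_defaults` is set, so the explicit values only take effect where the policy default differs — and there a later `restorecon` would relabel the file and the next agent run would flip it back, an oscillation worth ruling out before merging; the second hunk does the same for the master's puppet.conf, puppetdb.conf, routes.yaml and node.rb. On a host with SELinux enabled but no `puppet_etc_t` in the loaded policy the resource would presumably fail on every run, while with SELinux disabled the four parameters are ignored, so the change assumes every managed host runs a policy that ships that type. That assumption should be stated above the resource, e.g. `# SELinux labels pinned to the targeted-policy defaults for puppet.conf (puppet_etc_t); check the host policy before changing them.`, or the four sel* parameters made conditional on the SELinux fact or a class parameter. The enclosing class body starts before this hunk.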
@@ -39,45 +43,58 @@ class puppet_cd::main::files (
 
 if $fqdn == $pt_pm_fqdn {
 file { $pt_puppet_conf_file:
- ensure => file,
- path => $pt_puppet_conf_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_puppet_conf_erb),
- notify => Service[$pt_agent_service,$pt_server_service],
+ ensure => file,
+ path => $pt_puppet_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_puppet_conf_erb),
+ notify => Service[$pt_agent_service,$pt_server_service],
 }
 
 if $pt_use_puppetdb == true {
 # puppetdb
 file { $pt_puppetdb_conf_file:
- ensure => file,
- path => $pt_puppetdb_conf_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_puppetdb_conf_erb),
- notify => Service[$pt_agent_service,$pt_server_service],
+ ensure => file,
+ path => $pt_puppetdb_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_puppetdb_conf_erb),
+ notify => Service[$pt_agent_service,$pt_server_service],
 }
 # routes.yaml
 file { $pt_routes_file:
- ensure => file,
- path => $pt_routes_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_routes_erb),
- notify => Service[$pt_server_service],
+ ensure => file,
+ path => $pt_routes_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_routes_erb),
+ notify => Service[$pt_server_service],
 }
 file { $pt_node_rb_file:
- ensure => file,
- owner => 'puppet',
- group => 'puppet',
- mode => '0550',
- selrole => object_r,
- seltype => foreman_enc_t,
- seluser => system_u,
- content => template($pt_node_rb_erb),
+ ensure => file,
+ owner => 'puppet',
+ group => 'puppet',
+ mode => '0550',
+ selrange => s0,
+ selrole => object_r,
+ seltype => foreman_enc_t,
+ seluser => system_u,
+ content => template($pt_node_rb_erb),
 }
 }
 if $pt_use_puppetdb != true {
From 256ba638ffd37b56d74b2ce24aae6030a1bc490f Mon Sep 17 00:00:00 2001
From: Jenkins Server
Date: Sun, 2 Nov 2025 14:40:43 +0100
Subject: [PATCH 2/2] Recommit for updates in build 105
---
 .../puppet_cd_3A_3Amain_3A_3Afiles.html | 108 ++++++++++++------
 1 file changed, 71 insertions(+), 37 deletions(-)
diff --git a/doc/puppet_classes/puppet_cd_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/puppet_cd_3A_3Amain_3A_3Afiles.html
index 80793e0..2cd6aea 100644
--- a/doc/puppet_classes/puppet_cd_3A_3Amain_3A_3Afiles.html
+++ b/doc/puppet_classes/puppet_cd_3A_3Amain_3A_3Afiles.html
@@ -187,7 +187,24 @@ 89 90 91 -92 +92 +93 +94 +95 +96 +97 +98 +99 +100 +101 +102 +103 +104 +105 +106 +107 +108 +109
# File 'manifests/main/files.pp', line 6
@@ -199,13 +216,17 @@ class puppet_cd::main::files (
 
   if $fqdn != $pt_pm_fqdn {
     file { $pt_puppet_conf_file:
-      ensure  => file,
-      path    => $pt_puppet_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppet_conf_erb),
-      notify  => Service[$pt_agent_service],
+      ensure   => file,
+      path     => $pt_puppet_conf_file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_puppet_conf_erb),
+      notify   => Service[$pt_agent_service],
     }
     if $pt_use_puppetdb == true {
       file { $pt_node_rb_file:
@@ -228,45 +249,58 @@ class puppet_cd::main::files (
 
   if $fqdn == $pt_pm_fqdn {
     file { $pt_puppet_conf_file:
-      ensure  => file,
-      path    => $pt_puppet_conf_file,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0644',
-      content => template($pt_puppet_conf_erb),
-      notify  => Service[$pt_agent_service,$pt_server_service],
+      ensure   => file,
+      path     => $pt_puppet_conf_file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => puppet_etc_t,
+      seluser  => system_u,
+      content  => template($pt_puppet_conf_erb),
+      notify   => Service[$pt_agent_service,$pt_server_service],
     }
 
     if $pt_use_puppetdb == true {
       # puppetdb
       file { $pt_puppetdb_conf_file:
-        ensure  => file,
-        path    => $pt_puppetdb_conf_file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        content => template($pt_puppetdb_conf_erb),
-        notify  => Service[$pt_agent_service,$pt_server_service],
+        ensure   => file,
+        path     => $pt_puppetdb_conf_file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_puppetdb_conf_erb),
+        notify   => Service[$pt_agent_service,$pt_server_service],
       }
       # routes.yaml
       file { $pt_routes_file:
-        ensure  => file,
-        path    => $pt_routes_file,
-        owner   => 'root',
-        group   => 'root',
-        mode    => '0644',
-        content => template($pt_routes_erb),
-        notify  => Service[$pt_server_service],
+        ensure   => file,
+        path     => $pt_routes_file,
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0644',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => puppet_etc_t,
+        seluser  => system_u,
+        content  => template($pt_routes_erb),
+        notify   => Service[$pt_server_service],
       }
       file { $pt_node_rb_file:
-        ensure  => file,
-        owner   => 'puppet',
-        group   => 'puppet',
-        mode    => '0550',
-        selrole => object_r,
-        seltype => foreman_enc_t,
-        seluser => system_u,
-        content => template($pt_node_rb_erb),
+        ensure   => file,
+        owner    => 'puppet',
+        group    => 'puppet',
+        mode     => '0550',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => foreman_enc_t,
+        seluser  => system_u,
+        content  => template($pt_node_rb_erb),
       }
     }
     if $pt_use_puppetdb != true {