From 044e5fcfe5e9a61146d26ae3b3cb8d371161c147 Mon Sep 17 00:00:00 2001
From: Doug Brown
Date: Wed, 4 May 2016 15:33:48 +1000
Subject: [PATCH] Adding SELinux_Spec support.
---
 manifests/sudoers.pp | 5 +++++
 templates/sudoers.erb | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/manifests/sudoers.pp b/manifests/sudoers.pp
index 8dddab8..91715e3 100644
--- a/manifests/sudoers.pp
+++ b/manifests/sudoers.pp
@@ -27,6 +27,9 @@
 # [*runas*]
 # The user that the command may be run as.
 #
+# [*context*]
+# The SELinux domain and role the command will be run as by default.
+#
 # [*cmnds*]
 # The commands which the user is allowed to run.
 #
@@ -45,6 +48,7 @@
 # comment => 'World domination.',
 # users => ['pinky', 'brain'],
 # runas => ['root'],
+# context => 'TYPE=unconfined_t ROLE=unconfined_r',
 # cmnds => ['/bin/bash'],
 # tags => ['NOPASSWD'],
 # defaults => [ 'env_keep += "SSH_AUTH_SOCK"' ]
@@ -66,6 +70,7 @@
 $comment = undef,
 $ensure = 'present',
 $runas = ['root'],
+ $context = undef,
 $tags = [],
 $defaults = [],
 ) {
diff --git a/templates/sudoers.erb b/templates/sudoers.erb
index 1e225cc..e01a585 100644
--- a/templates/sudoers.erb
+++ b/templates/sudoers.erb
@@ -21,7 +21,7 @@ Defaults!<%= @sane_name.upcase %>_CMNDS <%= @defaults.class == Array ? @defaults
 <% end -%>
 <% if @users then -%>
-<%= @sane_name.upcase %>_USERS <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= tags %> <%= @sane_name.upcase %>_CMNDS
+<%= @sane_name.upcase %>_USERS <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= @context.class == String ? @context %> <%= tags %> <%= @sane_name.upcase %>_CMNDS
 <% else -%>
-%<%= @group %> <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= tags %> <%= @sane_name.upcase %>_CMNDS
+%<%= @group %> <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= @context.class == String ? @context %> <%= tags %> <%= @sane_name.upcase %>_CMNDS
 <% end -%>
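Review bot: The new `$context = undef` parameter accepts any value, and the template change in this commit writes it verbatim into the generated sudoers rule, so a typo or an embedded newline becomes sudoers syntax: either a parse error or an extra line in a file that grants privileges. Since sudoers only allows `ROLE=` and `TYPE=` here, the body could reject anything else, e.g. `if $context != undef and $context !~ /\A(ROLE|TYPE)=\w+( (ROLE|TYPE)=\w+)?\z/ { fail("invalid context: ${context}") }`. The `[*context*]` doc comment in the first hunk could state that expected format as well. The parameter list and the body both continue outside this hunk, so any existing validation of the other parameters is not visible here.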
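Review bot: The added `<%= @context.class == String ? @context %>` has no `:` branch in either rule line (the `_USERS` line and the `%<%= @group %>` line), and Ruby's conditional operator requires one. As shown, the template would fail to compile instead of rendering nothing when `context` is unset. Both lines should carry an explicit empty alternative, for example `<%= @context.is_a?(String) ? @context : '' %>`. Because the value lands between the Runas spec and the tags with no escaping, it is also worth confirming that the rendered file is syntax-checked before it is installed. Nothing in this hunk shows whether it is.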