-rw-r--r-- | lib/puppet/type/file/selcontext.rb | 25 | ||||
-rw-r--r-- | lib/puppet/type/selboolean.rb | 8 | ||||
-rw-r--r-- | lib/puppet/type/selmodule.rb | 20 |
3 files changed, 38 insertions, 15 deletions
diff --git a/lib/puppet/type/file/selcontext.rb b/lib/puppet/type/file/selcontext.rb index b2c89e6f8..d5111caf8 100644 --- a/lib/puppet/type/file/selcontext.rb +++ b/lib/puppet/type/file/selcontext.rb 
@@ -56,28 +56,45 @@ module Puppet end Puppet.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do - desc "What the SELinux User context of the file should be." + desc "What the SELinux user component of the context of the file should be. + Any valid SELinux user component is accepted. For example ``user_u``. + If not specified it defaults to the value returned by matchpathcon for + the file, if any exists. Only valid on systems with SELinux support + enabled." @event = :file_changed defaultto { self.retrieve_default_context(:seluser) } end Puppet.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do - desc "What the SELinux Role context of the file should be." + desc "What the SELinux role component of the context of the file should be. + Any valid SELinux role component is accepted. For example ``role_r``. + If not specified it defaults to the value returned by matchpathcon for + the file, if any exists. Only valid on systems with SELinux support + enabled." @event = :file_changed defaultto { self.retrieve_default_context(:selrole) } end Puppet.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do - desc "What the SELinux Type context of the file should be." + desc "What the SELinux type component of the context of the file should be. + Any valid SELinux type component is accepted. For example ``tmp_t``. + If not specified it defaults to the value returned by matchpathcon for + the file, if any exists. Only valid on systems with SELinux support + enabled." @event = :file_changed defaultto { self.retrieve_default_context(:seltype) } end Puppet.type(:file).newproperty(:selrange, :parent => Puppet::SELFileContext) do - desc "What the SELinux Range context of the file should be." + desc "What the SELinux range component of the context of the file should be. + Any valid SELinux range component is accepted. For example ``s0`` or + ``SystemHigh``. 
If not specified it defaults to the value returned by + matchpathcon for the file, if any exists. Only valid on systems with + SELinux support enabled and that have support for MCS (Multi-Category + Security)." @event = :file_changed defaultto { self.retrieve_default_context(:selrange) } diff --git a/lib/puppet/type/selboolean.rb b/lib/puppet/type/selboolean.rb index d12dd3bcb..b1f12cae4 100644 --- a/lib/puppet/type/selboolean.rb +++ b/lib/puppet/type/selboolean.rb @@ -4,7 +4,8 @@ module Puppet newtype(:selboolean) do - @doc = "Enable or disable SELinux booleans." + @doc = "Manages SELinux booleans on systems with SELinux support. The supported booleans + are any of the ones found in /selinux/booleans/." newparam(:name) do desc "The name of the SELinux boolean to be managed." @@ -12,13 +13,14 @@ module Puppet end newproperty(:value) do - desc "Whether the the SELinux boolean should be enabled or disabled. Possible values are ``on`` or ``off``." + desc "Whether the the SELinux boolean should be enabled or disabled." newvalue(:on) newvalue(:off) end newparam(:persistent) do - desc "If set true, SELinux booleans will be written to disk and persist accross reboots." + desc "If set true, SELinux booleans will be written to disk and persist accross reboots. + The default is ``false``." defaultto :false newvalues(:true, :false) diff --git a/lib/puppet/type/selmodule.rb b/lib/puppet/type/selmodule.rb index 1f02912ad..883cd954d 100644 --- a/lib/puppet/type/selmodule.rb +++ b/lib/puppet/type/selmodule.rb 
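Review bot: The phrase "Any valid SELinux user component is accepted" in the four new `desc` strings (seluser, selrole, seltype, selrange) reads as a promise that the property validates its value, but no validation is visible in this hunk. The parent class `Puppet::SELFileContext` is defined outside the hunk, so the check may live there. If an invalid component is only rejected when the context is applied, the text should say so, for example `An invalid component is not detected until the context is applied to the file.` (wording to be confirmed against the parent class). The descriptions also do not say what happens to an explicit value on a host without SELinux, which matters because a label that is silently skipped leaves the file with whatever context it inherited.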
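Review bot: The new `@doc` for `selboolean` names `/selinux/booleans/` as the place to find the supported booleans, which ties the text to one mount point of selinuxfs. Systems that mount it elsewhere (for example under `/sys/fs/selinux`) will not have that directory. Pointing at the tool instead avoids the problem: `The supported booleans are those listed by getsebool -a.` The `newtype(:selboolean)` block continues outside the hunk.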
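Review bot: The `persistent` description now states that the default is ``false`` but not what that means in practice. Going by the description, with the default the boolean is not written to disk, so after a reboot it presumably falls back to the stored policy value until the next Puppet run. For a boolean that is switched off as a hardening measure that gap is worth spelling out, e.g. `The default is ``false``, so the setting is lost at reboot unless this is set to ``true``.` The touched lines also keep "the the" in the `value` description and "accross" in the `persistent` one. The `value` text no longer names ``on`` and ``off`` in prose, which is fine only if the generated reference lists the `newvalue` entries.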
@@ -3,36 +3,40 @@ # Puppet::Type.newtype(:selmodule) do - @doc = "Enable or disable SELinux policy modules." + @doc = "Manages loading and unloading of SELinux policy modules + on the system. Requires SELinux support. See man semodule(8) + for more information on SELinux policy modules." ensurable newparam(:name) do - desc "The name of the SELinux policy to be managed." + desc "The name of the SELinux policy to be managed. You should not + include the customary trailing .pp extension." isnamevar end newparam(:selmoduledir) do desc "The directory to look for the compiled pp module file in. - Currently defaults to /usr/share/selinux/targeted" + Currently defaults to /usr/share/selinux/targeted. If selmodulepath + is not specified the module will be looked for in this directory in a + in a file called NAME.pp, where NAME is the value of the name parameter." defaultto "/usr/share/selinux/targeted" end newparam(:selmodulepath) do - desc "The full path in which to look for the compiled pp - module file in. You only need to use this if the module file - is not in the directory pointed at by selmoduledir." + desc "The full path to the compiled .pp policy module. You only need to use + this if the module file is not in the directory pointed at by selmoduledir." end newproperty(:syncversion) do - desc "If set to 'true', the policy will be reloaded if the + desc "If set to ``true``, the policy will be reloaded if the version found in the on-disk file differs from the loaded - version. If set to 'false' (the default) the the only check + version. If set to ``false`` (the default) the the only check that will be made is if the policy is loaded at all or not." newvalue(:true) |
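Review bot: The new `selmoduledir` text repeats words across its line break ("in this directory in a" followed by "in a file called NAME.pp"), and the rewritten `syncversion` line still reads "the the only check". Both are on lines this commit touches. Since `selmoduledir` and `selmodulepath` decide which compiled policy file gets loaded, the descriptions would also benefit from one sentence on trust, such as `The file should be owned by root and not writable by other users, since loading it changes the system policy.` The type definition continues past the end of the hunk.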