Details
- New Feature
- Status: Accepted
- Normal
- Resolution: Unresolved
- Night's Watch
- Needs Assessment
Description
Puppet Version: Any
Puppet Server Version: Any
OS Name/Version: RHEL OS Family, or any SELinux enabled system
Would like to be able to set the selinux 'user' context for a linux user via puppet user resource. This equates to the user resource having access to useradd's -Z flag.
We are required to set all linux systems to have a default selinux user context that is not unconfined_u, and assign all system users to an selinux user that applies user_u or staff_u context to the user. Today my puppet code which manages accounts (not puppetlabs-accounts module) must use exec resources to assign a user to the appropriate selinux user. It would be nice to just have a param in Puppet's user resource to make this happen.
Desired Behavior:
user { 'test-admin':
  ensure  => present,
  selinux => $::selinux_admins,
  ...
}

user { 'test-user':
  ensure  => present,
  selinux => $::selinux_users,
  ...
}
Actual Behavior:
User resource is not yet capable of allowing customization for selinux user contexts. There also do not seem to be puppet resources relating to selinux logins or user contexts, but that is more manageable outside of a puppet resource, because it's a define once per system kind of thing, whereas this selinux user role is defined per user, and using exec resources gets messy to undo when setting the user to absent.
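For reference, a sketch of the exec-based workaround the description refers to, covering both the present and the absent case. This is an added example, not the reporter's code and not part of Puppet: the defined type `selinux_login` and its parameters are hypothetical, and it assumes `semanage` is installed and that a `User` resource with the same title is declared in the catalog.

```puppet
# Hypothetical defined type (added example): maps a Linux login to an SELinux
# user with `semanage login`, which is what `useradd -Z` does at creation time.
define selinux_login (
  Enum['present', 'absent'] $ensure = 'present',
  # Strict patterns: both values are interpolated into shell commands below.
  Pattern[/\A[a-z_][a-z0-9_-]{0,31}\z/] $login  = $title,
  Pattern[/\A[a-z0-9_]+\z/]             $seuser = 'user_u',
) {
  $bin_path = ['/usr/sbin', '/usr/bin', '/sbin', '/bin']

  # `semanage login -l -n` prints "<login> <seuser> <range> ..." without a heading.
  $list        = 'semanage login -l -n'
  $has_wanted  = "${list} | grep -Eq '^${login}[[:space:]]+${seuser}[[:space:]]'"
  $has_mapping = "${list} | grep -Eq '^${login}[[:space:]]'"

  if $ensure == 'present' {
    # Add the mapping, or modify it when the login is already mapped to
    # a different SELinux user. Skipped once the wanted mapping exists.
    exec { "selinux-login-set-${login}":
      command  => "semanage login -a -s ${seuser} ${login} || semanage login -m -s ${seuser} ${login}",
      unless   => $has_wanted,
      path     => $bin_path,
      provider => shell,
      require  => User[$login],
    }
  } else {
    # Remove the mapping before the account itself is removed, so no
    # stale login entry is left behind for a reused user name.
    exec { "selinux-login-del-${login}":
      command  => "semanage login -d ${login}",
      onlyif   => $has_mapping,
      path     => $bin_path,
      provider => shell,
      before   => User[$login],
    }
  }
}

# Usage: the account and its SELinux mapping are declared side by side.
user { 'test-admin':
  ensure => present,
}

selinux_login { 'test-admin':
  ensure => present,
  seuser => 'staff_u',
}
```

The `ensure` value has to be kept in step by hand on both resources, which is the bookkeeping a native parameter on the user resource would remove.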