neoloc/mpls_ldp_frr (#255)

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/255
This commit was merged in pull request #255.
2025-04-24 16:51:31 +10:00
parent c24babe309
commit 2321186ad5
7 changed files with 121 additions and 4 deletions
+47
@@ -0,0 +1,47 @@
# this is a modification to frr-selinux that ships with EL9, adding support for frr10
class profiles::selinux::frr {
$frr_te_content = @("EOF")
module frr_local 1.0;
require {
type frr_t;
type initrc_t;
type kernel_t;
type var_run_t;
type frr_tmp_t;
type frr_var_run_t;
type init_t;
class unix_stream_socket connectto;
class system module_request;
class sock_file { getattr write };
class dir { add_name write };
class file { create write open };
class process setpgid;
}
#============= frr_t ==============
allow frr_t initrc_t:unix_stream_socket connectto;
allow frr_t kernel_t:system module_request;
allow frr_t var_run_t:sock_file { getattr write };
#============= init_t ==============
allow init_t frr_tmp_t:dir add_name;
allow init_t frr_var_run_t:dir { write add_name };
allow init_t frr_var_run_t:file { create open write };
allow init_t self:process setpgid;
| EOF
selinux::module { 'frr_local':
ensure => 'present',
content_te => $frr_te_content,
builder => 'simple',
before => Service['frr'],
}
selboolean { 'domain_can_mmap_files':
value => 'on',
persistent => true,
before => Service['frr'],
}
}
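Review bot: The `selboolean { 'domain_can_mmap_files': value => 'on', ... }` resource at the end of the class flips a system-wide boolean, so every confined domain on the host gains mmap on files it can already open, not only FRR. If the denial behind it was for `frr_t`, a scoped rule inside `frr_local` such as `allow frr_t <denied_file_type>:file map;` (the type is a placeholder, to be taken from the AVC record, with `map` added to the `class file` require line) would keep the relaxation inside the module. The rules `allow frr_t kernel_t:system module_request;`, `allow frr_t initrc_t:unix_stream_socket connectto;` and `allow frr_t var_run_t:sock_file { getattr write };` look like audit2allow output against a generic or mislabelled peer. Preloading the required kernel modules and correcting the socket's file context would presumably let them be dropped, which is worth confirming. A short comment above each `allow` line naming the denial it answers would make the policy reviewable later.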