- add route-reflector role and hieradata - enable using dhcp in networkd - add hieradata/node/* entries for route-reflectors
# this is a modification to frr-selinux that ships with EL9, adding support for frr10
#
# Installs a local SELinux policy module ("frr_local") that extends the stock
# frr policy, and switches on one SELinux boolean. Both resources are ordered
# before Service['frr'], which must be declared elsewhere in the catalog.
# Nothing is managed when the host reports itself as an LXC container
# ($facts['virtual'] == 'lxc') -- presumably because a container cannot load
# policy into the shared kernel; confirm against the hosts this is applied to.
class profiles::selinux::frr {

  # Type-enforcement (.te) source for the frr_local module. Everything between
  # @("EOF") and "| EOF" is part of the module source, including lines that
  # start with '#' (those are .te comments, not Puppet comments), so edit the
  # policy only inside the heredoc. What the rules grant, per source domain:
  #  - frr_t -> initrc_t  unix_stream_socket connectto: FRR may connect to
  #    unix sockets held by the initrc_t domain.
  #  - frr_t -> kernel_t  system module_request: FRR may ask the kernel to
  #    auto-load a kernel module. This is broader than a file/socket grant;
  #    which module FRR 10 actually triggers is not stated here (TODO confirm
  #    from the audit log before widening further).
  #  - frr_t -> var_run_t sock_file { getattr write }: FRR may write to
  #    sockets carrying the generic var_run_t label rather than the
  #    frr-specific frr_var_run_t.
  #  - init_t -> frr_tmp_t dir add_name, frr_var_run_t dir/file create, open,
  #    write: init may create entries and files under FRR's tmp and runtime
  #    directory labels; init_t may also setpgid on itself.
  $frr_te_content = @("EOF")
    module frr_local 1.0;

    require {
    type frr_t;
    type initrc_t;
    type kernel_t;
    type var_run_t;
    type frr_tmp_t;
    type frr_var_run_t;
    type init_t;
    class unix_stream_socket connectto;
    class system module_request;
    class sock_file { getattr write };
    class dir { add_name write };
    class file { create write open };
    class process setpgid;
    }

    #============= frr_t ==============
    allow frr_t initrc_t:unix_stream_socket connectto;
    allow frr_t kernel_t:system module_request;
    allow frr_t var_run_t:sock_file { getattr write };

    #============= init_t ==============
    allow init_t frr_tmp_t:dir add_name;
    allow init_t frr_var_run_t:dir { write add_name };
    allow init_t frr_var_run_t:file { create open write };
    allow init_t self:process setpgid;
    | EOF

  # SELinux policy is a host-kernel property; skip inside LXC containers.
  if $facts['virtual'] != 'lxc' {
    # Build and load the module from the .te text above. builder => 'simple'
    # compiles with checkmodule/semodule_package rather than the refpolicy
    # Makefile toolchain. Loaded before the frr service starts so the first
    # start already runs under the extended policy.
    selinux::module { 'frr_local':
      ensure     => 'present',
      content_te => $frr_te_content,
      builder    => 'simple',
      before     => Service['frr'],
    }
    # NOTE(review): by its name this boolean is global -- it applies to every
    # domain on the host, not just frr_t -- so it widens policy well beyond
    # FRR. If only FRR needs to map files, a targeted rule in the frr_local
    # module above (allow frr_t <file-type>:file map;) would be narrower; the
    # required file type is not identifiable from this file. persistent =>
    # true writes the value to the policy store so it survives reboots.
    selboolean { 'domain_can_mmap_files':
      value      => 'on',
      persistent => true,
      before     => Service['frr'],
    }
  }
}