Add port management in api feature for selinux

voxpupuli · Jul 8, 2024 · be363f1 · be363f1
1 parent 739ba52
commit be363f1
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
@@ -359,21 +359,21 @@
   create_resources('icinga2::object::endpoint', $endpoints)
   create_resources('icinga2::object::zone', $zones)
 
-#  if $manage_selinux {
+  if $manage_selinux and $bind_port {
     # if port is free
-#    exec { "Add port ${bind_port} for icinga2_port_t":
-#      command => ['/usr/sbin/semanage', 'port', '-a', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port],
-#      unless  => "/usr/sbin/semanage port -l | grep -qw '^icinga2_port_t.*\s${bind_port}'",
-#      before  => Icinga2::Object['icinga2::object::ApiListener::api'],
-#    }
+    exec { "Add port ${bind_port} for icinga2_port_t":
+      command => ['/usr/sbin/semanage', 'port', '-a', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port],
+      unless  => "/usr/sbin/semanage port -l | grep -qw '\\s${bind_port}'",
+      before  => Icinga2::Object['icinga2::object::ApiListener::api'],
+    }
 
     # if port is also used by another app
-#    exec { "Also open available port ${bind_port} for icinga2_port_t":
-#      command => ['/usr/sbin/semanage', 'port', '-m', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port],
-#      onlyif  => "/usr/sbin/semanage port -l | grep -qw '^!icinga2_port_t.*\s${bind_port}'",
-#      before  => Icinga2::Object['icinga2::object::ApiListener::api'],
-#    }
-#  }
+    exec { "Add available port ${bind_port} also for icinga2_port_t":
+      command => ['/usr/sbin/semanage', 'port', '-m', '-t', 'icinga2_port_t', '-p', 'tcp', $bind_port],
+      onlyif  => "/usr/sbin/semanage port -l | grep -wv '^icinga2_port_t' | grep -wq '\s${bind_port}'",
+      before  => Icinga2::Object['icinga2::object::ApiListener::api'],
+    }
+  }
 
   # create object
   icinga2::object { 'icinga2::object::ApiListener::api':