Puppet module to manage apparmor profiles.
IN PROGRESS, UNSTABLE
This Puppet module manages AppArmor profiles. AppArmor is an implementation of the Mandatory Access Control model (similar to SELinux), used in Ubuntu and SUSE to isolate applications running on the same host.
- Different apparmor modes are supported (enforced, complain, disabled)
- Apparmor modes can be switched for the existing apparmor profiles (e.g. shipped with OS)
- Custom apparmor profiles can be installed
- Custom apparmor profiles may contain parameters expanded via puppet variables (might be useful if you want to use this module from another puppet module which installs and configures something)
- Ubuntu Linux
- Tested on 12.04 and 14.04
- Puppet >2.7.x (tested on puppet 2.7.11)
- Suse Linux isn't supported yet, but it should be easy to adapt it (pull requests are welcome)
- Template functionality isn't fully implemented yet
This module uses both module types of puppet: native ruby type/provider and puppet DSL module:
- Native ruby type apparmor_profile is used for apparmor runtime configuration/control and ideally shouldn't be invoked directly
- apparmor::* is a puppet DSL module, where apparmor::profile builds an overlay over the native module and extends the functionality with template and file management of profiles
Folder structure:
- lib/ - native ruby type and provider, incl. helper functions
- manifests/ - puppet DSL code
  - init.pp - apparmor initialization class, ensures the installation and service configuration of apparmor. Included by other classes/types
  - install.pp - apparmor::install class, installs apparmor packages
  - params.pp - apparmor::params class, some global defaults reused in other classes
  - profile.pp - apparmor::profile type, main entry point for managing apparmor profiles
  - service.pp - apparmor::service class, controls the apparmor service
- spec/ - puppet unit tests
- .travis.yml, Rakefile, .gemfile, .fixtures.yml - used for travis CI tests
Controlling an existing default profile
apparmor::profile { "/sbin/dhclient":
  # possible options: enforced, complain, disabled, absent
  ensure => enforced,
}
Rolling out a new profile without parameters
apparmor::profile { "/sbin/dhclient":
  ensure => enforced,
  source => 'puppet:///modules/site_something/sbin.dhclient',
}
Rolling out a new profile with parameters
apparmor::profile { "/sbin/dhclient":
  ensure        => enforced,
  template      => 'site_something/sbin.dhclient.erb',
  template_vars => {}, # hash structure TBD
}
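A check that the modes declared through apparmor::profile match what the kernel actually has loaded, as an added example that is not part of this module. It assumes the kernel listing at /sys/kernel/security/apparmor/profiles and that both disabled and absent mean the profile is not loaded; the function names and the sample listing are constructed for illustration.

```ruby
# Added example, not part of the puppet-apparmor module.
# Kernel-side mode names mapped to the module's `ensure` values.
KERNEL_TO_ENSURE = { 'enforce' => 'enforced', 'complain' => 'complain' }.freeze

# Constructed sample of the kernel listing (not captured from a real host).
SAMPLE = <<~PROFILES
  /sbin/dhclient (complain)
  /usr/sbin/tcpdump (enforce)
  /usr/lib/NetworkManager/nm-dhcp-client.action (enforce)
PROFILES

# Parse the text of the kernel profile listing.
# Each line looks like "<profile name> (<mode>)"; names may contain spaces,
# so the match is anchored on the trailing "(mode)".
def parse_loaded_profiles(text)
  text.each_line.with_object({}) do |line, loaded|
    m = line.strip.match(/\A(.+) \(([a-z]+)\)\z/)
    next unless m
    # Unknown kernel modes are kept as-is so they show up as drift.
    loaded[m[1]] = KERNEL_TO_ENSURE.fetch(m[2], m[2])
  end
end

# desired: { profile name => ensure value } as declared in the manifests.
# Returns { name => [declared, actual] } for every mismatch.
def mode_drift(desired, loaded)
  desired.each_with_object({}) do |(name, want), drift|
    have = loaded.fetch(name, 'not loaded')
    # Assumption: 'disabled' and 'absent' both mean "not loaded in the kernel".
    ok = %w[disabled absent].include?(want) ? have == 'not loaded' : have == want
    drift[name] = [want, have] unless ok
  end
end

# Read the live listing (usually needs root); fall back to the sample.
def kernel_listing(path = '/sys/kernel/security/apparmor/profiles')
  File.read(path)
rescue SystemCallError
  SAMPLE
end

if __FILE__ == $PROGRAM_NAME
  desired = { '/sbin/dhclient' => 'enforced', '/usr/sbin/tcpdump' => 'enforced' }
  mode_drift(desired, parse_loaded_profiles(kernel_listing)).each do |name, (want, have)|
    puts "#{name}: declared #{want}, kernel has #{have}"
  end
end
```

A profile left in complain mode only logs violations, so drift from enforced to complain is the case worth alerting on.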
Please use GitHub Pull requests for this.
Copyright 2014-2015 Artem Sidorenko and contributors.
Copyright 2014 Deutsche Telekom AG
See the COPYRIGHT file at the top-level directory of this distribution and at https://github.com/artem-sidorenko/puppet-apparmor/blob/master/COPYRIGHT