support simple module building

files/selinux_build_module.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+module_name="$1"
+set -e
+checkmodule -M -m -o ${module_name}.mod ${module_name}.te
+package_args="-o ${module_name}.pp -m ${module_name}.mod"
+if [ -f "${module_name}.fc" ]; then
+    package_args="${package_args} --fc ${module_name}.fc"
+fi
+
+semodule_package ${package_args}

lib/facter/selinux_agent_vardir.rb

@@ -0,0 +1,6 @@
+require 'puppet'
+Facter.add(:selinux_agent_vardir) do
+  setcode do
+    Puppet.settings['vardir']
+  end
+end

manifests/config/module_build.pp

@@ -0,0 +1,35 @@
+# @help
+class selinux::config::module_build(
+  String $module_build_root = $::selinux::module_build_root
+) inherits ::selinux {
+
+  validate_absolute_path($module_build_root)
+
+  File {
+    owner => 'root',
+    group => 'root',
+    mode  => '0644',
+  }
+
+  file {"${module_build_root}":
+    ensure => 'directory',
+  }
+
+  # put helper in place:
+  file {"${module_build_root}/modules/selinux_build_module.sh":
+    ensure => 'present',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+    source => "puppet:///modules/${module_name}/selinux_build_module.sh"
+  }
+
+  $module_build_dir = "${module_build_root}/modules"
+
+  file {$module_build_dir:
+    ensure  => 'directory',
+    recurse => true,
+    purge   => true,
+    force   => true,
+  }
+}

manifests/init.pp

@@ -31,12 +31,13 @@
 # @param port Hash of selinux::port resource parameters
 #
 class selinux (
-  $mode           = $::selinux::params::mode,
-  $type           = $::selinux::params::type,
-  $sx_mod_dir     = $::selinux::params::sx_mod_dir,
-  $makefile       = $::selinux::params::makefile,
-  $manage_package = $::selinux::params::manage_package,
-  $package_name   = $::selinux::params::package_name,
+  $mode              = $::selinux::params::mode,
+  $type              = $::selinux::params::type,
+  $sx_mod_dir        = $::selinux::params::sx_mod_dir,
+  $makefile          = $::selinux::params::makefile,
+  $manage_package    = $::selinux::params::manage_package,
+  $package_name      = $::selinux::params::package_name,
+  $module_build_root = $::selinux::params::module_build_root,
 
   ### START Hiera Lookups ###
   $boolean        = undef,

manifests/module.pp

@@ -27,72 +27,82 @@
   Optional[String] $source_fc = undef,
   Optional[String] $source_if = undef,
   Enum['absent', 'present'] $ensure = 'present',
+  Enum['simple', 'refpolicy'] $builder = 'refpolicy',
   $syncversion  = undef,
 ) {
 
-  require ::selinux::config::module
+  require ::selinux::config::module_build
   include ::selinux
+
+  # let's just make doubly sure that this is an absolute path:
+  validate_absolute_path($::selinux::config::module_build::module_build_dir)
+
+  $module_dir = "$::selinux::config::module_build::module_build_dir/${title}"
+  $module_file = "${module_dir}/${title}"
+
+  $build_command = $builder ? {
+      'simple'    => shellquote("${$::selinux::config::module_build::module_build_dir}/selinux_build_module.sh", $title),
+      'refpolicy' => shellquote('make', '-f', '/usr/share/selinux/devel/Makefile', "${title}.pp")
+  }
 
   Anchor['selinux::module pre'] ->
   Selinux::Module[$title] ->
   Anchor['selinux::module post']
   $has_source = (pick($source_te, $source_fc, $source_if, false) != false)
 
   if $has_source and $ensure == 'present' {
-    # build module
-
-    file {"/var/lib/puppet-selinux/modules/${title}":
+    file {"${module_dir}":
       ensure  => directory,
     }
+
     if $source_te {
-      file {"/var/lib/puppet-selinux/modules/${title}/${title}.te":
+      file {"${module_file}.te":
         ensure => 'file',
         source => $source_te,
         notify => Exec["clean-module-${title}"]
       }
     }
     if $source_fc {
-      file {"/var/lib/puppet-selinux/modules/${title}/${title}.fc":
+      file {"${module_file}.fc":
         ensure => 'file',
         source => $source_fc,
         notify => Exec["clean-module-${title}"]
       }
     }
     if $source_if {
-      file {"/var/lib/puppet-selinux/modules/${title}/${title}.if":
+      file {"${module_file}.if":
         ensure => 'file',
         source => $source_if,
         notify => Exec["clean-module-${title}"]
       }
     }
     exec { "clean-module-${title}":
-      cwd         => "/var/lib/puppet-selinux/modules/${title}",
       path        => '/bin:/usr/bin',
+      cwd         => $module_dir,
       command     => "rm -f '${title}.pp' loaded",
       refreshonly => true,
       notify      => Exec["build-module-${title}"]
     }
 
-    $build_command = "make -f /usr/share/selinux/devel/Makefile ${title}.pp"
     exec { "build-module-${title}":
       path    => '/bin:/usr/bin',
-      cwd     => "/var/lib/puppet-selinux/modules/${title}",
+      cwd     => $module_dir,
       command => "${build_command} || (rm -f ${title}.pp loaded && exit 1)",
-      creates => "/var/lib/puppet-selinux/modules/${title}/${title}.pp",
+      creates => "${module_file}.pp",
       notify  => Exec["install-module-${title}"]
     }
     # we need to install the module manually because selmodule is kind of dumb. It ends up
     # working fine, though.
     exec { "install-module-${title}":
-      cwd     => "/var/lib/puppet-selinux/modules/${title}",
       path    => '/sbin:/usr/sbin:/bin:/usr/bin',
-      command => "semodule -i /var/lib/puppet-selinux/modules/${title}/${title}.pp && touch loaded",
-      creates => "/var/lib/puppet-selinux/modules/${title}/loaded",
+      cwd     => $module_dir,
+      command => "semodule -i ${title}.pp && touch loaded",
+      creates => "${module_dir}/loaded",
       before  => Selmodule[$title],
     }
   }
   $module_path = $has_source ? {
-    true  => "/var/lib/puppet-selinux/modules/${title}/${title}.pp",
+    true  => "${module_file}.pp",
     false => undef
   }
 

manifests/params.pp

@@ -12,6 +12,9 @@
   $type           = undef
   $manage_package = true
 
+  validate_absolute_path($::selinux_agent_vardir)
+  $module_build_root = "${::selinux_agent_vardir}/puppet-selinux"
+
   if $::operatingsystemmajrelease {
     $os_maj_release = $::operatingsystemmajrelease
   } else {