to Salt-users
Hi, I would like to start off with saying how much I am liking SaltStack. I recently started using it and am finding it pretty easy to get up to speed on, even without being a programmer. One of the things I am doing to help get me up to speed is writing state files for a logging environment that is already stood up. I figure if I can learn how to validate my existing setup then that should give me a good foundation to move forward with Salt.
Part of the build process for log aggregation nodes living in remote locations is to open port 1514. Servers run with SELinux turned on, so this has to be explicitly allowed with semanage. How can I make this happen if the port is not already allowed and then, once it is set up, make sure it doesn't get applied every time I run a highstate?
    semanage port -a -t syslogd_port_t -p tcp 1514

`semanage port -l | grep syslog` returns information on my specific port:

    syslog_tls_port_t              tcp      6514
    syslog_tls_port_t              udp      6514
    syslogd_port_t                 tcp      1514, 601
    syslogd_port_t                 udp      514, 601
Any help is appreciated. Regards, Brandon
BKeep
Sep 13, 2015, 9:48:57 PM
I think I found a suitable solution. At the end of every Linux rainbow is a text file ;)
    command-rsyslog-tcp-1514-port:
      cmd.run:
        - name: semanage port -a -t syslogd_port_t -p tcp 1514
        - stateful: True
        - unless: grep 1514 /etc/selinux/targeted/modules/active/ports.local
Loren Gordon
Sep 14, 2015, 8:42:20 AM
That should work, but I don't think you want the `stateful` argument in this case. If you use `stateful`, then Salt expects the command to manage its own state (i.e. test if changes need to be made, make changes if so, test that changes were made successfully, return structured data about what changes were made if any).
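
An added example, not part of the original thread: a stricter check that could back the `unless` guard. A plain `grep 1514` also matches the same port on another protocol, a different SELinux type, or a port such as 11514; the hypothetical `port_labeled` function below parses `semanage port -l` output and matches type, protocol and port exactly. The sample is constructed around the output quoted in the first post, and `example_port_t` is a made-up type.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `semanage port -l`:
# type, protocol, then comma-separated ports or ranges.
# example_port_t is a made-up type used to show a substring collision.
SAMPLE='SELinux Port Type              Proto    Port Number

example_port_t                 tcp      11514
syslog_tls_port_t              tcp      6514
syslog_tls_port_t              udp      6514
syslogd_port_t                 tcp      1514, 601
syslogd_port_t                 udp      514, 601
unreserved_port_t              tcp      1024-32767'

# port_labeled TYPE PROTO PORT   (hypothetical helper name)
# Reads `semanage port -l` output on stdin. Exit status 0 only when
# PORT/PROTO is assigned to exactly TYPE, listed singly or inside a range.
port_labeled() {
    awk -v t="$1" -v p="$2" -v port="$3" '
        $1 == t && $2 == p {
            # Fields 3..NF are ports or ranges, separated by ", ".
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # drop the trailing comma
                n = split(entry, r, "-")      # "lo-hi" or a single port
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}
```

On a host, feed it live output, for example `semanage port -l | port_labeled syslogd_port_t tcp 1514`, from a script that the `unless` argument calls.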