Add new Redis cookbook

This commit is contained in:
2021-11-16 13:25:30 -06:00
parent 80ec84782b
commit 18f65c4fc5
66 changed files with 5780 additions and 0 deletions


@@ -0,0 +1,56 @@
#
# Cookbook:: selinux
# Resource:: boolean
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :boolean, String,
name_property: true,
description: 'SELinux boolean to set'
property :value, [Integer, String, true, false],
required: true,
equal_to: %w(on off),
coerce: proc { |p| SELinux::Cookbook::BooleanHelpers.selinux_bool(p) },
description: 'SELinux boolean value'
property :persistent, [true, false],
default: true,
desired_state: false,
description: 'Set to true for value setting to survive reboot'
load_current_value do |new_resource|
value shell_out!("getsebool #{new_resource.boolean}").stdout.split('-->').map(&:strip).last
end
action_class do
include SELinux::Cookbook::StateHelpers
end
action :set do
if selinux_disabled?
Chef::Log.warn("Unable to set SELinux boolean #{new_resource.name} as SELinux is disabled")
return
end
converge_if_changed do
cmd = 'setsebool'
cmd += ' -P' if new_resource.persistent
cmd += " #{new_resource.boolean} #{new_resource.value}"
shell_out!(cmd)
end
end
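Review bot: The `boolean` name property is interpolated unescaped into shell strings at the `getsebool` call in load_current_value and the `setsebool` command built in :set, and `shell_out!` given a single string runs it through a shell; `value` is pinned to on/off by equal_to, but the name has no constraint. Passing argv instead of a string avoids the shell entirely: `args = ['setsebool']`, `args << '-P' if new_resource.persistent`, `shell_out!(*args, new_resource.boolean, new_resource.value)`, and likewise `shell_out!('getsebool', new_resource.boolean)` in load_current_value. A `regex:` on the name property would be a reasonable belt-and-braces addition if the accepted character set of boolean names is confirmed.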


@@ -0,0 +1,132 @@
#
# Cookbook:: selinux
# Resource:: fcontext
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :file_spec, String,
name_property: true,
description: 'Path to or regex matching the files or directoriesto label'
property :secontext, String,
required: %i(add modify manage),
description: 'SELinux context to assign'
property :file_type, String,
default: 'a',
equal_to: %w(a f d c b s l p),
description: 'The type of the file being labeled'
action_class do
include SELinux::Cookbook::StateHelpers
def current_file_context
file_hash = {
'a' => 'all files',
'f' => 'regular file',
'd' => 'directory',
'c' => 'character device',
'b' => 'block device',
's' => 'socket',
'l' => 'symbolic link',
'p' => 'named pipe',
}
contexts = shell_out!('semanage fcontext -l').stdout.split("\n")
# pull out file label from user:role:type:level context string
contexts.grep(/^#{Regexp.escape(new_resource.file_spec)}\s+#{file_hash[new_resource.file_type]}/) do |c|
c.match(/.+ (?<user>.+):(?<role>.+):(?<type>.+):(?<level>.+)$/)[:type]
# match returns ['foo'] or [], shift converts that to 'foo' or nil
end.shift
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
def relabel_files
spec = new_resource.file_spec
escaped = Regexp.escape spec
# find common path between regex and string
common = if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# if path is not absolute, ignore it and search everything
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 | xargs -0 restorecon -iRv")
end
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_fcontext is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
unless current_file_context
converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
end
end
end
# Only modify if fcontext exists & doesn't have the correct label already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
if current_file_context && current_file_context != new_resource.secontext
converge_by "modifying label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
if current_file_context
converge_by "deleting label for #{new_resource.file_spec}" do
shell_out!("semanage fcontext -d -f #{new_resource.file_type} '#{new_resource.file_spec}'")
relabel_files
end
end
end
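Review bot: The `semanage fcontext` commands in :add, :modify and :delete interpolate `file_spec` inside single quotes and `secontext` bare, with no escaping, whereas relabel_files in the same file already uses `shellescape` for the find/xargs pipeline; a file_spec containing a quote or metacharacter breaks the quoting. Use the argv form so no shell is involved, e.g. `shell_out!('semanage', 'fcontext', '-a', '-f', new_resource.file_type, '-t', new_resource.secontext, new_resource.file_spec)` and the same shape for `-m` and `-d`. Separately, `current_file_context` calls `[:type]` on the result of `match`, which is nil for a line in a different format; `&.[](:type)` or `match&.[](:type)` would make the helper return nil instead of raising. The file_spec description string reads 'directoriesto' and wants a space.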


@@ -0,0 +1,54 @@
#
# Cookbook:: selinux
# Resource:: install
#
# Copyright:: 2016-2021, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
include SELinux::Cookbook::InstallHelpers
property :packages, [String, Array],
default: lazy { default_install_packages },
description: 'SELinux packages for system'
action_class do
def do_package_action(action)
# friendly message for unsupported platforms
raise "The platform #{node['platform']} is not currently supported by the `selinux_install` resource. Please file an issue at https://github.com/sous-chefs/selinux/issues/new with details on the platform this cookbook is running on." if new_resource.packages.nil?
package 'selinux' do
package_name new_resource.packages
action action
end
end
end
action :install do
do_package_action(action)
directory '/etc/selinux' do
owner 'root'
group 'root'
mode '0755'
action :create
end
end
%i(upgrade remove).each do |a|
action a do
do_package_action(a)
end
end


@@ -0,0 +1,125 @@
#
# Cookbook:: selinux
# Resource:: module
#
# Copyright:: 2016-2021, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
property :module_name, String,
name_property: true,
description: 'Override the module name'
property :source, String,
description: 'Module source file name'
property :content, String,
description: 'Module source as String'
property :cookbook, String,
default: lazy { cookbook_name },
description: 'Cookbook to source from module source file from'
property :base_dir, String,
default: '/etc/selinux/local',
description: 'Directory to create module source file in'
action_class do
def selinux_module_filepath(type)
path = ::File.join(new_resource.base_dir, "#{new_resource.module_name}")
path.concat(".#{type}") if type
end
def list_installed_modules
shell_out!('semodule --list-modules').stdout.split("\n").map { |x| x.split(/\s/).first }
end
end
action :create do
directory new_resource.base_dir
if property_is_set?(:content)
file selinux_module_filepath('te') do
content new_resource.content
mode '0600'
owner 'root'
group 'root'
action :create
notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
end
else
cookbook_file selinux_module_filepath('te') do
cookbook new_resource.cookbook
source new_resource.source
mode '0600'
owner 'root'
group 'root'
action :create
notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
end
end
execute "Compiling SELinux modules at '#{new_resource.base_dir}'" do
cwd new_resource.base_dir
command "make -C #{new_resource.base_dir} -f /usr/share/selinux/devel/Makefile"
timeout 120
user 'root'
action :nothing
notifies :run, "execute[Install SELinux module '#{selinux_module_filepath('pp')}']", :immediately
end
raise "Compilation must have failed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
execute "Install SELinux module '#{selinux_module_filepath('pp')}'" do
command "semodule --install '#{selinux_module_filepath('pp')}'"
action :nothing
end
end
action :delete do
%w(fc if pp te).each do |type|
next unless ::File.exist?(selinux_module_filepath(type))
file selinux_module_filepath(type) do
action :delete
end
end
end
action :install do
raise "Module must be compiled before it can be installed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
unless list_installed_modules.include? new_resource.module_name
converge_by "Install SELinux module #{selinux_module_filepath('pp')}" do
shell_out!("semodule --install '#{selinux_module_filepath('pp')}'")
end
end
end
action :remove do
if list_installed_modules.include? new_resource.module_name
converge_by "Remove SELinux module #{new_resource.module_name}" do
shell_out!("semodule --remove '#{new_resource.module_name}'")
end
end
end
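Review bot: `selinux_module_filepath` returns nil whenever `type` is nil, because the modifier-`if` on the last line is the method's value and evaluates to nil when the condition is false; every current caller passes a type so it is latent, but it should end with an explicit `path`, e.g. `path.concat(".#{type}") if type` followed by `path`. The `semodule --install`/`--remove` commands in :create, :install and :remove, and the `make -C` command in :create, interpolate the module path and base_dir into shell strings with single quotes but no escaping; `shell_out!('semodule', '--install', selinux_module_filepath('pp'))` and `shell_out!('semodule', '--remove', new_resource.module_name)` avoid the shell. The `"#{new_resource.module_name}"` interpolation in the File.join is also redundant since the property is already a String.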


@@ -0,0 +1,46 @@
#
# Cookbook:: selinux
# Resource:: permissive
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :context, String,
name_property: true,
description: 'The SELinux context to permit'
action_class do
def current_permissives
shell_out!('semanage permissive -ln').stdout.split("\n")
end
end
# Create if doesn't exist, do not touch if permissive is already registered (even under different type)
action :add do
unless current_permissives.include? new_resource.context
converge_by "adding permissive context #{new_resource.context}" do
shell_out!("semanage permissive -a '#{new_resource.context}'")
end
end
end
# Delete if exists
action :delete do
if current_permissives.include? new_resource.context
converge_by "deleting permissive context #{new_resource.context}" do
shell_out!("semanage permissive -d '#{new_resource.context}'")
end
end
end
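Review bot: This resource is the only one in the commit whose actions do not guard on `selinux_disabled?`: the boolean, fcontext and port resources include `SELinux::Cookbook::StateHelpers` in their action_class and return early with a warning, while here `semanage permissive` is run unconditionally and a failure would surface as an exception from `shell_out!`. Adding `include SELinux::Cookbook::StateHelpers` to the action_class and the same `if selinux_disabled?` / `Chef::Log.warn(...)` / `return` prologue to :add and :delete would make the behaviour consistent. The context is also interpolated into the command string inside single quotes without escaping; `shell_out!('semanage', 'permissive', '-a', new_resource.context)` sidesteps that.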


@@ -0,0 +1,98 @@
#
# Cookbook:: selinux
# Resource:: port
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :port, [Integer, String],
name_property: true,
regex: /^\d+$/,
description: 'Port to modify'
property :protocol, String,
equal_to: %w(tcp udp),
required: %i(manage add modify),
description: 'Protocol to modify'
property :secontext, String,
required: %i(manage add modify),
description: 'SELinux context to assign to the port'
action_class do
include SELinux::Cookbook::StateHelpers
def current_port_context
# use awk to see if the given port is within a reported port range
shell_out!(
<<~CMD
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
CMD
).stdout.split
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if current_port_context.empty?
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Only modify port if it exists & doesn't have the correct context already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
return
end
unless current_port_context.empty?
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
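Review bot: The `port` property is validated with `regex: /^\d+$/`, and in Ruby `^`/`$` match at line boundaries, so a value with an embedded newline passes validation and is then interpolated unanchored into the `seinfo | grep | awk` pipeline in `current_port_context` and into the `semanage port` commands; the anchors should be `regex: /\A\d+\z/`. `secontext` is likewise dropped into the commands inside single quotes without escaping, so the argv form `shell_out!('semanage', 'port', '-a', '-t', new_resource.secontext, '-p', new_resource.protocol, new_resource.port.to_s)` would be safer for :add, :modify and :delete. The heredoc pipeline in `current_port_context` also relies on `seinfo` being present, which nothing in this resource installs; worth a comment stating that dependency.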


@@ -0,0 +1,114 @@
#
# Cookbook:: selinux
# Resource:: state
#
# Copyright:: 2016-2021, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
include SELinux::Cookbook::StateHelpers
default_action :nothing
property :config_file, String,
default: '/etc/selinux/config'
property :persistent, [true, false],
default: true,
description: 'Persist status update to the selinux configuration file'
property :policy, String,
default: lazy { default_policy_platform },
equal_to: %w(default minimum mls src strict targeted),
description: 'SELinux policy type'
property :automatic_reboot, [true, false, Symbol],
default: false,
description: 'Perform an automatic node reboot if required for state change'
deprecated_property_alias 'temporary', 'persistent', 'The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name.'
action_class do
include SELinux::Cookbook::StateHelpers
def render_selinux_template(action)
Chef::Log.warn(
'It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.'
) if selinux_disabled? && action == :enforcing
unless new_resource.automatic_reboot
Chef::Log.warn('Changes from disabled require a reboot.') if selinux_disabled? && %i(enforcing permissive).include?(action)
Chef::Log.warn('Disabling selinux requires a reboot.') if (selinux_enforcing? || selinux_permissive?) && action == :disabled
end
template "#{action} selinux config" do
path new_resource.config_file
source 'selinux.erb'
cookbook 'selinux'
variables(
selinux: action.to_s,
selinuxtype: new_resource.policy
)
end
end
def node_selinux_restart
unless new_resource.automatic_reboot
Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
return
end
outer_action = action
reboot 'selinux_state_change' do
delay_mins 1
reason "SELinux state change to #{outer_action} from #{selinux_state}"
action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
end
end
end
action :enforcing do
execute 'selinux-setenforce-enforcing' do
command '/usr/sbin/setenforce 1'
end unless selinux_disabled? || selinux_enforcing?
execute 'debian-selinux-activate' do
command '/usr/sbin/selinux-activate'
end if selinux_activate_required?
render_selinux_template(action) if new_resource.persistent
node_selinux_restart if state_change_reboot_required?
end
action :permissive do
execute 'selinux-setenforce-permissive' do
command '/usr/sbin/setenforce 0'
end unless selinux_disabled? || selinux_permissive?
execute 'debian-selinux-activate' do
command '/usr/sbin/selinux-activate'
end if selinux_activate_required?
render_selinux_template(action) if new_resource.persistent
node_selinux_restart if state_change_reboot_required?
end
action :disabled do
raise 'A non-persistent change to the disabled SELinux status is not possible.' unless new_resource.persistent
render_selinux_template(action)
node_selinux_restart if state_change_reboot_required?
end
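Review bot: `config_file` is the only property in this resource without a `description:`, unlike `persistent`, `policy` and `automatic_reboot`; `description: 'Path to the SELinux configuration file rendered when persistent is true'` would match the others. In `render_selinux_template` the multi-line `Chef::Log.warn(...)` call carries a trailing modifier `if selinux_disabled? && action == :enforcing` after the closing paren, which is easy to misread as an unconditional warning; putting the condition first as an `if` block, or the message on one line, reads more clearly. `node_selinux_restart` reads `action` outside the `reboot` block and copies it to `outer_action` for the block's scope, which is correct but deserves a one-line comment saying why the copy exists.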