Use older Redis cookbook, install on bitcoin-2
This commit is contained in:
parent
18f65c4fc5
commit
4b9183d78d
|
@ -8,7 +8,7 @@ cookbook 'mediawiki',
|
|||
cookbook 'redis',
|
||||
git: 'https://github.com/phlipper/chef-redis.git',
|
||||
ref: 'v0.5.6'
|
||||
cookbook 'redisio', '~> 6.1.0'
|
||||
cookbook 'redisio', '= 5.0.0' # TODO upgrade to 6.x when we use Chef 16
|
||||
cookbook 'postfix', '= 5.0.2'
|
||||
cookbook 'php', '~> 8.0.0'
|
||||
cookbook 'composer', '~> 2.7.0'
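Review bot: The `= 5.0.0` pin added here gives up the one security-relevant change in the 6.x line that this diff shows — 6.1.0's sentinel `protected-mode` setting (the changelog entry, the `protected_mode` attribute and the `<% if @protected_mode %>` template block are all removed further down) — and puts the `selinux_policy` cookbook, which the 6.0.0 changelog entry describes as deprecated, back into the dependency graph (`selinux_policy (2.4.3)` in the lock hunk). Under Redis's documented rules protected mode is only applied implicitly when no `bind` directive and no password are configured, and the 5.0.0 sentinel template still emits `bind <sentinel_bind>`, so there is no longer any attribute that forces `protected-mode yes` on a sentinel bound to a non-loopback address; if sentinel runs on bitcoin-2, its bind address or host firewall should be confirmed before relying on the downgrade. Record the trade-off in the pin so it is not lost when the TODO is revisited: `cookbook 'redisio', '= 5.0.0' # TODO upgrade to 6.x when we use Chef 16; 6.x needs Chef >= 16 (user_ulimit) and 6.1.0 adds sentinel protected-mode, which 5.0.0 lacks`.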
|
||||
|
|
|
@ -48,7 +48,7 @@ DEPENDENCIES
|
|||
git: https://github.com/phlipper/chef-redis.git
|
||||
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
|
||||
ref: v0.5.6
|
||||
redisio (~> 6.1.0)
|
||||
redisio (= 5.0.0)
|
||||
timezone_iii (= 1.0.4)
|
||||
ulimit (~> 1.0.0)
|
||||
users (~> 5.3.1)
|
||||
|
@ -151,9 +151,10 @@ GRAPH
|
|||
postfix (5.0.2)
|
||||
redis (0.5.6)
|
||||
apt (>= 0.0.0)
|
||||
redisio (6.1.0)
|
||||
selinux (>= 0.0.0)
|
||||
selinux (6.0.1)
|
||||
redisio (5.0.0)
|
||||
selinux_policy (>= 2.2.0)
|
||||
ulimit (>= 0.1.2)
|
||||
selinux_policy (2.4.3)
|
||||
seven_zip (3.1.1)
|
||||
windows (>= 0.0.0)
|
||||
timezone_iii (1.0.4)
|
||||
|
|
|
@ -1,26 +1,9 @@
|
|||
|
||||
# redisio
|
||||
|
||||
This file is used to list changes made in each version of the redisio cookbook.
|
||||
|
||||
## 6.1.0 - *2021-09-15*
|
||||
|
||||
- Add protected mode to sentinel configuration file
|
||||
|
||||
## 6.0.0 - *2021-09-09*
|
||||
|
||||
- Set unified_mode true for Chef 17+ support
|
||||
- Require Chef 15.3+ for unified_mode
|
||||
- Require Chef 16 for user_ulimit resource
|
||||
- Remove dependency on the ulimit cookbook
|
||||
- Switch from using the selinux_policy cookbook to the selinux cookbook
|
||||
- The selinux_policy cookbook is now deprecated. The resources have been moved
|
||||
to the selinux cookbook
|
||||
|
||||
## 5.0.0 - *2021-09-08*
|
||||
|
||||
- resolved cookstyle error: attributes/default.rb:74:40 refactor: `Chef/Modernize/UseChefLanguageSystemdHelper`
|
||||
|
||||
## 4.3.2 - *2021-08-30*
|
||||
|
||||
- Standardise files with files in sous-chefs/repo-management
|
||||
|
|
|
@ -413,8 +413,7 @@ The sentinel recipe's use their own attribute file.
|
|||
'logfile' => nil,
|
||||
'syslogenabled' => 'yes',
|
||||
'syslogfacility' => 'local0',
|
||||
'quorum_count' => 2,
|
||||
'protected-mode' => nil,
|
||||
'quorum_count' => 2
|
||||
```
|
||||
|
||||
* `redisio['redisio']['sentinel']['manage_config']` - Should the cookbook manage the redis and redis sentinel config files. This is best set to false when using redis_sentinel as it will write state into both configuration files.
|
||||
|
|
|
@ -162,10 +162,3 @@ default['redisio']['bin_path'] = if node['redisio']['package_install']
|
|||
else
|
||||
'/usr/local/bin'
|
||||
end
|
||||
|
||||
# Ulimit
|
||||
default['ulimit']['pam_su_template_cookbook'] = nil
|
||||
default['ulimit']['users'] = Mash.new
|
||||
default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
|
||||
default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo'
|
||||
default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil
|
||||
|
|
|
@ -26,7 +26,6 @@ default['redisio']['sentinel_defaults'] = {
|
|||
'announce-port' => nil,
|
||||
'notification-script' => nil,
|
||||
'client-reconfig-script' => nil,
|
||||
'protected_mode' => nil,
|
||||
}
|
||||
|
||||
# Manage Sentinel Config File
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
#%PAM-1.0
|
||||
|
||||
auth required pam_env.so readenv=1 user_readenv=0
|
||||
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
|
||||
session required pam_limits.so
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session-noninteractive
|
|
@ -16,7 +16,8 @@
|
|||
"ubuntu": ">= 0.0.0"
|
||||
},
|
||||
"dependencies": {
|
||||
"selinux": ">= 0.0.0"
|
||||
"ulimit": ">= 0.1.2",
|
||||
"selinux_policy": ">= 2.2.0"
|
||||
},
|
||||
"providing": {
|
||||
|
||||
|
@ -24,13 +25,13 @@
|
|||
"recipes": {
|
||||
|
||||
},
|
||||
"version": "6.1.0",
|
||||
"version": "5.0.0",
|
||||
"source_url": "https://github.com/sous-chefs/redisio",
|
||||
"issues_url": "https://github.com/sous-chefs/redisio/issues",
|
||||
"privacy": false,
|
||||
"chef_versions": [
|
||||
[
|
||||
">= 16"
|
||||
">= 15.5"
|
||||
]
|
||||
],
|
||||
"ohai_versions": [
|
||||
|
|
|
@ -3,10 +3,10 @@ maintainer 'Sous Chefs'
|
|||
maintainer_email 'help@sous-chefs.org'
|
||||
license 'Apache-2.0'
|
||||
description 'Installs and configures redis'
|
||||
version '6.1.0'
|
||||
version '5.0.0'
|
||||
source_url 'https://github.com/sous-chefs/redisio'
|
||||
issues_url 'https://github.com/sous-chefs/redisio/issues'
|
||||
chef_version '>= 16'
|
||||
chef_version '>= 15.5'
|
||||
|
||||
%w(
|
||||
amazon
|
||||
|
@ -21,4 +21,5 @@ chef_version '>= 16'
|
|||
supports os
|
||||
end
|
||||
|
||||
depends 'selinux'
|
||||
depends 'ulimit', '>= 0.1.2'
|
||||
depends 'selinux_policy', '>= 2.2.0'
|
||||
|
|
|
@ -151,8 +151,7 @@ def configure
|
|||
announce_ip: current['announce-ip'],
|
||||
announce_port: current['announce-port'],
|
||||
notification_script: current['notification-script'],
|
||||
client_reconfig_script: current['client-reconfig-script'],
|
||||
protected_mode: current['protected_mode']
|
||||
client_reconfig_script: current['client-reconfig-script']
|
||||
)
|
||||
not_if { ::File.exist?("#{current['configdir']}/#{sentinel_name}.conf.breadcrumb") }
|
||||
end
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
include_recipe 'redisio::default'
|
||||
include_recipe 'redisio::ulimit'
|
||||
include_recipe 'ulimit::default'
|
||||
|
||||
redis = node['redisio']
|
||||
|
||||
|
|
|
@ -1,4 +1,14 @@
|
|||
apt_update
|
||||
# debian 6.0.x fails the build_essential recipe without an apt-get update prior to run
|
||||
if platform?('debian', 'ubuntu')
|
||||
execute 'apt-get-update-periodic' do
|
||||
command 'apt-get update'
|
||||
ignore_failure true
|
||||
only_if do
|
||||
!File.exist?('/var/lib/apt/periodic/update-success-stamp') ||
|
||||
File.mtime('/var/lib/apt/periodic/update-success-stamp') < Time.now - 86400
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
unless node['redisio']['package_install']
|
||||
include_recipe 'redisio::_install_prereqs'
|
||||
|
|
|
@ -19,4 +19,4 @@ else
|
|||
end
|
||||
end
|
||||
|
||||
include_recipe 'redisio::ulimit'
|
||||
include_recipe 'ulimit::default'
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
include_recipe 'redisio::_install_prereqs'
|
||||
include_recipe 'redisio::install'
|
||||
include_recipe 'redisio::ulimit'
|
||||
include_recipe 'ulimit::default'
|
||||
|
||||
redis = node['redisio']
|
||||
|
||||
|
|
|
@ -1,25 +0,0 @@
|
|||
# Pulled from the now replaced ulimit cookbook
|
||||
# TODO: find a more tidy way to do this
|
||||
ulimit = node['ulimit']
|
||||
|
||||
if platform_family?('debian')
|
||||
template '/etc/pam.d/su' do
|
||||
cookbook ulimit['pam_su_template_cookbook']
|
||||
end
|
||||
|
||||
cookbook_file '/etc/pam.d/sudo' do
|
||||
cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook']
|
||||
source node['ulimit']['ulimit_overriding_sudo_file_name']
|
||||
mode '0644'
|
||||
end
|
||||
end
|
||||
|
||||
if ulimit.key?('users')
|
||||
ulimit['users'].each do |user, attributes|
|
||||
user_ulimit user do
|
||||
attributes.each do |a, v|
|
||||
send(a.to_sym, v)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,5 +1,5 @@
|
|||
actions :run
|
||||
unified_mode true
|
||||
|
||||
default_action :run
|
||||
|
||||
# Configuration attributes
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
actions :run
|
||||
unified_mode true
|
||||
|
||||
default_action :run
|
||||
|
||||
# Installation attributes
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
actions :run
|
||||
unified_mode true
|
||||
|
||||
default_action :run
|
||||
|
||||
# Configuration attributes
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
<%
|
||||
node.run_state[:ulimit][@domain].each do |item, entries|
|
||||
entries.each do |type, value|
|
||||
-%>
|
||||
<%= @domain %> <%= type %> <%= item %> <%= value %>
|
||||
<%
|
||||
end
|
||||
end
|
||||
-%>
|
|
@ -11,14 +11,10 @@ syslog-ident redis-<%= @name %>
|
|||
syslog-facility <%= @syslogfacility %>
|
||||
<%= "logfile #{@logfile}" unless @logfile.nil? %>
|
||||
|
||||
# bind sentinel IP
|
||||
<% if @sentinel_bind %>
|
||||
bind <%=@sentinel_bind%>
|
||||
<% end %>
|
||||
|
||||
<% if @protected_mode %>
|
||||
<%= "protected-mode #{@protected_mode}" %>
|
||||
<% end %>
|
||||
|
||||
# port <sentinel-port>
|
||||
# The port that this sentinel instance will run on
|
||||
port <%=@sentinel_port%>
|
||||
|
|
|
@ -1,62 +0,0 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `su' service
|
||||
#
|
||||
# This file modified by Chef to enable ulimit switching with `su`
|
||||
#
|
||||
|
||||
# This allows root to su without passwords (normal operation)
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Uncomment this to force users to be a member of group root
|
||||
# before they can use `su'. You can also add "group=foo"
|
||||
# to the end of this line if you want to use a group other
|
||||
# than the default "root" (but this may have side effect of
|
||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||
# auth required pam_wheel.so
|
||||
|
||||
# Uncomment this if you want wheel members to be able to
|
||||
# su without a password.
|
||||
# auth sufficient pam_wheel.so trust
|
||||
|
||||
# Uncomment this if you want members of a specific group to not
|
||||
# be allowed to use su at all.
|
||||
# auth required pam_wheel.so deny group=nosu
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on su usage.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
#
|
||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||
session optional pam_mail.so nopen
|
||||
|
||||
# Sets up user limits, please uncomment and read /etc/security/limits.conf
|
||||
# to enable this functionality.
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
|
@ -1,32 +0,0 @@
|
|||
# Limits settings for <%= @ulimit_user %>
|
||||
<% unless @filehandle_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
|
||||
<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
|
||||
<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
<% unless @process_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - nproc <%= @process_limit %>
|
||||
<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
|
||||
<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
<% unless @memory_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - memlock <%= @memory_limit %>
|
||||
<% end -%>
|
||||
<% unless @core_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - core <%= @core_limit %>
|
||||
<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
|
||||
<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
<% unless @stack_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - stack <%= @stack_limit %>
|
||||
<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
|
||||
<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
<% unless @rtprio_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
|
||||
<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
|
||||
<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
|
||||
<% end -%>
|
||||
<% unless @virt_limit.nil? -%>
|
||||
<%= @ulimit_user -%> - as <%= @virt_limit %>
|
||||
<% end -%>
|
|
@ -1,184 +0,0 @@
|
|||
# selinux Cookbook CHANGELOG
|
||||
|
||||
This file is used to list changes made in each version of the selinux cookbook.
|
||||
|
||||
## 6.0.1 - *2021-11-03*
|
||||
|
||||
- Correctly parse ports with multple contexts
|
||||
|
||||
## 6.0.0 - *2021-09-02*
|
||||
|
||||
- Import `selinux_policy` resources into this cookbook (`_fcontext`, `_permissive`, and `_port`)
|
||||
- `selinux_policy_module` not imported since it is a duplicate of `selinux_module`
|
||||
|
||||
### Deprecations
|
||||
|
||||
- `selinux_fcontext` action `addormodify` renamed to `manage`
|
||||
- `selinux_port` action `addormodify` renamed to `manage`
|
||||
|
||||
## 5.1.1 - *2021-08-30*
|
||||
|
||||
- Standardise files with files in sous-chefs/repo-management
|
||||
|
||||
## 5.1.0 - *2021-08-21*
|
||||
|
||||
- Fix `selinux_install` on Alma Linux / Oracle Linux
|
||||
|
||||
## 5.0.0 - *2021-08-10*
|
||||
|
||||
### Note: With version 5.0.0 the default recipe has been removed
|
||||
|
||||
- Major refactoring
|
||||
- Restore support for Debian based distros
|
||||
- All resources now use unified_mode
|
||||
- Added selinux_boolean resource
|
||||
- Remove attributes and default recipe
|
||||
- Replaced with a set of bare recipes for the three selinux states
|
||||
- Add automatic restart function to `selinux_state` resource
|
||||
|
||||
## 4.0.0 - *2021-07-21*
|
||||
|
||||
- Sous Chefs adoption
|
||||
- Enable `unified_mode` for Chef 17 compatibility
|
||||
- Update test platforms
|
||||
|
||||
## 3.1.1 (2020-09-29)
|
||||
|
||||
- Move `default['selinux']['status']` attribute to `default['selinux']['state']` to avoid conflicts with Ohai in Chef Infra Client 16 - [@shoekstra](https://github.com/shoekstra)
|
||||
|
||||
## 3.1.0 (2020-09-29)
|
||||
|
||||
- Cookstyle Bot Auto Corrections with Cookstyle 6.16.8 - [@cookstyle](https://github.com/cookstyle)
|
||||
- Add a new `node['selinux']['install_mcstrans_package']` attribute to control installation of the mcdtrans package. This default to true to maintain existing functionality. - [@kapilchouhan99](https://github.com/kapilchouhan99)
|
||||
|
||||
## 3.0.2 (2020-08-25)
|
||||
|
||||
- Fix failures in CI- [@shoekstra](https://github.com/shoekstra)
|
||||
- Specify platform to SoloRunner - [@shoekstra](https://github.com/shoekstra)
|
||||
- Remove unnecessary Foodcritic comments - [@tas50](https://github.com/tas50)
|
||||
- Notify :immediately not :immediate - [@tas50](https://github.com/tas50)
|
||||
- Add Github actions testing of style/unit - [@tas50](https://github.com/tas50)
|
||||
- [GH-67] - Do not try to modify frozen checksum - [@vzDevelopment](https://github.com/vzDevelopment)
|
||||
- Standardise files with files in chef-cookbooks/repo-management - [@xorimabot](https://github.com/xorimabot)
|
||||
|
||||
## 3.0.1 (2019-11-14)
|
||||
|
||||
- Remove the deprecated ChefSpec report - [@tas50](https://github.com/tas50)
|
||||
- Allow "-" and "_" for module names - [@ramereth](https://github.com/ramereth)
|
||||
- Update Fedora versions we test on - [@tas50](https://github.com/tas50)
|
||||
|
||||
## 3.0.0 (2019-06-06)
|
||||
|
||||
- Support for SELinux Modules, via new resource `selinux_module`, able to compile `.te` files, install and remove modules;
|
||||
- Improving test coverage for all resources
|
||||
- Remove support for Ubuntu/Debian
|
||||
- Require Chef 13+
|
||||
|
||||
## 2.1.1 (2018-06-07)
|
||||
|
||||
- Do not execute setenforce 1 always
|
||||
- Remove chefspec matchers that are autogenerated now
|
||||
- Chef 13 Fixes
|
||||
|
||||
## 2.1.0 (2017-09-15)
|
||||
|
||||
- Simplify Travis config and fix ChefDK 2.0 failures
|
||||
- Use bento slugs in Kitchen
|
||||
- Remove maintainer files
|
||||
- More cleanup of the maintainer files
|
||||
- Speed up install with multi-package install
|
||||
|
||||
## 2.0.3 (2017-06-13)
|
||||
|
||||
- Fix boolean check within default recipe
|
||||
|
||||
## 2.0.2 (2017-06-05)
|
||||
|
||||
- Permissive guard should grep for permissive not just disabled
|
||||
|
||||
## 2.0.1 (2017-05-30)
|
||||
|
||||
- Remove class_eval usage
|
||||
|
||||
## 2.0.0 (2017-05-15)
|
||||
|
||||
- Deprecate debian family support
|
||||
- Make default for rhel family use setenforce regardless of whether a temporary change or not. Eliminates the requirement for a required reboot to effect change in the running system.
|
||||
|
||||
## 1.0.4 (2017-04-17)
|
||||
|
||||
- Switch to local delivery for testing
|
||||
- Use the standard apache license string
|
||||
- Updates for early Chef 12 and Chef 13 compatibility
|
||||
- Update and add copyright blocks to the various files
|
||||
|
||||
## 1.0.3 (2017-03-14)
|
||||
|
||||
- Fix requirement in metadata to reflect need for Chef 12.7 as using action_class in state resource.
|
||||
|
||||
## 1.0.2 (2017-03-01)
|
||||
|
||||
- Remove setools* packages from install resource (utility to analyze and query policies, monitor and report audit logs, and manage file context). Future versions of this cookbook that might use this need to handle package install on Oracle Linux as not available in default repo.
|
||||
|
||||
## 1.0.1 (2017-02-26)
|
||||
|
||||
- Fix logic error in the permissive state change
|
||||
|
||||
## 1.0.0 (2017-02-26)
|
||||
|
||||
- **BREAKING CHANGE** `node['selinux']['state']` is now `node['selinux']['status']` to meet Chef 13 requirements.
|
||||
- Update to current cookbook engineering standards
|
||||
- Rewrite LWRP to 12.5 resources
|
||||
- Resolved cookstyle errors
|
||||
- Update package information for debian based on <https://debian-handbook.info/browse/stable/sect.selinux.html>
|
||||
|
||||
- selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected.
|
||||
|
||||
- Add property temporary to allow for switching between permissive and enabled
|
||||
|
||||
- Add install resource
|
||||
|
||||
## v0.9.0 (2015-02-22)
|
||||
|
||||
- Initial Debian / Ubuntu support
|
||||
- Various bug fixes
|
||||
|
||||
## v0.8.0 (2014-04-23)
|
||||
|
||||
- [COOK-4528] - Fix selinux directory permissions
|
||||
- [COOK-4562] - Basic support for Ubuntu/Debian
|
||||
|
||||
## v0.7.2 (2014-03-24)
|
||||
|
||||
handling minimal installs
|
||||
|
||||
## v0.7.0 (2014-02-27)
|
||||
|
||||
[COOK-4218] Support setting SELinux boolean values
|
||||
|
||||
## v0.6.2
|
||||
|
||||
- Fixing bug introduced in 0.6.0
|
||||
- adding basic test-kitchen coverage
|
||||
|
||||
## v0.6.0
|
||||
|
||||
- [COOK-760] - selinux enforce/permit/disable based on attribute
|
||||
|
||||
## v0.5.6
|
||||
|
||||
- [COOK-2124] - enforcing recipe fails if selinux is disabled
|
||||
|
||||
## v0.5.4
|
||||
|
||||
- [COOK-1277] - disabled recipe fails on systems w/o selinux installed
|
||||
|
||||
## v0.5.2
|
||||
|
||||
- [COOK-789] - fix dangling commas causing syntax error on some rubies
|
||||
|
||||
## v0.5.0
|
||||
|
||||
- [COOK-678] - add the selinux cookbook to the repository
|
||||
- Use main selinux config file (/etc/selinux/config)
|
||||
- Use getenforce instead of selinuxenabled for enforcing and permissive
|
|
@ -1,201 +0,0 @@
|
|||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work.
|
||||
|
||||
To apply the Apache License to your work, attach the following
|
||||
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||
replaced with your own identifying information. (Don't include
|
||||
the brackets!) The text should be enclosed in the appropriate
|
||||
comment syntax for the file format. We also recommend that a
|
||||
file or class name and description of purpose be included on the
|
||||
same "printed page" as the copyright notice for easier
|
||||
identification within third-party archives.
|
||||
|
||||
Copyright {yyyy} {name of copyright owner}
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
|
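--- a/selinux/README.md
+++ /dev/null
@@ -1,81 +0,0 @@
-# SELinux Cookbook
-
-[![Cookbook Version](https://img.shields.io/cookbook/v/selnux.svg)](https://supermarket.chef.io/cookbooks/selinux)
-[![CI State](https://github.com/sous-chefs/selinux/workflows/ci/badge.svg)](https://github.com/sous-chefs/selinux/actions?query=workflow%3Aci)
-[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
-[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
-[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
-
-## Description
-
-The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state.
-
-SELinux can have one of three settings:
-
-`Enforcing`
-
-- Watches all system access checks, stops all 'Denied access'
-- Default mode on RHEL systems
-
-`Permissive`
-
-- Allows access but reports violations
-
-`Disabled`
-
-- Disables SELinux from the system but is only read at boot time. If you set this flag, you must reboot.
-
-Disable SELinux only if you plan to not use it. Use `Permissive` mode if you just need to debug your system.
-
-## Requirements
-
-- Chef 15.3 or higher
-
-## Platform
-
-- RHEL 7+
-- CentOS 7+
-- Fedora
-- Ubuntu
-- Debian
-
-## Resources
-
-The following resources are provided:
-
-- [selinux_boolean](documentation/selinux_boolean.md)
-- [selinux_fcontext](documentation/selinux_fcontext.md)
-- [selinux_install](documentation/selinux_install.md)
-- [selinux_module](documentation/selinux_module.md)
-- [selinux_permissive](documentation/selinux_permissive.md)
-- [selinux_port](documentation/selinux_port.md)
-- [selinux_state](documentation/selinux_state.md)
-
-## Maintainers
-
-This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
-
-## Contributors
-
-This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
-
-### Backers
-
-Thank you to all our backers!
-
-![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
-
-### Sponsors
-
-Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
-
-![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
-![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)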
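--- a/selinux/chefignore
+++ /dev/null
@@ -1,115 +0,0 @@
-# Put files/directories that should be ignored in this file when uploading
-# to a Chef Infra Server or Supermarket.
-# Lines that start with '# ' are comments.
-
-# OS generated files #
-######################
-.DS_Store
-ehthumbs.db
-Icon?
-nohup.out
-Thumbs.db
-.envrc
-
-# EDITORS #
-###########
-.#*
-.project
-.settings
-*_flymake
-*_flymake.*
-*.bak
-*.sw[a-z]
-*.tmproj
-*~
-\#*
-REVISION
-TAGS*
-tmtags
-.vscode
-.editorconfig
-
-## COMPILED ##
-##############
-*.class
-*.com
-*.dll
-*.exe
-*.o
-*.pyc
-*.so
-*/rdoc/
-a.out
-mkmf.log
-
-# Testing #
-###########
-.circleci/*
-.codeclimate.yml
-.delivery/*
-.foodcritic
-.kitchen*
-.mdlrc
-.overcommit.yml
-.rspec
-.rubocop.yml
-.travis.yml
-.watchr
-.yamllint
-azure-pipelines.yml
-Dangerfile
-examples/*
-features/*
-Guardfile
-kitchen.yml*
-mlc_config.json
-Procfile
-Rakefile
-spec/*
-test/*
-
-# SCM #
-#######
-.git
-.gitattributes
-.gitconfig
-.github/*
-.gitignore
-.gitkeep
-.gitmodules
-.svn
-*/.bzr/*
-*/.git
-*/.hg/*
-*/.svn/*
-
-# Berkshelf #
-#############
-Berksfile
-Berksfile.lock
-cookbooks/*
-tmp
-
-# Bundler #
-###########
-vendor/*
-Gemfile
-Gemfile.lock
-
-# Policyfile #
-##############
-Policyfile.rb
-Policyfile.lock.json
-
-# Documentation #
-#############
-CODE_OF_CONDUCT*
-CONTRIBUTING*
-documentation/*
-TESTING*
-UPGRADING*
-
-# Vagrant #
-###########
-.vagrant
-Vagrantfile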
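--- a/selinux/libraries/boolean_helpers.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-module SELinux
-module Cookbook
-module BooleanHelpers
-def selinux_bool(bool)
-if ['on', 'true', '1', true, 1].include?(bool)
-'on'
-elsif ['off', 'false', '0', false, 0].include?(bool)
-'off'
-else
-raise ArgumentError, "selinux_bool: Invalid selinux boolean value #{bool}"
-end
-end
-
-module_function :selinux_bool
-end
-end
-end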
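--- a/selinux/libraries/install_helpers.rb
+++ /dev/null
@@ -1,22 +0,0 @@
-module SELinux
-module Cookbook
-module InstallHelpers
-def default_install_packages
-case node['platform_family']
-when 'rhel', 'fedora', 'amazon'
-%w(make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
-when 'debian'
-if node['platform'] == 'ubuntu'
-if node['platform_version'].to_f == 18.04
-%w(make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
-else
-%w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
-end
-else
-%w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
-end
-end
-end
-end
-end
-end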
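--- a/selinux/libraries/state_helpers.rb
+++ /dev/null
@@ -1,43 +0,0 @@
-module SELinux
-module Cookbook
-module StateHelpers
-def selinux_disabled?
-selinux_state.eql?(:disabled)
-end
-
-def selinux_enforcing?
-selinux_state.eql?(:enforcing)
-end
-
-def selinux_permissive?
-selinux_state.eql?(:permissive)
-end
-
-def state_change_reboot_required?
-(selinux_disabled? && %i(enforcing permissive).include?(action)) || ((selinux_enforcing? || selinux_permissive?) && action == :disabled)
-end
-
-def selinux_state
-state = shell_out!('getenforce').stdout.strip.downcase.to_sym
-raise "Got unknown SELinux state #{state}" unless %i(disabled enforcing permissive).include?(state)
-
-state
-end
-
-def selinux_activate_required?
-return false unless platform_family?('debian')
-
-!File.read('/etc/default/grub').match?('security=selinux')
-end
-
-def default_policy_platform
-case node['platform_family']
-when 'rhel', 'fedora', 'amazon'
-'targeted'
-when 'debian'
-'default'
-end
-end
-end
-end
-end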
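--- a/selinux/metadata.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
-"name": "selinux",
-"description": "Manages SELinux policy state and rules.",
-"long_description": "",
-"maintainer": "Sous Chefs",
-"maintainer_email": "help@sous-chefs.org",
-"license": "Apache-2.0",
-"platforms": {
-"redhat": ">= 0.0.0",
-"centos": ">= 0.0.0",
-"scientific": ">= 0.0.0",
-"oracle": ">= 0.0.0",
-"amazon": ">= 0.0.0",
-"fedora": ">= 0.0.0",
-"debian": ">= 0.0.0",
-"ubuntu": ">= 0.0.0"
-},
-"dependencies": {
-
-},
-"providing": {
-
-},
-"recipes": {
-
-},
-"version": "6.0.1",
-"source_url": "https://github.com/sous-chefs/selinux",
-"issues_url": "https://github.com/sous-chefs/selinux/issues",
-"privacy": false,
-"chef_versions": [
-[
-">= 15.3"
-]
-],
-"ohai_versions": [
-
-],
-"gems": [
-
-],
-"eager_load_libraries": true
-}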
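--- a/selinux/metadata.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-name 'selinux'
-maintainer 'Sous Chefs'
-maintainer_email 'help@sous-chefs.org'
-license 'Apache-2.0'
-description 'Manages SELinux policy state and rules.'
-version '6.0.1'
-source_url 'https://github.com/sous-chefs/selinux'
-issues_url 'https://github.com/sous-chefs/selinux/issues'
-chef_version '>= 15.3'
-
-%w(redhat centos scientific oracle amazon fedora debian ubuntu).each do |os|
-supports os
-end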
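--- a/selinux/recipes/disabled.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Cookbook:: selinux
-# Recipe:: disabled
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-selinux_install 'selinux'
-
-selinux_state 'disabled' do
-automatic_reboot true
-action :disabled
-end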
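--- a/selinux/recipes/enforcing.rb
+++ /dev/null
@@ -1,24 +0,0 @@
-
-#
-# Cookbook:: selinux
-# Recipe:: enforcing
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-selinux_install 'selinux'
-
-selinux_state 'enforcing' do
-automatic_reboot true
-action :enforcing
-end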
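--- a/selinux/recipes/permissive.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Cookbook:: selinux
-# Recipe:: permissive
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-selinux_install 'selinux'
-
-selinux_state 'permissive' do
-automatic_reboot true
-action :permissive
-end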
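--- a/selinux/resources/boolean.rb
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# Cookbook:: selinux
-# Resource:: boolean
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-unified_mode true
-
-property :boolean, String,
-name_property: true,
-description: 'SELinux boolean to set'
-
-property :value, [Integer, String, true, false],
-required: true,
-equal_to: %w(on off),
-coerce: proc { |p| SELinux::Cookbook::BooleanHelpers.selinux_bool(p) },
-description: 'SELinux boolean value'
-
-property :persistent, [true, false],
-default: true,
-desired_state: false,
-description: 'Set to true for value setting to survive reboot'
-
-load_current_value do |new_resource|
-value shell_out!("getsebool #{new_resource.boolean}").stdout.split('-->').map(&:strip).last
-end
-
-action_class do
-include SELinux::Cookbook::StateHelpers
-end
-
-action :set do
-if selinux_disabled?
-Chef::Log.warn("Unable to set SELinux boolean #{new_resource.name} as SELinux is disabled")
-return
-end
-
-converge_if_changed do
-cmd = 'setsebool'
-cmd += ' -P' if new_resource.persistent
-cmd += " #{new_resource.boolean} #{new_resource.value}"
-
-shell_out!(cmd)
-end
-end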
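--- a/selinux/resources/fcontext.rb
+++ /dev/null
@@ -1,132 +0,0 @@
-#
-# Cookbook:: selinux
-# Resource:: fcontext
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-unified_mode true
-
-property :file_spec, String,
-name_property: true,
-description: 'Path to or regex matching the files or directoriesto label'
-
-property :secontext, String,
-required: %i(add modify manage),
-description: 'SELinux context to assign'
-
-property :file_type, String,
-default: 'a',
-equal_to: %w(a f d c b s l p),
-description: 'The type of the file being labeled'
-
-action_class do
-include SELinux::Cookbook::StateHelpers
-
-def current_file_context
-file_hash = {
-'a' => 'all files',
-'f' => 'regular file',
-'d' => 'directory',
-'c' => 'character device',
-'b' => 'block device',
-'s' => 'socket',
-'l' => 'symbolic link',
-'p' => 'named pipe',
-}
-
-contexts = shell_out!('semanage fcontext -l').stdout.split("\n")
-# pull out file label from user:role:type:level context string
-contexts.grep(/^#{Regexp.escape(new_resource.file_spec)}\s+#{file_hash[new_resource.file_type]}/) do |c|
-c.match(/.+ (?<user>.+):(?<role>.+):(?<type>.+):(?<level>.+)$/)[:type]
-# match returns ['foo'] or [], shift converts that to 'foo' or nil
-end.shift
-end
-
-# Run restorecon to fix label
-# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
-def relabel_files
-spec = new_resource.file_spec
-escaped = Regexp.escape spec
-
-# find common path between regex and string
-common = if spec == escaped
-spec
-else
-index = spec.size.times { |i| break i if spec[i] != escaped[i] }
-::File.dirname spec[0...index]
-end
-
-# if path is not absolute, ignore it and search everything
-common = '/' if common[0] != '/'
-
-if ::File.exist? common
-shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 | xargs -0 restorecon -iRv")
-end
-end
-end
-
-action :manage do
-run_action(:add)
-run_action(:modify)
-end
-
-action :addormodify do
-Chef::Log.warn('The :addormodify action for selinux_fcontext is deprecated and will be removed in a future release. Use the :manage action instead.')
-run_action(:manage)
-end
-
-# Create if doesn't exist, do not touch if fcontext is already registered
-action :add do
-if selinux_disabled?
-Chef::Log.warn("Unable to add SELinux fcontext #{new_resource.name} as SELinux is disabled")
-return
-end
-
-unless current_file_context
-converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
-shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
-relabel_files
-end
-end
-end
-
-# Only modify if fcontext exists & doesn't have the correct label already
-action :modify do
-if selinux_disabled?
-Chef::Log.warn("Unable to modify SELinux fcontext #{new_resource.name} as SELinux is disabled")
-return
-end
-
-if current_file_context && current_file_context != new_resource.secontext
-converge_by "modifying label #{new_resource.secontext} to #{new_resource.file_spec}" do
-shell_out!("semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
-relabel_files
-end
-end
-end
-
-# Delete if exists
-action :delete do
-if selinux_disabled?
-Chef::Log.warn("Unable to delete SELinux fcontext #{new_resource.name} as SELinux is disabled")
-return
-end
-
-if current_file_context
-converge_by "deleting label for #{new_resource.file_spec}" do
-shell_out!("semanage fcontext -d -f #{new_resource.file_type} '#{new_resource.file_spec}'")
-relabel_files
-end
-end
-end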
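--- a/selinux/resources/install.rb
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Cookbook:: selinux
-# Resource:: install
-#
-# Copyright:: 2016-2021, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-unified_mode true
-
-include SELinux::Cookbook::InstallHelpers
-
-property :packages, [String, Array],
-default: lazy { default_install_packages },
-description: 'SELinux packages for system'
-
-action_class do
-def do_package_action(action)
-# friendly message for unsupported platforms
-raise "The platform #{node['platform']} is not currently supported by the `selinux_install` resource. Please file an issue at https://github.com/sous-chefs/selinux/issues/new with details on the platform this cookbook is running on." if new_resource.packages.nil?
-
-package 'selinux' do
-package_name new_resource.packages
-action action
-end
-end
-end
-
-action :install do
-do_package_action(action)
-
-directory '/etc/selinux' do
-owner 'root'
-group 'root'
-mode '0755'
-action :create
-end
-end
-
-%i(upgrade remove).each do |a|
-action a do
-do_package_action(a)
-end
-end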
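--- a/selinux/resources/module.rb
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Cookbook:: selinux
-# Resource:: module
-#
-# Copyright:: 2016-2021, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-unified_mode true
-
-property :module_name, String,
-name_property: true,
-description: 'Override the module name'
-
-property :source, String,
-description: 'Module source file name'
-
-property :content, String,
-description: 'Module source as String'
-
-property :cookbook, String,
-default: lazy { cookbook_name },
-description: 'Cookbook to source from module source file from'
-
-property :base_dir, String,
-default: '/etc/selinux/local',
-description: 'Directory to create module source file in'
-
-action_class do
-def selinux_module_filepath(type)
-path = ::File.join(new_resource.base_dir, "#{new_resource.module_name}")
-path.concat(".#{type}") if type
-end
-
-def list_installed_modules
-shell_out!('semodule --list-modules').stdout.split("\n").map { |x| x.split(/\s/).first }
-end
-end
-
-action :create do
-directory new_resource.base_dir
-
-if property_is_set?(:content)
-file selinux_module_filepath('te') do
-content new_resource.content
-
-mode '0600'
-owner 'root'
-group 'root'
-
-action :create
-
-notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
-end
-else
-cookbook_file selinux_module_filepath('te') do
-cookbook new_resource.cookbook
-source new_resource.source
-
-mode '0600'
-owner 'root'
-group 'root'
-
-action :create
-
-notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
-end
-end
-
-execute "Compiling SELinux modules at '#{new_resource.base_dir}'" do
-cwd new_resource.base_dir
-command "make -C #{new_resource.base_dir} -f /usr/share/selinux/devel/Makefile"
-timeout 120
-user 'root'
-
-action :nothing
-
-notifies :run, "execute[Install SELinux module '#{selinux_module_filepath('pp')}']", :immediately
-end
-
-raise "Compilation must have failed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
-
-execute "Install SELinux module '#{selinux_module_filepath('pp')}'" do
-command "semodule --install '#{selinux_module_filepath('pp')}'"
-action :nothing
-end
-end
-
-action :delete do
-%w(fc if pp te).each do |type|
-next unless ::File.exist?(selinux_module_filepath(type))
-
-file selinux_module_filepath(type) do
-action :delete
-end
-end
-end
-
-action :install do
-raise "Module must be compiled before it can be installed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
-
-unless list_installed_modules.include? new_resource.module_name
-converge_by "Install SELinux module #{selinux_module_filepath('pp')}" do
-shell_out!("semodule --install '#{selinux_module_filepath('pp')}'")
-end
-end
-end
-
-action :remove do
-if list_installed_modules.include? new_resource.module_name
-converge_by "Remove SELinux module #{new_resource.module_name}" do
-shell_out!("semodule --remove '#{new_resource.module_name}'")
-end
-end
-end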
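--- a/selinux/resources/permissive.rb
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Cookbook:: selinux
-# Resource:: permissive
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-unified_mode true
-
-property :context, String,
-name_property: true,
-description: 'The SELinux context to permit'
-
-action_class do
-def current_permissives
-shell_out!('semanage permissive -ln').stdout.split("\n")
-end
-end
-
-# Create if doesn't exist, do not touch if permissive is already registered (even under different type)
-action :add do
-unless current_permissives.include? new_resource.context
-converge_by "adding permissive context #{new_resource.context}" do
-shell_out!("semanage permissive -a '#{new_resource.context}'")
-end
-end
-end
-
-# Delete if exists
-action :delete do
-if current_permissives.include? new_resource.context
-converge_by "deleting permissive context #{new_resource.context}" do
-shell_out!("semanage permissive -d '#{new_resource.context}'")
-end
-end
-end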
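--- a/selinux/resources/port.rb
+++ /dev/null
@@ -1,98 +0,0 @@
-#
-# Cookbook:: selinux
-# Resource:: port
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-unified_mode true
-
-property :port, [Integer, String],
-name_property: true,
-regex: /^\d+$/,
-description: 'Port to modify'
-
-property :protocol, String,
-equal_to: %w(tcp udp),
-required: %i(manage add modify),
-description: 'Protocol to modify'
-
-property :secontext, String,
-required: %i(manage add modify),
-description: 'SELinux context to assign to the port'
-
-action_class do
-include SELinux::Cookbook::StateHelpers
-
-def current_port_context
-# use awk to see if the given port is within a reported port range
-shell_out!(
-<<~CMD
-seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
-awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
-CMD
-).stdout.split
-end
-end
-
-action :manage do
-run_action(:add)
-run_action(:modify)
-end
-
-action :addormodify do
-Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.')
-run_action(:manage)
-end
-
-# Create if doesn't exist, do not touch if port is already registered (even under different type)
-action :add do
-if selinux_disabled?
-Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
-return
-end
-
-if current_port_context.empty?
-converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
-shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
-end
-end
-end
-
-# Only modify port if it exists & doesn't have the correct context already
-action :modify do
-if selinux_disabled?
-Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
-return
-end
-
-if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
-converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
-shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
-end
-end
-end
-
-# Delete if exists
-action :delete do
-if selinux_disabled?
-Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
-return
-end
-
-unless current_port_context.empty?
-converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
-shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
-end
-end
-end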
@ -1,114 +0,0 @@
|
|||
#
|
||||
# Cookbook:: selinux
|
||||
# Resource:: state
|
||||
#
|
||||
# Copyright:: 2016-2021, Chef Software, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
unified_mode true
|
||||
|
||||
include SELinux::Cookbook::StateHelpers
|
||||
|
||||
default_action :nothing
|
||||
|
||||
property :config_file, String,
|
||||
default: '/etc/selinux/config'
|
||||
|
||||
property :persistent, [true, false],
|
||||
default: true,
|
||||
description: 'Persist status update to the selinux configuration file'
|
||||
|
||||
property :policy, String,
|
||||
default: lazy { default_policy_platform },
|
||||
equal_to: %w(default minimum mls src strict targeted),
|
||||
description: 'SELinux policy type'
|
||||
|
||||
property :automatic_reboot, [true, false, Symbol],
|
||||
default: false,
|
||||
description: 'Perform an automatic node reboot if required for state change'
|
||||
|
||||
deprecated_property_alias 'temporary', 'persistent', 'The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name.'
|
||||
|
||||
action_class do
|
||||
include SELinux::Cookbook::StateHelpers
|
||||
|
||||
def render_selinux_template(action)
|
||||
Chef::Log.warn(
|
||||
'It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.'
|
||||
) if selinux_disabled? && action == :enforcing
|
||||
|
||||
unless new_resource.automatic_reboot
|
||||
Chef::Log.warn('Changes from disabled require a reboot.') if selinux_disabled? && %i(enforcing permissive).include?(action)
|
||||
Chef::Log.warn('Disabling selinux requires a reboot.') if (selinux_enforcing? || selinux_permissive?) && action == :disabled
|
||||
end
|
||||
|
||||
template "#{action} selinux config" do
|
||||
path new_resource.config_file
|
||||
source 'selinux.erb'
|
||||
cookbook 'selinux'
|
||||
variables(
|
||||
selinux: action.to_s,
|
||||
selinuxtype: new_resource.policy
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
def node_selinux_restart
|
||||
unless new_resource.automatic_reboot
|
||||
Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
|
||||
return
|
||||
end
|
||||
|
||||
outer_action = action
|
||||
reboot 'selinux_state_change' do
|
||||
delay_mins 1
|
||||
reason "SELinux state change to #{outer_action} from #{selinux_state}"
|
||||
|
||||
action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
action :enforcing do
|
||||
execute 'selinux-setenforce-enforcing' do
|
||||
command '/usr/sbin/setenforce 1'
|
||||
end unless selinux_disabled? || selinux_enforcing?
|
||||
|
||||
execute 'debian-selinux-activate' do
|
||||
command '/usr/sbin/selinux-activate'
|
||||
end if selinux_activate_required?
|
||||
|
||||
render_selinux_template(action) if new_resource.persistent
|
||||
node_selinux_restart if state_change_reboot_required?
|
||||
end
|
||||
|
||||
action :permissive do
|
||||
execute 'selinux-setenforce-permissive' do
|
||||
command '/usr/sbin/setenforce 0'
|
||||
end unless selinux_disabled? || selinux_permissive?
|
||||
|
||||
execute 'debian-selinux-activate' do
|
||||
command '/usr/sbin/selinux-activate'
|
||||
end if selinux_activate_required?
|
||||
|
||||
render_selinux_template(action) if new_resource.persistent
|
||||
node_selinux_restart if state_change_reboot_required?
|
||||
end
|
||||
|
||||
action :disabled do
|
||||
raise 'A non-persistent change to the disabled SELinux status is not possible.' unless new_resource.persistent
|
||||
|
||||
render_selinux_template(action)
|
||||
node_selinux_restart if state_change_reboot_required?
|
||||
end
|
|
@ -1,18 +0,0 @@
|
|||
# Generated by Chef for <%= node['fqdn'] %>
|
||||
# Do NOT modify this file by hand.
|
||||
#
|
||||
|
||||
# This file controls the state of SELinux on the system.
|
||||
# SELINUX= can take one of these three values:
|
||||
# enforcing - SELinux security policy is enforced.
|
||||
# permissive - SELinux prints warnings instead of enforcing.
|
||||
# disabled - No SELinux policy is loaded.
|
||||
SELINUX=<%= @selinux %>
|
||||
# SELINUXTYPE= can take one of these three values:
|
||||
# default - equivalent to the old strict and targeted policies
|
||||
# mls - Multi-Level Security (for military and educational use)
|
||||
# src - Custom policy built from source
|
||||
SELINUXTYPE=<%= @selinuxtype %>
|
||||
|
||||
# SETLOCALDEFS= Check local definition changes
|
||||
SETLOCALDEFS=0
|
|
@ -1,15 +0,0 @@
|
|||
# Generated by Chef for <%= node['fqdn'] %>
|
||||
# Do NOT modify this file by hand.
|
||||
#
|
||||
|
||||
# This file controls the state of SELinux on the system.
|
||||
# SELINUX= can take one of these three values:
|
||||
# enforcing - SELinux security policy is enforced.
|
||||
# permissive - SELinux prints warnings instead of enforcing.
|
||||
# disabled - No SELinux policy is loaded.
|
||||
SELINUX=<%= @selinux %>
|
||||
# SELINUXTYPE= can take one of these three values:
|
||||
# targeted - Targeted processes are protected,
|
||||
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||
# mls - Multi Level Security protection.
|
||||
SELINUXTYPE=<%= @selinuxtype %>
|
|
@ -0,0 +1,221 @@
|
|||
# selinux_policy CHANGELOG
|
||||
|
||||
This file is used to changes made in each version of the selinux_policy cookbook.
|
||||
|
||||
## 2.4.3 (2020-08-07)
|
||||
|
||||
- Ship the correct license file since this cookbook was relicensed - [@tas50](https://github.com/tas50)
|
||||
- Update testing configs - [@tas50](https://github.com/tas50)
|
||||
- Update the maintainer to be Chef Software - [@tas50](https://github.com/tas50)
|
||||
|
||||
## 2.4.2 (2020-08-07)
|
||||
|
||||
- Make sure the `setpersist` action runs by default not `set` to match the docs.
|
||||
|
||||
## 2.4.1 - 2020-05-14
|
||||
|
||||
- resolved cookstyle error: resources/module.rb:26:35 convention: `Layout/TrailingWhitespace`
|
||||
- resolved cookstyle error: resources/module.rb:26:36 refactor: `ChefModernize/FoodcriticComments`
|
||||
|
||||
## [2.4.0] - 2020-02-13
|
||||
|
||||
- Fix port_defined helper function for Centos 8 compatibility
|
||||
- Test fixes
|
||||
|
||||
## [2.3.6] - 2020-01-26
|
||||
|
||||
- Fix issue on use_selinux function
|
||||
- Migrate to github actions
|
||||
- Resolved ChefStyle/ImmediateNotificationTiming: Use :immediately instead of :immediate for resource notification timing notifies
|
||||
|
||||
## [2.3.5] - 2019-02-15
|
||||
|
||||
- Fix resource failure in permissive.rb Caused by [#96](https://github.com/sous-chefs/selinux_policy/pull/96)
|
||||
- Migrated testing to circleci
|
||||
|
||||
## [2.3.4] - 2019-02-07
|
||||
|
||||
- Fix `shell_out` to use an actual shell. Caused by [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
|
||||
|
||||
## [2.3.3] - 2019-02-06
|
||||
|
||||
- Perform relabel (restorecon) using xargs while still supporting regexes. Fixes [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
|
||||
|
||||
## [2.3.2] - 2018-11-29
|
||||
|
||||
- Cache which helper method calls
|
||||
|
||||
## [2.3.1] - 2018-11-29
|
||||
|
||||
- Use `chef/mixin/which` to locate selinux binaries. Fixes [#85](https://github.com/sous-chefs/selinux_policy/issues/85) & [#93](https://github.com/sous-chefs/selinux_policy/issues/93)
|
||||
|
||||
## [2.3.0] - 2018-11-27
|
||||
|
||||
- Further fixes for the earlier refactoring
|
||||
- Repair CI jobs
|
||||
|
||||
## [2.2.0] - 2018-11-21
|
||||
|
||||
- Large refactoring to helpers and resources
|
||||
- Add RHEL-8 packages
|
||||
|
||||
## [2.1.0] - 2018-04-12
|
||||
|
||||
- Port definition methods to check for already defined ports
|
||||
- Cleanup resource cloning
|
||||
- Deprecate support for Chef 12.x now it's EOL
|
||||
- Fix Foodcritic warnings & update test platforms
|
||||
|
||||
## 2.0.1 - 2017-04-21
|
||||
|
||||
- Perform relabel (restorecon) using find to support regexes
|
||||
|
||||
## 2.0.0 - 2017-02-23
|
||||
|
||||
- This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
|
||||
- Require Chef 12.1 or later
|
||||
- Use compat_resource instead of requiring yum
|
||||
- Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
|
||||
- Don't define attributes in the metadata as these aren't used
|
||||
- Remove the Vagrantfile
|
||||
- Add chef_version requirements to the metadata
|
||||
- Test with ChefDK / Rake in Travis instead of gems
|
||||
- Resolve Foodcritic, Cookstyle, and Chefspec warnings
|
||||
|
||||
## 1.1.1
|
||||
|
||||
- [7307850] (Adam Ward) Silence fcontext guard output
|
||||
- [ad71437] (nitz) Restorecon is now done via shell_out
|
||||
- [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
|
||||
- [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists
|
||||
|
||||
## 1.1.0
|
||||
|
||||
- [daften] Added `file_type` for fcontext
|
||||
|
||||
## 1.0.1
|
||||
|
||||
- [backslasher] - Foodcritic and rubocop improvements
|
||||
|
||||
## 1.0.0
|
||||
|
||||
- [equick] - Validating ports better
|
||||
- [backslasher] - FContext relabling for flies is now immediate. (Possibly breaking)
|
||||
- [backslasher] - testing made slightly more elegant
|
||||
|
||||
## 0.9.6
|
||||
|
||||
- [jhmartin] - Updated README
|
||||
- [backslasher] - Major revision of testing
|
||||
|
||||
## 0.9.5
|
||||
|
||||
- [backslasher] - Modified yum dependency
|
||||
|
||||
## 0.9.4
|
||||
|
||||
- [mhorbul] - Fixed state detection in boolean resource
|
||||
|
||||
## 0.9.3
|
||||
|
||||
- [backlsasher] - Fixed testing & kitchen
|
||||
- [jbartko] - Added Fedora support
|
||||
|
||||
## 0.9.2
|
||||
|
||||
- [backslasher] - Ignoring nonexisting files in restorecon
|
||||
|
||||
## 0.9.1
|
||||
|
||||
- [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled
|
||||
|
||||
## 0.9.0
|
||||
|
||||
- [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
|
||||
- [backslasher] - fcontext overhaul: code refactoring, testing, new action
|
||||
|
||||
**Note**: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)
|
||||
|
||||
## 0.8.1
|
||||
|
||||
- [backslasher] - Added Travis CI harness
|
||||
- [backslasher] - Fixed typo in README
|
||||
|
||||
## 0.8.0
|
||||
|
||||
- [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
|
||||
- [backslasher] - Port search is a function
|
||||
- [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)
|
||||
|
||||
## 0.7.2
|
||||
|
||||
- [shortdudey123] - ChefSpec matchers, helps testing
|
||||
|
||||
## 0.7.1
|
||||
|
||||
- [backslasher] - Forgot contributor
|
||||
|
||||
## 0.7.0
|
||||
|
||||
- [chewi] - Fixed prereq packages
|
||||
- [backslasher] - Modified misleading comment
|
||||
- [chewi] - Move helpers into a cookbook-specific module
|
||||
- [chewi] - Prevent use_selinux from blowing up on systems without getenforce
|
||||
|
||||
## 0.6.5
|
||||
|
||||
- [backslasher] - Ubuntu installation warning
|
||||
|
||||
## 0.6.4
|
||||
|
||||
- [sauraus] - CentOS 7 support
|
||||
- [sauraus] - Typos
|
||||
|
||||
## 0.6.3
|
||||
|
||||
- [backslasher] - Readme updates
|
||||
- [kevans] - Added kitchen testing
|
||||
|
||||
## 0.6.2
|
||||
|
||||
- [kevans] - Support Chef 11.8.0 running shellout!()
|
||||
- [backslasher] - Simplified support info
|
||||
- [backslasher] - ASCIIed files
|
||||
|
||||
## 0.6.1
|
||||
|
||||
- [backslasher] - Migrated to `only_if` instead of if
|
||||
- [backslasher] - README typos
|
||||
|
||||
## 0.6.0
|
||||
|
||||
- [joerg] - Added fcontext resource for managing file contexts under SELinux
|
||||
|
||||
## 0.5.0
|
||||
|
||||
- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
|
||||
- **Cookbook will break on RHEL7\. If anyone experiences this, please check required packages and create an issue/PR**
|
||||
- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
|
||||
|
||||
## 0.4.0
|
||||
|
||||
- [backlasher] - Fixed foodcritic errors
|
||||
|
||||
## 0.3.0
|
||||
|
||||
- [backlasher] - Fixed `install.rb` syntax. Now it actually works
|
||||
|
||||
## 0.2.0
|
||||
|
||||
- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
|
||||
- [backlasher] - Added permissive resource
|
||||
|
||||
## 0.1.0
|
||||
|
||||
- [backlasher] - Initial release of selinuxpolicy
|
||||
|
||||
[2.3.2]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.1...v2.3.2
|
||||
[2.3.1]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.0...v2.3.1
|
||||
[2.3.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.2.0...v2.3.0
|
||||
[2.2.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.1.0...v2.2.0
|
||||
[2.1.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.0.1...v2.1.0
|
|
@ -0,0 +1,4 @@
|
|||
# Contributing
|
||||
|
||||
Please refer to
|
||||
[https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
|
|
@ -0,0 +1,209 @@
|
|||
# selinux_policy Cookbook
|
||||
|
||||
[![Cookbook Version](https://img.shields.io/cookbook/v/selinux_policy.svg)](https://supermarket.chef.io/cookbooks/selinux_policy)
|
||||
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
|
||||
|
||||
This cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.
|
||||
|
||||
## Requirements
|
||||
|
||||
Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).
|
||||
|
||||
### Chef Infra Client
|
||||
|
||||
- 13 or later
|
||||
|
||||
### Platforms
|
||||
|
||||
- rhel
|
||||
- fedora
|
||||
|
||||
## Attributes
|
||||
|
||||
These attributes affect the way all of the resource behave.
|
||||
|
||||
- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.
|
||||
|
||||
## Usage
|
||||
|
||||
- `selinux_policy::install` - Installs SELinux policy management tools
|
||||
|
||||
This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.
|
||||
|
||||
### boolean
|
||||
|
||||
Represents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).
|
||||
|
||||
Properties:
|
||||
|
||||
- `name`: boolean's name. Defaults to resource name.
|
||||
- `value`: Its new value (`true`/`false`).
|
||||
- `force`: Use `setsebool` even if the current value agrees with the requested one.
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
selinux_policy_boolean 'httpd_can_network_connect' do
|
||||
value true
|
||||
# Make sure nginx is started if this value was modified
|
||||
notifies :start,'service[nginx]', :immediate
|
||||
end
|
||||
```
|
||||
|
||||
**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.
|
||||
|
||||
### port
|
||||
|
||||
Allows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.
|
||||
|
||||
Actions:
|
||||
|
||||
- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.
|
||||
- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).
|
||||
- `modify`: Changes the port's context if it's already listed (only uses `-m`).
|
||||
- `delete`: Removes the port's context if it's listed (uses `-d`).
|
||||
|
||||
Properties:
|
||||
|
||||
- `port`: The port in question, defaults to resource name.
|
||||
- `protocol`: `tcp`/`udp`.
|
||||
- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Allow nginx to bind to port 5678, by giving it the http_port_t context
|
||||
selinux_policy_port '5678' do
|
||||
protocol 'tcp'
|
||||
secontext 'http_port_t'
|
||||
end
|
||||
```
|
||||
|
||||
### module
|
||||
|
||||
Manages SEModules
|
||||
|
||||
Actions:
|
||||
|
||||
- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior
|
||||
- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.
|
||||
- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.
|
||||
- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.
|
||||
- `remove`: Removes a module.
|
||||
|
||||
Properties:
|
||||
|
||||
- `name`: The module name. Defaults to resource name.
|
||||
- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.
|
||||
- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.
|
||||
- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.
|
||||
- `cookbook`: Modifies the source cookbook for the `remote_directory`.
|
||||
- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Allow openvpn to write/delete in '/etc/openvpn'
|
||||
selinux_policy_module 'openvpn-googleauthenticator' do
|
||||
content <<-eos
|
||||
module dy-openvpn-googleauthenticator 1.0;
|
||||
|
||||
require {
|
||||
type openvpn_t;
|
||||
type openvpn_etc_t;
|
||||
class file { write unlink };
|
||||
}
|
||||
|
||||
|
||||
#============= openvpn_t ==============
|
||||
allow openvpn_t openvpn_etc_t:file { write unlink };
|
||||
eos
|
||||
action :deploy
|
||||
end
|
||||
```
|
||||
|
||||
### fcontext
|
||||
|
||||
Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.
|
||||
|
||||
Actions:
|
||||
|
||||
- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.
|
||||
- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).
|
||||
- `modify`: Changes the file regexp context if it's already listed (only uses -m).
|
||||
- `delete`: Removes the file regexp context if it's listed (uses -d).
|
||||
|
||||
Properties:
|
||||
|
||||
- `file_spec`: This is the file regexp in question, defaults to resource name.
|
||||
- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`
|
||||
- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info
|
||||
- **a** All files
|
||||
- **f** Regular files
|
||||
- **d** Directory
|
||||
- **c** Character device
|
||||
- **b** Block device
|
||||
- **s** Socket
|
||||
- **l** Symbolic link
|
||||
- **p** Namedpipe
|
||||
|
||||
Example usage (see mysql cookbook for example daemons ):
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Allow http servers (nginx/apache) to modify moodle files
|
||||
selinux_policy_fcontext '/var/www/moodle(/.*)?' do
|
||||
secontext 'httpd_sys_rw_content_t'
|
||||
end
|
||||
|
||||
# Allow a custom mysql daemon to access its files.
|
||||
{'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?",
|
||||
'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf",
|
||||
'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?",
|
||||
'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?",
|
||||
'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?",
|
||||
'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f|
|
||||
selinux_policy_fcontext f do
|
||||
secontext sc
|
||||
end
|
||||
end
|
||||
|
||||
# Adapt a symbolic link
|
||||
selinux_policy_fcontext '/var/www/symlink_to_webroot' do
|
||||
secontext 'httpd_sys_rw_content_t'
|
||||
filetype 'l'
|
||||
end
|
||||
```
|
||||
|
||||
### permissive
|
||||
|
||||
Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.
|
||||
|
||||
Actions:
|
||||
|
||||
- `add`: Adds a permissive, unless it's already added
|
||||
- `delete`: Deletes a permissive if it's listed
|
||||
|
||||
Example usage:
|
||||
|
||||
```ruby
|
||||
include_recipe 'selinux_policy::install'
|
||||
|
||||
# Disable enforcement on Nginx
|
||||
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
|
||||
|
||||
selinux_policy_permissive 'nginx' do
|
||||
notifies :restart, 'service[nginx]'
|
||||
end
|
||||
```
|
||||
|
||||
## Original Author
|
||||
|
||||
[Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))
|
|
@ -0,0 +1,108 @@
|
|||
class Chef
|
||||
module SELinuxPolicy
|
||||
module Helpers
|
||||
require 'chef/mixin/shell_out'
|
||||
include Chef::Mixin::ShellOut
|
||||
# Checks if SELinux is disabled or otherwise unavailable and
|
||||
# whether we're allowed to run when disabled
|
||||
def use_selinux(allow_disabled)
|
||||
begin
|
||||
getenforce = shell_out!(getenforce_cmd)
|
||||
rescue
|
||||
selinux_disabled = true
|
||||
else
|
||||
selinux_disabled = getenforce.stdout =~ /disabled/i
|
||||
end
|
||||
|
||||
# return false only when SELinux is disabled and it's allowed
|
||||
return_val = !selinux_disabled || !(selinux_disabled && allow_disabled)
|
||||
Chef::Log.warn('SELinux is disabled / unreachable, skipping') unless return_val
|
||||
return_val
|
||||
end
|
||||
|
||||
def sebool(new_resource, persist = false)
|
||||
persist_string = persist ? '-P ' : ''
|
||||
new_value = new_resource.value ? 'on' : 'off'
|
||||
execute "selinux-setbool-#{new_resource.name}-#{new_value}" do
|
||||
command "#{setsebool_cmd} #{persist_string} #{new_resource.name} #{new_value}"
|
||||
not_if "#{getsebool_cmd} #{new_resource.name} | grep '#{new_value}$' >/dev/null" unless new_resource.force
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
def module_defined(name)
|
||||
"#{semodule_cmd} -l | grep -w '^#{name}'"
|
||||
end
|
||||
|
||||
def shell_boolean(expression)
|
||||
expression ? 'true' : 'false'
|
||||
end
|
||||
|
||||
def port_defined(protocol, port, label = nil)
|
||||
base_command = "seinfo --portcon=#{port} | grep 'portcon #{protocol}' | awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'"
|
||||
grep = if label
|
||||
"grep -P '#{Regexp.escape(label)}'"
|
||||
else
|
||||
'grep -q ^'
|
||||
end
|
||||
"#{base_command} | #{grep}"
|
||||
end
|
||||
|
||||
def validate_port(port)
|
||||
raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
|
||||
end
|
||||
|
||||
def fcontext_defined(file_spec, file_type, label = nil)
|
||||
file_hash = {
|
||||
'a' => 'all files',
|
||||
'f' => 'regular file',
|
||||
'd' => 'directory',
|
||||
'c' => 'character device',
|
||||
'b' => 'block device',
|
||||
's' => 'socket',
|
||||
'l' => 'symbolic link',
|
||||
'p' => 'named pipe',
|
||||
}
|
||||
|
||||
label_matcher = label ? "system_u:object_r:#{Regexp.escape(label)}:s0\\s*$" : ''
|
||||
"#{semanage_cmd} fcontext -l | grep -qP '^#{Regexp.escape(file_spec)}\\s+#{Regexp.escape(file_hash[file_type])}\\s+#{label_matcher}'"
|
||||
end
|
||||
|
||||
def semanage_options(file_type)
|
||||
# Set options for file_type
|
||||
if node['platform_family'].include?('rhel') && Chef::VersionConstraint.new('< 7.0').include?(node['platform_version'])
|
||||
case file_type
|
||||
when 'a' then '-f ""'
|
||||
when 'f' then '-f --'
|
||||
else; "-f -#{file_type}"
|
||||
end
|
||||
else
|
||||
"-f #{file_type}"
|
||||
end
|
||||
end
|
||||
|
||||
require 'chef/mixin/which'
|
||||
include Chef::Mixin::Which
|
||||
|
||||
def setsebool_cmd
|
||||
@setsebool_cmd ||= which('setsebool')
|
||||
end
|
||||
|
||||
def getsebool_cmd
|
||||
@getsebool_cmd ||= which('getsebool')
|
||||
end
|
||||
|
||||
def getenforce_cmd
|
||||
@getenforce_cmd ||= which('getenforce')
|
||||
end
|
||||
|
||||
def semanage_cmd
|
||||
@semanage_cmd ||= which('semanage')
|
||||
end
|
||||
|
||||
def semodule_cmd
|
||||
@semodule_cmd ||= which('semodule')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
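Review bot: `use_selinux` fails open: the bare `rescue` around `shell_out!(getenforce_cmd)` turns any failure — including `which('getenforce')` returning a falsy value, which presumably makes `shell_out!` raise — into "SELinux disabled", and with the default `allow_disabled: true` every policy resource is then skipped with only a warning, so a missing binary or transient shell error silently disables enforcement of the intended policy. Narrowing the rescue, e.g. `rescue Errno::ENOENT, Mixlib::ShellOut::ShellCommandFailed`, and raising when `getenforce_cmd` is nil would make the skip deliberate rather than accidental. Separately, `sebool`, `fcontext_defined` and `port_defined` interpolate resource properties (`new_resource.name`, `file_spec`, `port`) straight into shell command strings — `Regexp.escape` is not shell quoting, so a `file_spec` containing a single quote breaks out of the `-qP '…'` argument, and the same applies to the `command` strings in the fcontext resource's `:add`, `:modify` and `:delete` actions later in this commit; `Shellwords.escape` (the relabel action already uses `.shellescape`) is the right tool. This file looks like a vendored copy of selinux_policy 2.4.3, so the fix belongs upstream or in a wrapper, but the fail-open default is worth knowing before pinning it.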
@ -0,0 +1 @@
|
|||
{"name":"selinux_policy","version":"2.4.3","description":"Manages SELinux policy components","long_description":"","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","amazon":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/sous-chefs/selinux_policy","issues_url":"https://github.com/sous-chefs/selinux_policy/issues","chef_version":[[">= 13.0"]],"ohai_version":[]}
|
|
@ -0,0 +1,16 @@
|
|||
name 'selinux_policy'
|
||||
maintainer 'Chef Software, Inc.'
|
||||
maintainer_email 'cookbooks@chef.io'
|
||||
license 'Apache-2.0'
|
||||
description 'Manages SELinux policy components'
|
||||
source_url 'https://github.com/sous-chefs/selinux_policy'
|
||||
issues_url 'https://github.com/sous-chefs/selinux_policy/issues'
|
||||
chef_version '>= 13.0'
|
||||
version '2.4.3'
|
||||
|
||||
supports 'redhat'
|
||||
supports 'centos'
|
||||
supports 'fedora'
|
||||
supports 'ubuntu'
|
||||
supports 'debian'
|
||||
supports 'amazon'
|
|
@ -0,0 +1 @@
|
|||
# Nothing here
|
|
@ -0,0 +1 @@
|
|||
selinux_policy_install 'install'
|
|
@ -0,0 +1,19 @@
|
|||
# A resource for managing SELinux Booleans
|
||||
|
||||
property :value, [true, false]
|
||||
property :force, [true, false], default: false
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
# Set and persist
|
||||
action :setpersist do
|
||||
sebool(new_resource, true)
|
||||
end
|
||||
|
||||
# Set for now, without persisting
|
||||
action :set do
|
||||
sebool(new_resource, false)
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
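Review bot: `property :value, [true, false]` is not marked required, and the `sebool` helper maps a nil value to `'off'` via `new_resource.value ? 'on' : 'off'`, so a `selinux_policy_boolean` that forgets `value` silently turns the boolean off instead of failing. `property :value, [true, false], required: true` would surface the omission at compile time rather than at enforcement. If this file is a vendored copy, the change belongs upstream, but wrapper recipes in this repo should at least always pass `value` explicitly.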
@ -0,0 +1,71 @@
|
|||
# Manages file specs in SELinux
|
||||
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
|
||||
|
||||
property :file_spec, String, name_property: true
|
||||
property :secontext, String
|
||||
property :file_type, String, default: 'a', equal_to: %w(a f d c b s l p)
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :addormodify do
|
||||
run_action(:add)
|
||||
run_action(:modify)
|
||||
end
|
||||
|
||||
# Run restorecon to fix label
|
||||
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
|
||||
action :relabel do
|
||||
converge_by 'relabel' do
|
||||
spec = new_resource.file_spec
|
||||
escaped = Regexp.escape spec
|
||||
|
||||
common =
|
||||
if spec == escaped
|
||||
spec
|
||||
else
|
||||
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
|
||||
::File.dirname spec[0...index]
|
||||
end
|
||||
|
||||
# Just in case the spec is very weird...
|
||||
common = '/' if common[0] != '/'
|
||||
|
||||
if ::File.exist? common
|
||||
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 2>/dev/null | xargs -0 restorecon -iRv")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Create if doesn't exist, do not touch if fcontext is already registered
|
||||
action :add do
|
||||
execute "selinux-fcontext-#{new_resource.secontext}-add" do
|
||||
command "#{semanage_cmd} fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
|
||||
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
notifies :relabel, new_resource, :immediately
|
||||
end
|
||||
end
|
||||
|
||||
# Delete if exists
|
||||
action :delete do
|
||||
execute "selinux-fcontext-#{new_resource.secontext}-delete" do
|
||||
command "#{semanage_cmd} fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
|
||||
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
notifies :relabel, new_resource, :immediately
|
||||
end
|
||||
end
|
||||
|
||||
action :modify do
|
||||
execute "selinux-fcontext-#{new_resource.secontext}-modify" do
|
||||
command "#{semanage_cmd} fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
|
||||
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
|
||||
notifies :relabel, new_resource, :immediately
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
include Chef::Mixin::Which
|
||||
end
|
|
@ -0,0 +1,32 @@
|
|||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :install do
|
||||
case node['platform_family']
|
||||
when 'debian'
|
||||
raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if platform?('ubuntu')
|
||||
|
||||
execute 'selinux-activate' do
|
||||
action :nothing
|
||||
end
|
||||
|
||||
package %w(selinux-policy-default selinux-basics auditd) do
|
||||
notifies :run, 'execute[selinux-activate]', :immediately
|
||||
end
|
||||
|
||||
when 'rhel'
|
||||
case node['platform_version'].to_i
|
||||
when 6
|
||||
package %w(policycoreutils-python selinux-policy setools-console make)
|
||||
when 7
|
||||
package %w(policycoreutils-python selinux-policy-devel setools-console make)
|
||||
when 8
|
||||
package %w(policycoreutils-python-utils selinux-policy-devel setools-console make)
|
||||
else
|
||||
raise 'Unknown version of RHEL/derivative, cannot determine required package names'
|
||||
end
|
||||
when 'fedora'
|
||||
package %w(policycoreutils-python selinux-policy-devel setools-console make)
|
||||
else
|
||||
raise 'Unknown distro, cannot determine required package names'
|
||||
end
|
||||
end
|
|
@ -0,0 +1,75 @@
|
|||
# A resource for managing SE modules
|
||||
|
||||
property :module_name, String, name_property: true
|
||||
property :force, [true, false], default: false
|
||||
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" } # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
|
||||
# Content options:
|
||||
property :content, String # provide a 'te' file directly. Optional
|
||||
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
|
||||
property :cookbook, String # Related to directory
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :deploy do
|
||||
run_action(:fetch)
|
||||
run_action(:compile)
|
||||
run_action(:install)
|
||||
end
|
||||
|
||||
# Get all the components in the right place
|
||||
action :fetch do
|
||||
directory new_resource.directory do
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
|
||||
raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
|
||||
|
||||
if new_resource.directory_source
|
||||
remote_directory new_resource.directory do
|
||||
source new_resource.directory_source
|
||||
cookbook new_resource.cookbook
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
if new_resource.content
|
||||
file "#{new_resource.directory}/#{new_resource.module_name}.te" do
|
||||
content new_resource.content
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
action :compile do
|
||||
make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
|
||||
execute "semodule-compile-#{new_resource.module_name}" do
|
||||
command make_command
|
||||
not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
cwd new_resource.directory
|
||||
end
|
||||
end
|
||||
|
||||
# deploy / upgrade module
|
||||
# XXX this looks ugly because CentOS 6.X doesn't support extracting
|
||||
# SELinux modules from the current policy, which I planned on comparing
|
||||
# to my compiled file. I'll be happy to see anything else (that works).
|
||||
action :install do
|
||||
filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
|
||||
execute "semodule-install-#{new_resource.module_name}" do
|
||||
command "#{semodule_cmd} -i #(unknown)"
|
||||
only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action :remove do
|
||||
execute "semodule-remove-#{new_resource.module_name}" do
|
||||
command "#{semodule_cmd} -r #{new_resource.module_name}"
|
||||
only_if module_defined(new_resource.module_name)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -0,0 +1,25 @@
|
|||
# a resource for managing selinux permissive contexts
|
||||
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
# Create if doesn't exist, do not touch if port is already registered (even under different type)
|
||||
action :add do
|
||||
execute "selinux-permissive-#{new_resource.name}-add" do
|
||||
command "#{semanage_cmd} permissive -a '#{new_resource.name}'"
|
||||
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
# Delete if exists
|
||||
action :delete do
|
||||
execute "selinux-port-#{new_resource.name}-delete" do
|
||||
command "#{semanage_cmd} permissive -d '#{new_resource.name}'"
|
||||
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -0,0 +1,50 @@
|
|||
# Manages a port assignment in SELinux
|
||||
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
|
||||
|
||||
property :port, [Integer, String], name_property: true
|
||||
property :protocol, String, equal_to: %w(tcp udp)
|
||||
property :secontext, String
|
||||
property :allow_disabled, [true, false], default: true
|
||||
|
||||
action :addormodify do
|
||||
# TODO: We can be a bit more clever here, and try to detect if it's already
|
||||
# there then modify
|
||||
# Try to add new port
|
||||
run_action(:add)
|
||||
# Try to modify existing port
|
||||
run_action(:modify)
|
||||
end
|
||||
|
||||
# Create if doesn't exist, do not touch if port is already registered (even under different type)
|
||||
action :add do
|
||||
validate_port(new_resource.port)
|
||||
execute "selinux-port-#{new_resource.port}-add" do
|
||||
command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
|
||||
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
|
||||
not_if port_defined(new_resource.protocol, new_resource.port)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
# Delete if exists
|
||||
action :delete do
|
||||
validate_port(new_resource.port)
|
||||
execute "selinux-port-#{new_resource.port}-delete" do
|
||||
command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
|
||||
only_if port_defined(new_resource.protocol, new_resource.port)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action :modify do
|
||||
execute "selinux-port-#{new_resource.port}-modify" do
|
||||
command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
|
||||
only_if port_defined(new_resource.protocol, new_resource.port)
|
||||
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
|
||||
only_if { use_selinux(new_resource.allow_disabled) }
|
||||
end
|
||||
end
|
||||
|
||||
action_class do
|
||||
include Chef::SELinuxPolicy::Helpers
|
||||
end
|
|
@ -13,7 +13,8 @@
|
|||
"ipaddress": "192.168.122.148",
|
||||
"roles": [
|
||||
"btcpay",
|
||||
"postgresql_client"
|
||||
"postgresql_client",
|
||||
"redis_local"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
|
@ -26,8 +27,9 @@
|
|||
"kosmos-bitcoin::dotnet",
|
||||
"kosmos-bitcoin::nbxplorer",
|
||||
"kosmos-bitcoin::btcpay",
|
||||
"tor-full",
|
||||
"tor-full::default",
|
||||
"redisio",
|
||||
"redisio::default",
|
||||
"redisio::enable",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -62,6 +64,11 @@
|
|||
"nginx::commons_script",
|
||||
"nginx::commons_conf",
|
||||
"kosmos-nginx::firewall",
|
||||
"redisio::_install_prereqs",
|
||||
"redisio::install",
|
||||
"ulimit::default",
|
||||
"redisio::disable_os_default",
|
||||
"redisio::configure",
|
||||
"kosmos-base::letsencrypt"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
|
@ -85,6 +92,6 @@
|
|||
"recipe[kosmos-bitcoin::lnd]",
|
||||
"recipe[kosmos-bitcoin::rtl]",
|
||||
"role[btcpay]",
|
||||
"recipe[tor-full]"
|
||||
"role[redis_local]"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
name "redis_local"
|
||||
|
||||
run_list %w(
|
||||
redisio::default
|
||||
redisio::enable
|
||||
)
|
||||
|
||||
default_attributes({})
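Review bot: `default_attributes({})` sets nothing, so every setting of the Redis instance comes from the redisio 5.0.0 cookbook defaults, and the role name `redis_local` does not by itself constrain where the server listens. If the intent is a loopback-only instance for btcpay, stating that in the role (the cookbook's `servers` attribute takes the per-instance address and port) would make the security posture explicit instead of inherited from a version pin that the Berksfile already marks as temporary. A one-line comment such as `# Local-only Redis for services on this host; listen address intentionally left to the cookbook default` would at least record the decision until that is done.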
|