kosmos/chef
kosmos
/
chef
8
3
Fork 0
Code Issues 34 Pull Requests 1 Projects 1 Activity

Use older Redis cookbook, install on bitcoin-2

This commit is contained in:
Basti 2021-11-16 14:11:42 -06:00
parent 18f65c4fc5
commit 4b9183d78d
Signed by untrusted user: basti
GPG Key ID: 9F88009D31D99C72
59 changed files with 886 additions and 1639 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Berksfile
View File

@ -8,7 +8,7 @@ cookbook 'mediawiki',
cookbook 'redis',
git: 'https://github.com/phlipper/chef-redis.git',
ref: 'v0.5.6'
cookbook 'redisio', '~> 6.1.0'
cookbook 'redisio', '= 5.0.0' # TODO upgrade to 6.x when we use Chef 16
cookbook 'postfix', '= 5.0.2'
cookbook 'php', '~> 8.0.0'
cookbook 'composer', '~> 2.7.0'

9
Berksfile.lock
View File

@ -48,7 +48,7 @@ DEPENDENCIES
git: https://github.com/phlipper/chef-redis.git
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
ref: v0.5.6
redisio (~> 6.1.0)
redisio (= 5.0.0)
timezone_iii (= 1.0.4)
ulimit (~> 1.0.0)
users (~> 5.3.1)
@ -151,9 +151,10 @@ GRAPH
postfix (5.0.2)
redis (0.5.6)
apt (>= 0.0.0)
redisio (6.1.0)
selinux (>= 0.0.0)
selinux (6.0.1)
redisio (5.0.0)
selinux_policy (>= 2.2.0)
ulimit (>= 0.1.2)
selinux_policy (2.4.3)
seven_zip (3.1.1)
windows (>= 0.0.0)
timezone_iii (1.0.4)

17
cookbooks/redisio/CHANGELOG.md
View File

@ -1,26 +1,9 @@
# redisio
This file is used to list changes made in each version of the redisio cookbook.
## 6.1.0 - *2021-09-15*
- Add protected mode to sentinel configuration file
## 6.0.0 - *2021-09-09*
- Set unified_mode true for Chef 17+ support
- Require Chef 15.3+ for unified_mode
- Require Chef 16 for user_ulimit resource
- Remove dependency on the ulimit cookbook
- Switch from using the selinux_policy cookbook to the selinux cookbook
- The selinux_policy cookbook is now deprecated. The resources have been moved
to the selinux cookbook
## 5.0.0 - *2021-09-08*
- resolved cookstyle error: attributes/default.rb:74:40 refactor: `Chef/Modernize/UseChefLanguageSystemdHelper`
## 4.3.2 - *2021-08-30*
- Standardise files with files in sous-chefs/repo-management

3
cookbooks/redisio/README.md
View File

@ -413,8 +413,7 @@ The sentinel recipe's use their own attribute file.
'logfile' => nil,
'syslogenabled' => 'yes',
'syslogfacility' => 'local0',
'quorum_count' => 2,
'protected-mode' => nil,
'quorum_count' => 2
```
* `redisio['redisio']['sentinel']['manage_config']` - Should the cookbook manage the redis and redis sentinel config files. This is best set to false when using redis_sentinel as it will write state into both configuration files.

7
cookbooks/redisio/attributes/default.rb
View File

@ -162,10 +162,3 @@ default['redisio']['bin_path'] = if node['redisio']['package_install']
else
'/usr/local/bin'
end
# Ulimit
default['ulimit']['pam_su_template_cookbook'] = nil
default['ulimit']['users'] = Mash.new
default['ulimit']['security_limits_directory'] = '/etc/security/limits.d'
default['ulimit']['ulimit_overriding_sudo_file_name'] = 'sudo'
default['ulimit']['ulimit_overriding_sudo_file_cookbook'] = nil

1
cookbooks/redisio/attributes/redis_sentinel.rb
View File

@ -26,7 +26,6 @@ default['redisio']['sentinel_defaults'] = {
'announce-port' => nil,
'notification-script' => nil,
'client-reconfig-script' => nil,
'protected_mode' => nil,
}
# Manage Sentinel Config File

8
cookbooks/redisio/files/sudo
View File

@ -1,8 +0,0 @@
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
session required pam_limits.so
@include common-auth
@include common-account
@include common-session-noninteractive

7
cookbooks/redisio/metadata.json
View File

@ -16,7 +16,8 @@
"ubuntu": ">= 0.0.0"
},
"dependencies": {
"selinux": ">= 0.0.0"
"ulimit": ">= 0.1.2",
"selinux_policy": ">= 2.2.0"
},
"providing": {
@ -24,13 +25,13 @@
"recipes": {
},
"version": "6.1.0",
"version": "5.0.0",
"source_url": "https://github.com/sous-chefs/redisio",
"issues_url": "https://github.com/sous-chefs/redisio/issues",
"privacy": false,
"chef_versions": [
[
">= 16"
">= 15.5"
]
],
"ohai_versions": [

7
cookbooks/redisio/metadata.rb
View File

@ -3,10 +3,10 @@ maintainer 'Sous Chefs'
maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Installs and configures redis'
version '6.1.0'
version '5.0.0'
source_url 'https://github.com/sous-chefs/redisio'
issues_url 'https://github.com/sous-chefs/redisio/issues'
chef_version '>= 16'
chef_version '>= 15.5'
%w(
amazon
@ -21,4 +21,5 @@ chef_version '>= 16'
supports os
end
depends 'selinux'
depends 'ulimit', '>= 0.1.2'
depends 'selinux_policy', '>= 2.2.0'

3
cookbooks/redisio/providers/sentinel.rb
View File

@ -151,8 +151,7 @@ def configure
announce_ip: current['announce-ip'],
announce_port: current['announce-port'],
notification_script: current['notification-script'],
client_reconfig_script: current['client-reconfig-script'],
protected_mode: current['protected_mode']
client_reconfig_script: current['client-reconfig-script']
)
not_if { ::File.exist?("#{current['configdir']}/#{sentinel_name}.conf.breadcrumb") }
end

2
cookbooks/redisio/recipes/configure.rb
View File

@ -1,5 +1,5 @@
include_recipe 'redisio::default'
include_recipe 'redisio::ulimit'
include_recipe 'ulimit::default'
redis = node['redisio']

12
cookbooks/redisio/recipes/default.rb
View File

@ -1,4 +1,14 @@
apt_update
# debian 6.0.x fails the build_essential recipe without an apt-get update prior to run
if platform?('debian', 'ubuntu')
execute 'apt-get-update-periodic' do
command 'apt-get update'
ignore_failure true
only_if do
!File.exist?('/var/lib/apt/periodic/update-success-stamp') ||
File.mtime('/var/lib/apt/periodic/update-success-stamp') < Time.now - 86400
end
end
end
unless node['redisio']['package_install']
include_recipe 'redisio::_install_prereqs'

2
cookbooks/redisio/recipes/install.rb
View File

@ -19,4 +19,4 @@ else
end
end
include_recipe 'redisio::ulimit'
include_recipe 'ulimit::default'

2
cookbooks/redisio/recipes/sentinel.rb
View File

@ -1,6 +1,6 @@
include_recipe 'redisio::_install_prereqs'
include_recipe 'redisio::install'
include_recipe 'redisio::ulimit'
include_recipe 'ulimit::default'
redis = node['redisio']

25
cookbooks/redisio/recipes/ulimit.rb
View File

@ -1,25 +0,0 @@
# Pulled from the now replaced ulimit cookbook
# TODO: find a more tidy way to do this
ulimit = node['ulimit']
if platform_family?('debian')
template '/etc/pam.d/su' do
cookbook ulimit['pam_su_template_cookbook']
end
cookbook_file '/etc/pam.d/sudo' do
cookbook node['ulimit']['ulimit_overriding_sudo_file_cookbook']
source node['ulimit']['ulimit_overriding_sudo_file_name']
mode '0644'
end
end
if ulimit.key?('users')
ulimit['users'].each do |user, attributes|
user_ulimit user do
attributes.each do |a, v|
send(a.to_sym, v)
end
end
end
end

2
cookbooks/redisio/resources/configure.rb
View File

@ -1,5 +1,5 @@
actions :run
unified_mode true
default_action :run
# Configuration attributes

2
cookbooks/redisio/resources/install.rb
View File

@ -1,5 +1,5 @@
actions :run
unified_mode true
default_action :run
# Installation attributes

2
cookbooks/redisio/resources/sentinel.rb
View File

@ -1,5 +1,5 @@
actions :run
unified_mode true
default_action :run
# Configuration attributes

9
cookbooks/redisio/templates/default/domain.erb
View File

@ -1,9 +0,0 @@
<%
node.run_state[:ulimit][@domain].each do |item, entries|
entries.each do |type, value|
-%>
<%= @domain %> <%= type %> <%= item %> <%= value %>
<%
end
end
-%>

6
cookbooks/redisio/templates/default/sentinel.conf.erb
View File

@ -11,14 +11,10 @@ syslog-ident redis-<%= @name %>
syslog-facility <%= @syslogfacility %>
<%= "logfile #{@logfile}" unless @logfile.nil? %>
# bind sentinel IP
<% if @sentinel_bind %>
bind <%=@sentinel_bind%>
<% end %>
<% if @protected_mode %>
<%= "protected-mode #{@protected_mode}" %>
<% end %>
# port <sentinel-port>
# The port that this sentinel instance will run on
port <%=@sentinel_port%>

62
cookbooks/redisio/templates/default/su.erb
View File

@ -1,62 +0,0 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This file modified by Chef to enable ulimit switching with `su`
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

32
cookbooks/redisio/templates/default/ulimit.erb
View File

@ -1,32 +0,0 @@
# Limits settings for <%= @ulimit_user %>
<% unless @filehandle_limit.nil? -%>
<%= @ulimit_user -%> - nofile <%= @filehandle_limit %>
<% else -%><% unless @filehandle_soft_limit.nil? -%><%= @ulimit_user -%> soft nofile <%= @filehandle_soft_limit %><% end -%>
<% unless @filehandle_hard_limit.nil? -%><%= @ulimit_user -%> hard nofile <%= @filehandle_hard_limit %><% end -%>
<% end -%>
<% unless @process_limit.nil? -%>
<%= @ulimit_user -%> - nproc <%= @process_limit %>
<% else -%><% unless @process_soft_limit.nil? -%><%= @ulimit_user -%> soft nproc <%= @process_soft_limit %><% end -%>
<% unless @process_hard_limit.nil? -%><%= @ulimit_user -%> hard nproc <%= @process_hard_limit %><% end -%>
<% end -%>
<% unless @memory_limit.nil? -%>
<%= @ulimit_user -%> - memlock <%= @memory_limit %>
<% end -%>
<% unless @core_limit.nil? -%>
<%= @ulimit_user -%> - core <%= @core_limit %>
<% else -%><% unless @core_soft_limit.nil? -%><%= @ulimit_user -%> soft core <%= @core_soft_limit %><% end -%>
<% unless @core_hard_limit.nil? -%><%= @ulimit_user -%> hard core <%= @core_hard_limit %><% end -%>
<% end -%>
<% unless @stack_limit.nil? -%>
<%= @ulimit_user -%> - stack <%= @stack_limit %>
<% else -%><% unless @stack_soft_limit.nil? -%><%= @ulimit_user -%> soft stack <%= @stack_soft_limit %><% end -%>
<% unless @stack_hard_limit.nil? -%><%= @ulimit_user -%> hard stack <%= @stack_hard_limit %><% end -%>
<% end -%>
<% unless @rtprio_limit.nil? -%>
<%= @ulimit_user -%> - rtprio <%= @rtprio_limit %>
<% else -%><% unless @rtprio_soft_limit.nil? -%><%= @ulimit_user -%> soft rtprio <%= @rtprio_soft_limit %><% end -%>
<% unless @rtprio_hard_limit.nil? -%><%= @ulimit_user -%> hard rtprio <%= @rtprio_hard_limit %><% end -%>
<% end -%>
<% unless @virt_limit.nil? -%>
<%= @ulimit_user -%> - as <%= @virt_limit %>
<% end -%>

184
cookbooks/selinux/CHANGELOG.md
View File

@ -1,184 +0,0 @@
# selinux Cookbook CHANGELOG
This file is used to list changes made in each version of the selinux cookbook.
## 6.0.1 - *2021-11-03*
- Correctly parse ports with multple contexts
## 6.0.0 - *2021-09-02*
- Import `selinux_policy` resources into this cookbook (`_fcontext`, `_permissive`, and `_port`)
- `selinux_policy_module` not imported since it is a duplicate of `selinux_module`
### Deprecations
- `selinux_fcontext` action `addormodify` renamed to `manage`
- `selinux_port` action `addormodify` renamed to `manage`
## 5.1.1 - *2021-08-30*
- Standardise files with files in sous-chefs/repo-management
## 5.1.0 - *2021-08-21*
- Fix `selinux_install` on Alma Linux / Oracle Linux
## 5.0.0 - *2021-08-10*
### Note: With version 5.0.0 the default recipe has been removed
- Major refactoring
- Restore support for Debian based distros
- All resources now use unified_mode
- Added selinux_boolean resource
- Remove attributes and default recipe
- Replaced with a set of bare recipes for the three selinux states
- Add automatic restart function to `selinux_state` resource
## 4.0.0 - *2021-07-21*
- Sous Chefs adoption
- Enable `unified_mode` for Chef 17 compatibility
- Update test platforms
## 3.1.1 (2020-09-29)
- Move `default['selinux']['status']` attribute to `default['selinux']['state']` to avoid conflicts with Ohai in Chef Infra Client 16 - [@shoekstra](https://github.com/shoekstra)
## 3.1.0 (2020-09-29)
- Cookstyle Bot Auto Corrections with Cookstyle 6.16.8 - [@cookstyle](https://github.com/cookstyle)
- Add a new `node['selinux']['install_mcstrans_package']` attribute to control installation of the mcdtrans package. This default to true to maintain existing functionality. - [@kapilchouhan99](https://github.com/kapilchouhan99)
## 3.0.2 (2020-08-25)
- Fix failures in CI- [@shoekstra](https://github.com/shoekstra)
- Specify platform to SoloRunner - [@shoekstra](https://github.com/shoekstra)
- Remove unnecessary Foodcritic comments - [@tas50](https://github.com/tas50)
- Notify :immediately not :immediate - [@tas50](https://github.com/tas50)
- Add Github actions testing of style/unit - [@tas50](https://github.com/tas50)
- [GH-67] - Do not try to modify frozen checksum - [@vzDevelopment](https://github.com/vzDevelopment)
- Standardise files with files in chef-cookbooks/repo-management - [@xorimabot](https://github.com/xorimabot)
## 3.0.1 (2019-11-14)
- Remove the deprecated ChefSpec report - [@tas50](https://github.com/tas50)
- Allow "-" and "_" for module names - [@ramereth](https://github.com/ramereth)
- Update Fedora versions we test on - [@tas50](https://github.com/tas50)
## 3.0.0 (2019-06-06)
- Support for SELinux Modules, via new resource `selinux_module`, able to compile `.te` files, install and remove modules;
- Improving test coverage for all resources
- Remove support for Ubuntu/Debian
- Require Chef 13+
## 2.1.1 (2018-06-07)
- Do not execute setenforce 1 always
- Remove chefspec matchers that are autogenerated now
- Chef 13 Fixes
## 2.1.0 (2017-09-15)
- Simplify Travis config and fix ChefDK 2.0 failures
- Use bento slugs in Kitchen
- Remove maintainer files
- More cleanup of the maintainer files
- Speed up install with multi-package install
## 2.0.3 (2017-06-13)
- Fix boolean check within default recipe
## 2.0.2 (2017-06-05)
- Permissive guard should grep for permissive not just disabled
## 2.0.1 (2017-05-30)
- Remove class_eval usage
## 2.0.0 (2017-05-15)
- Deprecate debian family support
- Make default for rhel family use setenforce regardless of whether a temporary change or not. Eliminates the requirement for a required reboot to effect change in the running system.
## 1.0.4 (2017-04-17)
- Switch to local delivery for testing
- Use the standard apache license string
- Updates for early Chef 12 and Chef 13 compatibility
- Update and add copyright blocks to the various files
## 1.0.3 (2017-03-14)
- Fix requirement in metadata to reflect need for Chef 12.7 as using action_class in state resource.
## 1.0.2 (2017-03-01)
- Remove setools* packages from install resource (utility to analyze and query policies, monitor and report audit logs, and manage file context). Future versions of this cookbook that might use this need to handle package install on Oracle Linux as not available in default repo.
## 1.0.1 (2017-02-26)
- Fix logic error in the permissive state change
## 1.0.0 (2017-02-26)
- **BREAKING CHANGE** `node['selinux']['state']` is now `node['selinux']['status']` to meet Chef 13 requirements.
- Update to current cookbook engineering standards
- Rewrite LWRP to 12.5 resources
- Resolved cookstyle errors
- Update package information for debian based on <https://debian-handbook.info/browse/stable/sect.selinux.html>
- selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected.
- Add property temporary to allow for switching between permissive and enabled
- Add install resource
## v0.9.0 (2015-02-22)
- Initial Debian / Ubuntu support
- Various bug fixes
## v0.8.0 (2014-04-23)
- [COOK-4528] - Fix selinux directory permissions
- [COOK-4562] - Basic support for Ubuntu/Debian
## v0.7.2 (2014-03-24)
handling minimal installs
## v0.7.0 (2014-02-27)
[COOK-4218] Support setting SELinux boolean values
## v0.6.2
- Fixing bug introduced in 0.6.0
- adding basic test-kitchen coverage
## v0.6.0
- [COOK-760] - selinux enforce/permit/disable based on attribute
## v0.5.6
- [COOK-2124] - enforcing recipe fails if selinux is disabled
## v0.5.4
- [COOK-1277] - disabled recipe fails on systems w/o selinux installed
## v0.5.2
- [COOK-789] - fix dangling commas causing syntax error on some rubies
## v0.5.0
- [COOK-678] - add the selinux cookbook to the repository
- Use main selinux config file (/etc/selinux/config)
- Use getenforce instead of selinuxenabled for enforcing and permissive

201
cookbooks/selinux/LICENSE
View File

@ -1,201 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

81
cookbooks/selinux/README.md
View File

@ -1,81 +0,0 @@
# SELinux Cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/selnux.svg)](https://supermarket.chef.io/cookbooks/selinux)
[![CI State](https://github.com/sous-chefs/selinux/workflows/ci/badge.svg)](https://github.com/sous-chefs/selinux/actions?query=workflow%3Aci)
[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
## Description
The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state.
SELinux can have one of three settings:
`Enforcing`
- Watches all system access checks, stops all 'Denied access'
- Default mode on RHEL systems
`Permissive`
- Allows access but reports violations
`Disabled`
- Disables SELinux from the system but is only read at boot time. If you set this flag, you must reboot.
Disable SELinux only if you plan to not use it. Use `Permissive` mode if you just need to debug your system.
## Requirements
- Chef 15.3 or higher
## Platform
- RHEL 7+
- CentOS 7+
- Fedora
- Ubuntu
- Debian
## Resources
The following resources are provided:
- [selinux_boolean](documentation/selinux_boolean.md)
- [selinux_fcontext](documentation/selinux_fcontext.md)
- [selinux_install](documentation/selinux_install.md)
- [selinux_module](documentation/selinux_module.md)
- [selinux_permissive](documentation/selinux_permissive.md)
- [selinux_port](documentation/selinux_port.md)
- [selinux_state](documentation/selinux_state.md)
## Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If youd like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
## Contributors
This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
### Backers
Thank you to all our backers!
![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
### Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)

115
cookbooks/selinux/chefignore
View File

@ -1,115 +0,0 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

17
cookbooks/selinux/libraries/boolean.rb
View File

@ -1,17 +0,0 @@
module SELinux
module Cookbook
module BooleanHelpers
def selinux_bool(bool)
if ['on', 'true', '1', true, 1].include?(bool)
'on'
elsif ['off', 'false', '0', false, 0].include?(bool)
'off'
else
raise ArgumentError, "selinux_bool: Invalid selinux boolean value #{bool}"
end
end
module_function :selinux_bool
end
end
end

22
cookbooks/selinux/libraries/install.rb
View File

@ -1,22 +0,0 @@
module SELinux
module Cookbook
module InstallHelpers
def default_install_packages
case node['platform_family']
when 'rhel', 'fedora', 'amazon'
%w(make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
when 'debian'
if node['platform'] == 'ubuntu'
if node['platform_version'].to_f == 18.04
%w(make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
else
%w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
end
else
%w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
end
end
end
end
end
end

43
cookbooks/selinux/libraries/state.rb
View File

@ -1,43 +0,0 @@
module SELinux
module Cookbook
module StateHelpers
def selinux_disabled?
selinux_state.eql?(:disabled)
end
def selinux_enforcing?
selinux_state.eql?(:enforcing)
end
def selinux_permissive?
selinux_state.eql?(:permissive)
end
def state_change_reboot_required?
(selinux_disabled? && %i(enforcing permissive).include?(action)) || ((selinux_enforcing? || selinux_permissive?) && action == :disabled)
end
def selinux_state
state = shell_out!('getenforce').stdout.strip.downcase.to_sym
raise "Got unknown SELinux state #{state}" unless %i(disabled enforcing permissive).include?(state)
state
end
def selinux_activate_required?
return false unless platform_family?('debian')
!File.read('/etc/default/grub').match?('security=selinux')
end
def default_policy_platform
case node['platform_family']
when 'rhel', 'fedora', 'amazon'
'targeted'
when 'debian'
'default'
end
end
end
end
end

43
cookbooks/selinux/metadata.json
View File

@ -1,43 +0,0 @@
{
"name": "selinux",
"description": "Manages SELinux policy state and rules.",
"long_description": "",
"maintainer": "Sous Chefs",
"maintainer_email": "help@sous-chefs.org",
"license": "Apache-2.0",
"platforms": {
"redhat": ">= 0.0.0",
"centos": ">= 0.0.0",
"scientific": ">= 0.0.0",
"oracle": ">= 0.0.0",
"amazon": ">= 0.0.0",
"fedora": ">= 0.0.0",
"debian": ">= 0.0.0",
"ubuntu": ">= 0.0.0"
},
"dependencies": {
},
"providing": {
},
"recipes": {
},
"version": "6.0.1",
"source_url": "https://github.com/sous-chefs/selinux",
"issues_url": "https://github.com/sous-chefs/selinux/issues",
"privacy": false,
"chef_versions": [
[
">= 15.3"
]
],
"ohai_versions": [
],
"gems": [
],
"eager_load_libraries": true
}

13
cookbooks/selinux/metadata.rb
View File

@ -1,13 +0,0 @@
name 'selinux'
maintainer 'Sous Chefs'
maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Manages SELinux policy state and rules.'
version '6.0.1'
source_url 'https://github.com/sous-chefs/selinux'
issues_url 'https://github.com/sous-chefs/selinux/issues'
chef_version '>= 15.3'
%w(redhat centos scientific oracle amazon fedora debian ubuntu).each do |os|
supports os
end

23
cookbooks/selinux/recipes/disabled.rb
View File

@ -1,23 +0,0 @@
#
# Cookbook:: selinux
# Recipe:: disabled
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
selinux_install 'selinux'
selinux_state 'disabled' do
automatic_reboot true
action :disabled
end

24
cookbooks/selinux/recipes/enforcing.rb
View File

@ -1,24 +0,0 @@
#
# Cookbook:: selinux
# Recipe:: enforcing
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
selinux_install 'selinux'
selinux_state 'enforcing' do
automatic_reboot true
action :enforcing
end

23
cookbooks/selinux/recipes/permissive.rb
View File

@ -1,23 +0,0 @@
#
# Cookbook:: selinux
# Recipe:: permissive
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
selinux_install 'selinux'
selinux_state 'permissive' do
automatic_reboot true
action :permissive
end

56
cookbooks/selinux/resources/boolean.rb
View File

@ -1,56 +0,0 @@
#
# Cookbook:: selinux
# Resource:: boolean
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :boolean, String,
name_property: true,
description: 'SELinux boolean to set'
property :value, [Integer, String, true, false],
required: true,
equal_to: %w(on off),
coerce: proc { |p| SELinux::Cookbook::BooleanHelpers.selinux_bool(p) },
description: 'SELinux boolean value'
property :persistent, [true, false],
default: true,
desired_state: false,
description: 'Set to true for value setting to survive reboot'
load_current_value do |new_resource|
value shell_out!("getsebool #{new_resource.boolean}").stdout.split('-->').map(&:strip).last
end
action_class do
include SELinux::Cookbook::StateHelpers
end
action :set do
if selinux_disabled?
Chef::Log.warn("Unable to set SELinux boolean #{new_resource.name} as SELinux is disabled")
return
end
converge_if_changed do
cmd = 'setsebool'
cmd += ' -P' if new_resource.persistent
cmd += " #{new_resource.boolean} #{new_resource.value}"
shell_out!(cmd)
end
end

132
cookbooks/selinux/resources/fcontext.rb
View File

@ -1,132 +0,0 @@
#
# Cookbook:: selinux
# Resource:: fcontext
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :file_spec, String,
name_property: true,
description: 'Path to or regex matching the files or directoriesto label'
property :secontext, String,
required: %i(add modify manage),
description: 'SELinux context to assign'
property :file_type, String,
default: 'a',
equal_to: %w(a f d c b s l p),
description: 'The type of the file being labeled'
action_class do
include SELinux::Cookbook::StateHelpers
def current_file_context
file_hash = {
'a' => 'all files',
'f' => 'regular file',
'd' => 'directory',
'c' => 'character device',
'b' => 'block device',
's' => 'socket',
'l' => 'symbolic link',
'p' => 'named pipe',
}
contexts = shell_out!('semanage fcontext -l').stdout.split("\n")
# pull out file label from user:role:type:level context string
contexts.grep(/^#{Regexp.escape(new_resource.file_spec)}\s+#{file_hash[new_resource.file_type]}/) do |c|
c.match(/.+ (?<user>.+):(?<role>.+):(?<type>.+):(?<level>.+)$/)[:type]
# match returns ['foo'] or [], shift converts that to 'foo' or nil
end.shift
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
def relabel_files
spec = new_resource.file_spec
escaped = Regexp.escape spec
# find common path between regex and string
common = if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# if path is not absolute, ignore it and search everything
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 | xargs -0 restorecon -iRv")
end
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_fcontext is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
unless current_file_context
converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
end
end
end
# Only modify if fcontext exists & doesn't have the correct label already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
if current_file_context && current_file_context != new_resource.secontext
converge_by "modifying label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
if current_file_context
converge_by "deleting label for #{new_resource.file_spec}" do
shell_out!("semanage fcontext -d -f #{new_resource.file_type} '#{new_resource.file_spec}'")
relabel_files
end
end
end

54
cookbooks/selinux/resources/install.rb
View File

@ -1,54 +0,0 @@
#
# Cookbook:: selinux
# Resource:: install
#
# Copyright:: 2016-2021, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
include SELinux::Cookbook::InstallHelpers
property :packages, [String, Array],
default: lazy { default_install_packages },
description: 'SELinux packages for system'
action_class do
def do_package_action(action)
# friendly message for unsupported platforms
raise "The platform #{node['platform']} is not currently supported by the `selinux_install` resource. Please file an issue at https://github.com/sous-chefs/selinux/issues/new with details on the platform this cookbook is running on." if new_resource.packages.nil?
package 'selinux' do
package_name new_resource.packages
action action
end
end
end
action :install do
do_package_action(action)
directory '/etc/selinux' do
owner 'root'
group 'root'
mode '0755'
action :create
end
end
%i(upgrade remove).each do |a|
action a do
do_package_action(a)
end
end

125
cookbooks/selinux/resources/module.rb
View File

@ -1,125 +0,0 @@
#
# Cookbook:: selinux
# Resource:: module
#
# Copyright:: 2016-2021, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
property :module_name, String,
name_property: true,
description: 'Override the module name'
property :source, String,
description: 'Module source file name'
property :content, String,
description: 'Module source as String'
property :cookbook, String,
default: lazy { cookbook_name },
description: 'Cookbook to source from module source file from'
property :base_dir, String,
default: '/etc/selinux/local',
description: 'Directory to create module source file in'
action_class do
def selinux_module_filepath(type)
path = ::File.join(new_resource.base_dir, "#{new_resource.module_name}")
path.concat(".#{type}") if type
end
def list_installed_modules
shell_out!('semodule --list-modules').stdout.split("\n").map { |x| x.split(/\s/).first }
end
end
action :create do
directory new_resource.base_dir
if property_is_set?(:content)
file selinux_module_filepath('te') do
content new_resource.content
mode '0600'
owner 'root'
group 'root'
action :create
notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
end
else
cookbook_file selinux_module_filepath('te') do
cookbook new_resource.cookbook
source new_resource.source
mode '0600'
owner 'root'
group 'root'
action :create
notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
end
end
execute "Compiling SELinux modules at '#{new_resource.base_dir}'" do
cwd new_resource.base_dir
command "make -C #{new_resource.base_dir} -f /usr/share/selinux/devel/Makefile"
timeout 120
user 'root'
action :nothing
notifies :run, "execute[Install SELinux module '#{selinux_module_filepath('pp')}']", :immediately
end
raise "Compilation must have failed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
execute "Install SELinux module '#{selinux_module_filepath('pp')}'" do
command "semodule --install '#{selinux_module_filepath('pp')}'"
action :nothing
end
end
action :delete do
%w(fc if pp te).each do |type|
next unless ::File.exist?(selinux_module_filepath(type))
file selinux_module_filepath(type) do
action :delete
end
end
end
action :install do
raise "Module must be compiled before it can be installed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
unless list_installed_modules.include? new_resource.module_name
converge_by "Install SELinux module #{selinux_module_filepath('pp')}" do
shell_out!("semodule --install '#{selinux_module_filepath('pp')}'")
end
end
end
action :remove do
if list_installed_modules.include? new_resource.module_name
converge_by "Remove SELinux module #{new_resource.module_name}" do
shell_out!("semodule --remove '#{new_resource.module_name}'")
end
end
end

46
cookbooks/selinux/resources/permissive.rb
View File

@ -1,46 +0,0 @@
#
# Cookbook:: selinux
# Resource:: permissive
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :context, String,
name_property: true,
description: 'The SELinux context to permit'
action_class do
def current_permissives
shell_out!('semanage permissive -ln').stdout.split("\n")
end
end
# Create if doesn't exist, do not touch if permissive is already registered (even under different type)
action :add do
unless current_permissives.include? new_resource.context
converge_by "adding permissive context #{new_resource.context}" do
shell_out!("semanage permissive -a '#{new_resource.context}'")
end
end
end
# Delete if exists
action :delete do
if current_permissives.include? new_resource.context
converge_by "deleting permissive context #{new_resource.context}" do
shell_out!("semanage permissive -d '#{new_resource.context}'")
end
end
end

98
cookbooks/selinux/resources/port.rb
View File

@ -1,98 +0,0 @@
#
# Cookbook:: selinux
# Resource:: port
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :port, [Integer, String],
name_property: true,
regex: /^\d+$/,
description: 'Port to modify'
property :protocol, String,
equal_to: %w(tcp udp),
required: %i(manage add modify),
description: 'Protocol to modify'
property :secontext, String,
required: %i(manage add modify),
description: 'SELinux context to assign to the port'
action_class do
include SELinux::Cookbook::StateHelpers
def current_port_context
# use awk to see if the given port is within a reported port range
shell_out!(
<<~CMD
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
CMD
).stdout.split
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if current_port_context.empty?
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Only modify port if it exists & doesn't have the correct context already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
return
end
unless current_port_context.empty?
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
end
end
end

114
cookbooks/selinux/resources/state.rb
View File

@ -1,114 +0,0 @@
#
# Cookbook:: selinux
# Resource:: state
#
# Copyright:: 2016-2021, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
include SELinux::Cookbook::StateHelpers
default_action :nothing
property :config_file, String,
default: '/etc/selinux/config'
property :persistent, [true, false],
default: true,
description: 'Persist status update to the selinux configuration file'
property :policy, String,
default: lazy { default_policy_platform },
equal_to: %w(default minimum mls src strict targeted),
description: 'SELinux policy type'
property :automatic_reboot, [true, false, Symbol],
default: false,
description: 'Perform an automatic node reboot if required for state change'
deprecated_property_alias 'temporary', 'persistent', 'The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name.'
action_class do
include SELinux::Cookbook::StateHelpers
def render_selinux_template(action)
Chef::Log.warn(
'It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.'
) if selinux_disabled? && action == :enforcing
unless new_resource.automatic_reboot
Chef::Log.warn('Changes from disabled require a reboot.') if selinux_disabled? && %i(enforcing permissive).include?(action)
Chef::Log.warn('Disabling selinux requires a reboot.') if (selinux_enforcing? || selinux_permissive?) && action == :disabled
end
template "#{action} selinux config" do
path new_resource.config_file
source 'selinux.erb'
cookbook 'selinux'
variables(
selinux: action.to_s,
selinuxtype: new_resource.policy
)
end
end
def node_selinux_restart
unless new_resource.automatic_reboot
Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
return
end
outer_action = action
reboot 'selinux_state_change' do
delay_mins 1
reason "SELinux state change to #{outer_action} from #{selinux_state}"
action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
end
end
end
action :enforcing do
execute 'selinux-setenforce-enforcing' do
command '/usr/sbin/setenforce 1'
end unless selinux_disabled? || selinux_enforcing?
execute 'debian-selinux-activate' do
command '/usr/sbin/selinux-activate'
end if selinux_activate_required?
render_selinux_template(action) if new_resource.persistent
node_selinux_restart if state_change_reboot_required?
end
action :permissive do
execute 'selinux-setenforce-permissive' do
command '/usr/sbin/setenforce 0'
end unless selinux_disabled? || selinux_permissive?
execute 'debian-selinux-activate' do
command '/usr/sbin/selinux-activate'
end if selinux_activate_required?
render_selinux_template(action) if new_resource.persistent
node_selinux_restart if state_change_reboot_required?
end
action :disabled do
raise 'A non-persistent change to the disabled SELinux status is not possible.' unless new_resource.persistent
render_selinux_template(action)
node_selinux_restart if state_change_reboot_required?
end

18
cookbooks/selinux/templates/debian/selinux.erb
View File

@ -1,18 +0,0 @@
# Generated by Chef for <%= node['fqdn'] %>
# Do NOT modify this file by hand.
#
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<%= @selinux %>
# SELINUXTYPE= can take one of these three values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=<%= @selinuxtype %>
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

15
cookbooks/selinux/templates/default/selinux.erb
View File

@ -1,15 +0,0 @@
# Generated by Chef for <%= node['fqdn'] %>
# Do NOT modify this file by hand.
#
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<%= @selinux %>
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=<%= @selinuxtype %>

221
cookbooks/selinux_policy/CHANGELOG.md Normal file
View File

@ -0,0 +1,221 @@
# selinux_policy CHANGELOG
This file is used to changes made in each version of the selinux_policy cookbook.
## 2.4.3 (2020-08-07)
- Ship the correct license file since this cookbook was relicensed - [@tas50](https://github.com/tas50)
- Update testing configs - [@tas50](https://github.com/tas50)
- Update the maintainer to be Chef Software - [@tas50](https://github.com/tas50)
## 2.4.2 (2020-08-07)
- Make sure the `setpersist` action runs by default not `set` to match the docs.
## 2.4.1 - 2020-05-14
- resolved cookstyle error: resources/module.rb:26:35 convention: `Layout/TrailingWhitespace`
- resolved cookstyle error: resources/module.rb:26:36 refactor: `ChefModernize/FoodcriticComments`
## [2.4.0] - 2020-02-13
- Fix port_defined helper function for Centos 8 compatibility
- Test fixes
## [2.3.6] - 2020-01-26
- Fix issue on use_selinux function
- Migrate to github actions
- Resolved ChefStyle/ImmediateNotificationTiming: Use :immediately instead of :immediate for resource notification timing notifies
## [2.3.5] - 2019-02-15
- Fix resource failure in permissive.rb Caused by [#96](https://github.com/sous-chefs/selinux_policy/pull/96)
- Migrated testing to circleci
## [2.3.4] - 2019-02-07
- Fix `shell_out` to use an actual shell. Caused by [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
## [2.3.3] - 2019-02-06
- Perform relabel (restorecon) using xargs while still supporting regexes. Fixes [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
## [2.3.2] - 2018-11-29
- Cache which helper method calls
## [2.3.1] - 2018-11-29
- Use `chef/mixin/which` to locate selinux binaries. Fixes [#85](https://github.com/sous-chefs/selinux_policy/issues/85) & [#93](https://github.com/sous-chefs/selinux_policy/issues/93)
## [2.3.0] - 2018-11-27
- Further fixes for the earlier refactoring
- Repair CI jobs
## [2.2.0] - 2018-11-21
- Large refactoring to helpers and resources
- Add RHEL-8 packages
## [2.1.0] - 2018-04-12
- Port definition methods to check for already defined ports
- Cleanup resource cloning
- Deprecate support for Chef 12.x now it's EOL
- Fix Foodcritic warnings & update test platforms
## 2.0.1 - 2017-04-21
- Perform relabel (restorecon) using find to support regexes
## 2.0.0 - 2017-02-23
- This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
- Require Chef 12.1 or later
- Use compat_resource instead of requiring yum
- Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
- Don't define attributes in the metadata as these aren't used
- Remove the Vagrantfile
- Add chef_version requirements to the metadata
- Test with ChefDK / Rake in Travis instead of gems
- Resolve Foodcritic, Cookstyle, and Chefspec warnings
## 1.1.1
- [7307850] (Adam Ward) Silence fcontext guard output
- [ad71437] (nitz) Restorecon is now done via shell_out
- [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
- [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists
## 1.1.0
- [daften] Added `file_type` for fcontext
## 1.0.1
- [backslasher] - Foodcritic and rubocop improvements
## 1.0.0
- [equick] - Validating ports better
- [backslasher] - FContext relabling for flies is now immediate. (Possibly breaking)
- [backslasher] - testing made slightly more elegant
## 0.9.6
- [jhmartin] - Updated README
- [backslasher] - Major revision of testing
## 0.9.5
- [backslasher] - Modified yum dependency
## 0.9.4
- [mhorbul] - Fixed state detection in boolean resource
## 0.9.3
- [backlsasher] - Fixed testing & kitchen
- [jbartko] - Added Fedora support
## 0.9.2
- [backslasher] - Ignoring nonexisting files in restorecon
## 0.9.1
- [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled
## 0.9.0
- [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
- [backslasher] - fcontext overhaul: code refactoring, testing, new action
**Note**: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)
## 0.8.1
- [backslasher] - Added Travis CI harness
- [backslasher] - Fixed typo in README
## 0.8.0
- [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
- [backslasher] - Port search is a function
- [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)
## 0.7.2
- [shortdudey123] - ChefSpec matchers, helps testing
## 0.7.1
- [backslasher] - Forgot contributor
## 0.7.0
- [chewi] - Fixed prereq packages
- [backslasher] - Modified misleading comment
- [chewi] - Move helpers into a cookbook-specific module
- [chewi] - Prevent use_selinux from blowing up on systems without getenforce
## 0.6.5
- [backslasher] - Ubuntu installation warning
## 0.6.4
- [sauraus] - CentOS 7 support
- [sauraus] - Typos
## 0.6.3
- [backslasher] - Readme updates
- [kevans] - Added kitchen testing
## 0.6.2
- [kevans] - Support Chef 11.8.0 running shellout!()
- [backslasher] - Simplified support info
- [backslasher] - ASCIIed files
## 0.6.1
- [backslasher] - Migrated to `only_if` instead of if
- [backslasher] - README typos
## 0.6.0
- [joerg] - Added fcontext resource for managing file contexts under SELinux
## 0.5.0
- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
- **Cookbook will break on RHEL7\. If anyone experiences this, please check required packages and create an issue/PR**
- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
## 0.4.0
- [backlasher] - Fixed foodcritic errors
## 0.3.0
- [backlasher] - Fixed `install.rb` syntax. Now it actually works
## 0.2.0
- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
- [backlasher] - Added permissive resource
## 0.1.0
- [backlasher] - Initial release of selinuxpolicy
[2.3.2]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.1...v2.3.2
[2.3.1]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.0...v2.3.1
[2.3.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.2.0...v2.3.0
[2.2.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.0.1...v2.1.0

4
cookbooks/selinux_policy/CONTRIBUTING.md Normal file
View File

@ -0,0 +1,4 @@
# Contributing
Please refer to
[https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)

209
cookbooks/selinux_policy/README.md Normal file
View File

@ -0,0 +1,209 @@
# selinux_policy Cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/selinux_policy.svg)](https://supermarket.chef.io/cookbooks/selinux_policy)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
This cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.
## Requirements
Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).
### Chef Infra Client
- 13 or later
### Platforms
- rhel
- fedora
## Attributes
These attributes affect the way all of the resource behave.
- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.
## Usage
- `selinux_policy::install` - Installs SELinux policy management tools
This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.
### boolean
Represents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).
Properties:
- `name`: boolean's name. Defaults to resource name.
- `value`: Its new value (`true`/`false`).
- `force`: Use `setsebool` even if the current value agrees with the requested one.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
selinux_policy_boolean 'httpd_can_network_connect' do
value true
# Make sure nginx is started if this value was modified
notifies :start,'service[nginx]', :immediate
end
```
**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.
### port
Allows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.
Actions:
- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.
- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).
- `modify`: Changes the port's context if it's already listed (only uses `-m`).
- `delete`: Removes the port's context if it's listed (uses `-d`).
Properties:
- `port`: The port in question, defaults to resource name.
- `protocol`: `tcp`/`udp`.
- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Allow nginx to bind to port 5678, by giving it the http_port_t context
selinux_policy_port '5678' do
protocol 'tcp'
secontext 'http_port_t'
end
```
### module
Manages SEModules
Actions:
- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior
- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.
- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.
- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.
- `remove`: Removes a module.
Properties:
- `name`: The module name. Defaults to resource name.
- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.
- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.
- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.
- `cookbook`: Modifies the source cookbook for the `remote_directory`.
- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Allow openvpn to write/delete in '/etc/openvpn'
selinux_policy_module 'openvpn-googleauthenticator' do
content <<-eos
module dy-openvpn-googleauthenticator 1.0;
require {
type openvpn_t;
type openvpn_etc_t;
class file { write unlink };
}
#============= openvpn_t ==============
allow openvpn_t openvpn_etc_t:file { write unlink };
eos
action :deploy
end
```
### fcontext
Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.
Actions:
- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.
- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).
- `modify`: Changes the file regexp context if it's already listed (only uses -m).
- `delete`: Removes the file regexp context if it's listed (uses -d).
Properties:
- `file_spec`: This is the file regexp in question, defaults to resource name.
- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`
- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info
- **a** All files
- **f** Regular files
- **d** Directory
- **c** Character device
- **b** Block device
- **s** Socket
- **l** Symbolic link
- **p** Namedpipe
Example usage (see mysql cookbook for example daemons ):
```ruby
include_recipe 'selinux_policy::install'
# Allow http servers (nginx/apache) to modify moodle files
selinux_policy_fcontext '/var/www/moodle(/.*)?' do
secontext 'httpd_sys_rw_content_t'
end
# Allow a custom mysql daemon to access its files.
{'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?",
'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf",
'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?",
'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?",
'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?",
'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f|
selinux_policy_fcontext f do
secontext sc
end
end
# Adapt a symbolic link
selinux_policy_fcontext '/var/www/symlink_to_webroot' do
secontext 'httpd_sys_rw_content_t'
filetype 'l'
end
```
### permissive
Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.
Actions:
- `add`: Adds a permissive, unless it's already added
- `delete`: Deletes a permissive if it's listed
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Disable enforcement on Nginx
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
selinux_policy_permissive 'nginx' do
notifies :restart, 'service[nginx]'
end
```
## Original Author
[Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))

108
cookbooks/selinux_policy/libraries/helpers.rb Normal file
View File

@ -0,0 +1,108 @@
class Chef
module SELinuxPolicy
module Helpers
require 'chef/mixin/shell_out'
include Chef::Mixin::ShellOut
# Checks if SELinux is disabled or otherwise unavailable and
# whether we're allowed to run when disabled
def use_selinux(allow_disabled)
begin
getenforce = shell_out!(getenforce_cmd)
rescue
selinux_disabled = true
else
selinux_disabled = getenforce.stdout =~ /disabled/i
end
# return false only when SELinux is disabled and it's allowed
return_val = !selinux_disabled || !(selinux_disabled && allow_disabled)
Chef::Log.warn('SELinux is disabled / unreachable, skipping') unless return_val
return_val
end
def sebool(new_resource, persist = false)
persist_string = persist ? '-P ' : ''
new_value = new_resource.value ? 'on' : 'off'
execute "selinux-setbool-#{new_resource.name}-#{new_value}" do
command "#{setsebool_cmd} #{persist_string} #{new_resource.name} #{new_value}"
not_if "#{getsebool_cmd} #{new_resource.name} | grep '#{new_value}$' >/dev/null" unless new_resource.force
only_if { use_selinux(new_resource.allow_disabled) }
end
end
def module_defined(name)
"#{semodule_cmd} -l | grep -w '^#{name}'"
end
def shell_boolean(expression)
expression ? 'true' : 'false'
end
def port_defined(protocol, port, label = nil)
base_command = "seinfo --portcon=#{port} | grep 'portcon #{protocol}' | awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'"
grep = if label
"grep -P '#{Regexp.escape(label)}'"
else
'grep -q ^'
end
"#{base_command} | #{grep}"
end
def validate_port(port)
raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
end
def fcontext_defined(file_spec, file_type, label = nil)
file_hash = {
'a' => 'all files',
'f' => 'regular file',
'd' => 'directory',
'c' => 'character device',
'b' => 'block device',
's' => 'socket',
'l' => 'symbolic link',
'p' => 'named pipe',
}
label_matcher = label ? "system_u:object_r:#{Regexp.escape(label)}:s0\\s*$" : ''
"#{semanage_cmd} fcontext -l | grep -qP '^#{Regexp.escape(file_spec)}\\s+#{Regexp.escape(file_hash[file_type])}\\s+#{label_matcher}'"
end
def semanage_options(file_type)
# Set options for file_type
if node['platform_family'].include?('rhel') && Chef::VersionConstraint.new('< 7.0').include?(node['platform_version'])
case file_type
when 'a' then '-f ""'
when 'f' then '-f --'
else; "-f -#{file_type}"
end
else
"-f #{file_type}"
end
end
require 'chef/mixin/which'
include Chef::Mixin::Which
def setsebool_cmd
@setsebool_cmd ||= which('setsebool')
end
def getsebool_cmd
@getsebool_cmd ||= which('getsebool')
end
def getenforce_cmd
@getenforce_cmd ||= which('getenforce')
end
def semanage_cmd
@semanage_cmd ||= which('semanage')
end
def semodule_cmd
@semodule_cmd ||= which('semodule')
end
end
end
end

1
cookbooks/selinux_policy/metadata.json Normal file
View File

@ -0,0 +1 @@
{"name":"selinux_policy","version":"2.4.3","description":"Manages SELinux policy components","long_description":"","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","amazon":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/sous-chefs/selinux_policy","issues_url":"https://github.com/sous-chefs/selinux_policy/issues","chef_version":[[">= 13.0"]],"ohai_version":[]}

16
cookbooks/selinux_policy/metadata.rb Normal file
View File

@ -0,0 +1,16 @@
name 'selinux_policy'
maintainer 'Chef Software, Inc.'
maintainer_email 'cookbooks@chef.io'
license 'Apache-2.0'
description 'Manages SELinux policy components'
source_url 'https://github.com/sous-chefs/selinux_policy'
issues_url 'https://github.com/sous-chefs/selinux_policy/issues'
chef_version '>= 13.0'
version '2.4.3'
supports 'redhat'
supports 'centos'
supports 'fedora'
supports 'ubuntu'
supports 'debian'
supports 'amazon'

1
cookbooks/selinux_policy/recipes/default.rb Normal file
View File

@ -0,0 +1 @@
# Nothing here

1
cookbooks/selinux_policy/recipes/install.rb Normal file
View File

@ -0,0 +1 @@
selinux_policy_install 'install'

19
cookbooks/selinux_policy/resources/boolean.rb Normal file
View File

@ -0,0 +1,19 @@
# A resource for managing SELinux Booleans
property :value, [true, false]
property :force, [true, false], default: false
property :allow_disabled, [true, false], default: true
# Set and persist
action :setpersist do
sebool(new_resource, true)
end
# Set for now, without persisting
action :set do
sebool(new_resource, false)
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

71
cookbooks/selinux_policy/resources/fcontext.rb Normal file
View File

@ -0,0 +1,71 @@
# Manages file specs in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :file_spec, String, name_property: true
property :secontext, String
property :file_type, String, default: 'a', equal_to: %w(a f d c b s l p)
property :allow_disabled, [true, false], default: true
action :addormodify do
run_action(:add)
run_action(:modify)
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
action :relabel do
converge_by 'relabel' do
spec = new_resource.file_spec
escaped = Regexp.escape spec
common =
if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# Just in case the spec is very weird...
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 2>/dev/null | xargs -0 restorecon -iRv")
end
end
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
execute "selinux-fcontext-#{new_resource.secontext}-add" do
command "#{semanage_cmd} fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
# Delete if exists
action :delete do
execute "selinux-fcontext-#{new_resource.secontext}-delete" do
command "#{semanage_cmd} fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
action :modify do
execute "selinux-fcontext-#{new_resource.secontext}-modify" do
command "#{semanage_cmd} fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
only_if { use_selinux(new_resource.allow_disabled) }
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
notifies :relabel, new_resource, :immediately
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
include Chef::Mixin::Which
end

32
cookbooks/selinux_policy/resources/install.rb Normal file
View File

@ -0,0 +1,32 @@
property :allow_disabled, [true, false], default: true
action :install do
case node['platform_family']
when 'debian'
raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if platform?('ubuntu')
execute 'selinux-activate' do
action :nothing
end
package %w(selinux-policy-default selinux-basics auditd) do
notifies :run, 'execute[selinux-activate]', :immediately
end
when 'rhel'
case node['platform_version'].to_i
when 6
package %w(policycoreutils-python selinux-policy setools-console make)
when 7
package %w(policycoreutils-python selinux-policy-devel setools-console make)
when 8
package %w(policycoreutils-python-utils selinux-policy-devel setools-console make)
else
raise 'Unknown version of RHEL/derivative, cannot determine required package names'
end
when 'fedora'
package %w(policycoreutils-python selinux-policy-devel setools-console make)
else
raise 'Unknown distro, cannot determine required package names'
end
end

75
cookbooks/selinux_policy/resources/module.rb Normal file
View File

@ -0,0 +1,75 @@
# A resource for managing SE modules
property :module_name, String, name_property: true
property :force, [true, false], default: false
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" } # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
# Content options:
property :content, String # provide a 'te' file directly. Optional
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
property :cookbook, String # Related to directory
property :allow_disabled, [true, false], default: true
action :deploy do
run_action(:fetch)
run_action(:compile)
run_action(:install)
end
# Get all the components in the right place
action :fetch do
directory new_resource.directory do
only_if { use_selinux(new_resource.allow_disabled) }
end
raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
if new_resource.directory_source
remote_directory new_resource.directory do
source new_resource.directory_source
cookbook new_resource.cookbook
only_if { use_selinux(new_resource.allow_disabled) }
end
end
if new_resource.content
file "#{new_resource.directory}/#{new_resource.module_name}.te" do
content new_resource.content
only_if { use_selinux(new_resource.allow_disabled) }
end
end
end
action :compile do
make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
execute "semodule-compile-#{new_resource.module_name}" do
command make_command
not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
only_if { use_selinux(new_resource.allow_disabled) }
cwd new_resource.directory
end
end
# deploy / upgrade module
# XXX this looks ugly because CentOS 6.X doesn't support extracting
# SELinux modules from the current policy, which I planned on comparing
# to my compiled file. I'll be happy to see anything else (that works).
action :install do
filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
execute "semodule-install-#{new_resource.module_name}" do
command "#{semodule_cmd} -i #{filename}"
only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :remove do
execute "semodule-remove-#{new_resource.module_name}" do
command "#{semodule_cmd} -r #{new_resource.module_name}"
only_if module_defined(new_resource.module_name)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

25
cookbooks/selinux_policy/resources/permissive.rb Normal file
View File

@ -0,0 +1,25 @@
# a resource for managing selinux permissive contexts
property :allow_disabled, [true, false], default: true
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
execute "selinux-permissive-#{new_resource.name}-add" do
command "#{semanage_cmd} permissive -a '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
execute "selinux-port-#{new_resource.name}-delete" do
command "#{semanage_cmd} permissive -d '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

50
cookbooks/selinux_policy/resources/port.rb Normal file
View File

@ -0,0 +1,50 @@
# Manages a port assignment in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :port, [Integer, String], name_property: true
property :protocol, String, equal_to: %w(tcp udp)
property :secontext, String
property :allow_disabled, [true, false], default: true
action :addormodify do
# TODO: We can be a bit more clever here, and try to detect if it's already
# there then modify
# Try to add new port
run_action(:add)
# Try to modify existing port
run_action(:modify)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-add" do
command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
not_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-delete" do
command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :modify do
execute "selinux-port-#{new_resource.port}-modify" do
command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end

15
nodes/bitcoin-2.json
View File

@ -13,7 +13,8 @@
"ipaddress": "192.168.122.148",
"roles": [
"btcpay",
"postgresql_client"
"postgresql_client",
"redis_local"
],
"recipes": [
"kosmos-base",
@ -26,8 +27,9 @@
"kosmos-bitcoin::dotnet",
"kosmos-bitcoin::nbxplorer",
"kosmos-bitcoin::btcpay",
"tor-full",
"tor-full::default",
"redisio",
"redisio::default",
"redisio::enable",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
@ -62,6 +64,11 @@
"nginx::commons_script",
"nginx::commons_conf",
"kosmos-nginx::firewall",
"redisio::_install_prereqs",
"redisio::install",
"ulimit::default",
"redisio::disable_os_default",
"redisio::configure",
"kosmos-base::letsencrypt"
],
"platform": "ubuntu",
@ -85,6 +92,6 @@
"recipe[kosmos-bitcoin::lnd]",
"recipe[kosmos-bitcoin::rtl]",
"role[btcpay]",
"recipe[tor-full]"
"role[redis_local]"
]
}

8
roles/redis_local.rb Normal file
View File

@ -0,0 +1,8 @@
name "redis_local"
run_list %w(
redisio::default
redisio::enable
)
default_attributes({})