Use older Redis cookbook, install on bitcoin-2

2021-11-16 14:11:42 -06:00
parent 18f65c4fc5
commit 4b9183d78d
59 changed files with 886 additions and 1639 deletions

@@ -0,0 +1,221 @@
# selinux_policy CHANGELOG
This file is used to changes made in each version of the selinux_policy cookbook.
## 2.4.3 (2020-08-07)
- Ship the correct license file since this cookbook was relicensed - [@tas50](https://github.com/tas50)
- Update testing configs - [@tas50](https://github.com/tas50)
- Update the maintainer to be Chef Software - [@tas50](https://github.com/tas50)
## 2.4.2 (2020-08-07)
- Make sure the `setpersist` action runs by default not `set` to match the docs.
## 2.4.1 - 2020-05-14
- resolved cookstyle error: resources/module.rb:26:35 convention: `Layout/TrailingWhitespace`
- resolved cookstyle error: resources/module.rb:26:36 refactor: `ChefModernize/FoodcriticComments`
## [2.4.0] - 2020-02-13
- Fix port_defined helper function for Centos 8 compatibility
- Test fixes
## [2.3.6] - 2020-01-26
- Fix issue on use_selinux function
- Migrate to github actions
- Resolved ChefStyle/ImmediateNotificationTiming: Use :immediately instead of :immediate for resource notification timing notifies
## [2.3.5] - 2019-02-15
- Fix resource failure in permissive.rb Caused by [#96](https://github.com/sous-chefs/selinux_policy/pull/96)
- Migrated testing to circleci
## [2.3.4] - 2019-02-07
- Fix `shell_out` to use an actual shell. Caused by [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
## [2.3.3] - 2019-02-06
- Perform relabel (restorecon) using xargs while still supporting regexes. Fixes [#88](https://github.com/sous-chefs/selinux_policy/issues/88)
## [2.3.2] - 2018-11-29
- Cache which helper method calls
## [2.3.1] - 2018-11-29
- Use `chef/mixin/which` to locate selinux binaries. Fixes [#85](https://github.com/sous-chefs/selinux_policy/issues/85) & [#93](https://github.com/sous-chefs/selinux_policy/issues/93)
## [2.3.0] - 2018-11-27
- Further fixes for the earlier refactoring
- Repair CI jobs
## [2.2.0] - 2018-11-21
- Large refactoring to helpers and resources
- Add RHEL-8 packages
## [2.1.0] - 2018-04-12
- Port definition methods to check for already defined ports
- Cleanup resource cloning
- Deprecate support for Chef 12.x now it's EOL
- Fix Foodcritic warnings & update test platforms
## 2.0.1 - 2017-04-21
- Perform relabel (restorecon) using find to support regexes
## 2.0.0 - 2017-02-23
- This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
- Require Chef 12.1 or later
- Use compat_resource instead of requiring yum
- Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
- Don't define attributes in the metadata as these aren't used
- Remove the Vagrantfile
- Add chef_version requirements to the metadata
- Test with ChefDK / Rake in Travis instead of gems
- Resolve Foodcritic, Cookstyle, and Chefspec warnings
## 1.1.1
- [7307850] (Adam Ward) Silence fcontext guard output
- [ad71437] (nitz) Restorecon is now done via shell_out
- [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
- [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists
## 1.1.0
- [daften] Added `file_type` for fcontext
## 1.0.1
- [backslasher] - Foodcritic and rubocop improvements
## 1.0.0
- [equick] - Validating ports better
- [backslasher] - FContext relabling for flies is now immediate. (Possibly breaking)
- [backslasher] - testing made slightly more elegant
## 0.9.6
- [jhmartin] - Updated README
- [backslasher] - Major revision of testing
## 0.9.5
- [backslasher] - Modified yum dependency
## 0.9.4
- [mhorbul] - Fixed state detection in boolean resource
## 0.9.3
- [backlsasher] - Fixed testing & kitchen
- [jbartko] - Added Fedora support
## 0.9.2
- [backslasher] - Ignoring nonexisting files in restorecon
## 0.9.1
- [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled
## 0.9.0
- [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
- [backslasher] - fcontext overhaul: code refactoring, testing, new action
**Note**: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)
## 0.8.1
- [backslasher] - Added Travis CI harness
- [backslasher] - Fixed typo in README
## 0.8.0
- [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
- [backslasher] - Port search is a function
- [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)
## 0.7.2
- [shortdudey123] - ChefSpec matchers, helps testing
## 0.7.1
- [backslasher] - Forgot contributor
## 0.7.0
- [chewi] - Fixed prereq packages
- [backslasher] - Modified misleading comment
- [chewi] - Move helpers into a cookbook-specific module
- [chewi] - Prevent use_selinux from blowing up on systems without getenforce
## 0.6.5
- [backslasher] - Ubuntu installation warning
## 0.6.4
- [sauraus] - CentOS 7 support
- [sauraus] - Typos
## 0.6.3
- [backslasher] - Readme updates
- [kevans] - Added kitchen testing
## 0.6.2
- [kevans] - Support Chef 11.8.0 running shellout!()
- [backslasher] - Simplified support info
- [backslasher] - ASCIIed files
## 0.6.1
- [backslasher] - Migrated to `only_if` instead of if
- [backslasher] - README typos
## 0.6.0
- [joerg] - Added fcontext resource for managing file contexts under SELinux
## 0.5.0
- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
- **Cookbook will break on RHEL7\. If anyone experiences this, please check required packages and create an issue/PR**
- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
## 0.4.0
- [backlasher] - Fixed foodcritic errors
## 0.3.0
- [backlasher] - Fixed `install.rb` syntax. Now it actually works
## 0.2.0
- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
- [backlasher] - Added permissive resource
## 0.1.0
- [backlasher] - Initial release of selinuxpolicy
[2.3.2]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.1...v2.3.2
[2.3.1]: https://github.com/sous-chefs/selinux_policy/compare/v2.3.0...v2.3.1
[2.3.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.2.0...v2.3.0
[2.2.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/sous-chefs/selinux_policy/compare/v2.0.1...v2.1.0
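Review bot: the bracketed headings `## [2.4.0]`, `## [2.3.6]`, `## [2.3.5]`, `## [2.3.4]` and `## [2.3.3]` have no matching link definitions; only `[2.3.2]` through `[2.1.0]` are defined at the bottom of the file, so those five headings render with literal square brackets instead of as compare links. Either add the missing `[x.y.z]: https://github.com/sous-chefs/selinux_policy/compare/...` lines or drop the brackets to match the unbracketed `## 2.4.3` style used at the top.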

@@ -0,0 +1,4 @@
# Contributing
Please refer to
[https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)

@@ -0,0 +1,209 @@
# selinux_policy Cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/selinux_policy.svg)](https://supermarket.chef.io/cookbooks/selinux_policy)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
This cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.
## Requirements
Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).
### Chef Infra Client
- 13 or later
### Platforms
- rhel
- fedora
## Attributes
These attributes affect the way all of the resource behave.
- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.
## Usage
- `selinux_policy::install` - Installs SELinux policy management tools
This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.
### boolean
Represents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).
Properties:
- `name`: boolean's name. Defaults to resource name.
- `value`: Its new value (`true`/`false`).
- `force`: Use `setsebool` even if the current value agrees with the requested one.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
selinux_policy_boolean 'httpd_can_network_connect' do
value true
# Make sure nginx is started if this value was modified
notifies :start,'service[nginx]', :immediate
end
```
**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.
### port
Allows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.
Actions:
- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.
- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).
- `modify`: Changes the port's context if it's already listed (only uses `-m`).
- `delete`: Removes the port's context if it's listed (uses `-d`).
Properties:
- `port`: The port in question, defaults to resource name.
- `protocol`: `tcp`/`udp`.
- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Allow nginx to bind to port 5678, by giving it the http_port_t context
selinux_policy_port '5678' do
protocol 'tcp'
secontext 'http_port_t'
end
```
### module
Manages SEModules
Actions:
- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior
- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.
- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.
- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.
- `remove`: Removes a module.
Properties:
- `name`: The module name. Defaults to resource name.
- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.
- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.
- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.
- `cookbook`: Modifies the source cookbook for the `remote_directory`.
- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Allow openvpn to write/delete in '/etc/openvpn'
selinux_policy_module 'openvpn-googleauthenticator' do
content <<-eos
module dy-openvpn-googleauthenticator 1.0;
require {
type openvpn_t;
type openvpn_etc_t;
class file { write unlink };
}
#============= openvpn_t ==============
allow openvpn_t openvpn_etc_t:file { write unlink };
eos
action :deploy
end
```
### fcontext
Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.
Actions:
- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.
- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).
- `modify`: Changes the file regexp context if it's already listed (only uses -m).
- `delete`: Removes the file regexp context if it's listed (uses -d).
Properties:
- `file_spec`: This is the file regexp in question, defaults to resource name.
- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`
- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info
- **a** All files
- **f** Regular files
- **d** Directory
- **c** Character device
- **b** Block device
- **s** Socket
- **l** Symbolic link
- **p** Namedpipe
Example usage (see mysql cookbook for example daemons ):
```ruby
include_recipe 'selinux_policy::install'
# Allow http servers (nginx/apache) to modify moodle files
selinux_policy_fcontext '/var/www/moodle(/.*)?' do
secontext 'httpd_sys_rw_content_t'
end
# Allow a custom mysql daemon to access its files.
{'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?",
'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf",
'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?",
'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?",
'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?",
'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f|
selinux_policy_fcontext f do
secontext sc
end
end
# Adapt a symbolic link
selinux_policy_fcontext '/var/www/symlink_to_webroot' do
secontext 'httpd_sys_rw_content_t'
filetype 'l'
end
```
### permissive
Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.
Actions:
- `add`: Adds a permissive, unless it's already added
- `delete`: Deletes a permissive if it's listed
Example usage:
```ruby
include_recipe 'selinux_policy::install'
# Disable enforcement on Nginx
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
selinux_policy_permissive 'nginx' do
notifies :restart, 'service[nginx]'
end
```
## Original Author
[Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))
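Review bot: the last fcontext example (`filetype 'l'`) uses a property the resource does not define; the property is `file_type` (see the property list above and the resource file), so this example fails with an undefined method error at compile time. Change it to `file_type 'l'`. Two smaller points in the same section: the hash in the mysql example repeats the key `'mysqld_etc_t'`, so Ruby keeps only the second mapping and the `/etc/mysql-#{service_name}(/.*)?` entry is silently dropped (keying the hash by file spec, e.g. `"/etc/mysql-#{service_name}(/.*)?" => 'mysqld_etc_t'`, avoids this), and the boolean example still notifies with `:immediate`, which the 2.3.6 changelog entry says was replaced by `:immediately`.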

@@ -0,0 +1,108 @@
class Chef
module SELinuxPolicy
module Helpers
require 'chef/mixin/shell_out'
include Chef::Mixin::ShellOut
# Checks if SELinux is disabled or otherwise unavailable and
# whether we're allowed to run when disabled
def use_selinux(allow_disabled)
begin
getenforce = shell_out!(getenforce_cmd)
rescue
selinux_disabled = true
else
selinux_disabled = getenforce.stdout =~ /disabled/i
end
# return false only when SELinux is disabled and it's allowed
return_val = !selinux_disabled || !(selinux_disabled && allow_disabled)
Chef::Log.warn('SELinux is disabled / unreachable, skipping') unless return_val
return_val
end
def sebool(new_resource, persist = false)
persist_string = persist ? '-P ' : ''
new_value = new_resource.value ? 'on' : 'off'
execute "selinux-setbool-#{new_resource.name}-#{new_value}" do
command "#{setsebool_cmd} #{persist_string} #{new_resource.name} #{new_value}"
not_if "#{getsebool_cmd} #{new_resource.name} | grep '#{new_value}$' >/dev/null" unless new_resource.force
only_if { use_selinux(new_resource.allow_disabled) }
end
end
def module_defined(name)
"#{semodule_cmd} -l | grep -w '^#{name}'"
end
def shell_boolean(expression)
expression ? 'true' : 'false'
end
def port_defined(protocol, port, label = nil)
base_command = "seinfo --portcon=#{port} | grep 'portcon #{protocol}' | awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'"
grep = if label
"grep -P '#{Regexp.escape(label)}'"
else
'grep -q ^'
end
"#{base_command} | #{grep}"
end
def validate_port(port)
raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
end
def fcontext_defined(file_spec, file_type, label = nil)
file_hash = {
'a' => 'all files',
'f' => 'regular file',
'd' => 'directory',
'c' => 'character device',
'b' => 'block device',
's' => 'socket',
'l' => 'symbolic link',
'p' => 'named pipe',
}
label_matcher = label ? "system_u:object_r:#{Regexp.escape(label)}:s0\\s*$" : ''
"#{semanage_cmd} fcontext -l | grep -qP '^#{Regexp.escape(file_spec)}\\s+#{Regexp.escape(file_hash[file_type])}\\s+#{label_matcher}'"
end
def semanage_options(file_type)
# Set options for file_type
if node['platform_family'].include?('rhel') && Chef::VersionConstraint.new('< 7.0').include?(node['platform_version'])
case file_type
when 'a' then '-f ""'
when 'f' then '-f --'
else; "-f -#{file_type}"
end
else
"-f #{file_type}"
end
end
require 'chef/mixin/which'
include Chef::Mixin::Which
def setsebool_cmd
@setsebool_cmd ||= which('setsebool')
end
def getsebool_cmd
@getsebool_cmd ||= which('getsebool')
end
def getenforce_cmd
@getenforce_cmd ||= which('getenforce')
end
def semanage_cmd
@semanage_cmd ||= which('semanage')
end
def semodule_cmd
@semodule_cmd ||= which('semodule')
end
end
end
end
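Review bot: resource properties are interpolated into shell pipelines without shell quoting in `sebool`, `module_defined`, `port_defined` and `fcontext_defined`; `Regexp.escape` protects the grep pattern but not the shell, so a `name`, `file_spec` or `label` containing a single quote or other shell metacharacters breaks the guard command or changes what it runs. Use `Shellwords.escape` (the `shellescape` already used in the fcontext resource's relabel action) on each interpolated value, e.g. `not_if "#{getsebool_cmd} #{new_resource.name.shellescape} | grep '#{new_value}$' >/dev/null"`. Also, `use_selinux` uses a bare `rescue`, which swallows any StandardError (e.g. when the `getenforce` binary is not installed at all) and reports it as "disabled"; rescuing `Mixlib::ShellOut::ShellCommandFailed` and `Errno::ENOENT` explicitly would keep genuine errors visible instead of silently skipping every SELinux resource.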

@@ -0,0 +1 @@
{"name":"selinux_policy","version":"2.4.3","description":"Manages SELinux policy components","long_description":"","maintainer":"Chef Software, Inc.","maintainer_email":"cookbooks@chef.io","license":"Apache-2.0","platforms":{"redhat":">= 0.0.0","centos":">= 0.0.0","fedora":">= 0.0.0","ubuntu":">= 0.0.0","debian":">= 0.0.0","amazon":">= 0.0.0"},"dependencies":{},"recommendations":{},"suggestions":{},"conflicting":{},"providing":{},"replacing":{},"attributes":{},"groupings":{},"recipes":{},"source_url":"https://github.com/sous-chefs/selinux_policy","issues_url":"https://github.com/sous-chefs/selinux_policy/issues","chef_version":[[">= 13.0"]],"ohai_version":[]}

@@ -0,0 +1,16 @@
name 'selinux_policy'
maintainer 'Chef Software, Inc.'
maintainer_email 'cookbooks@chef.io'
license 'Apache-2.0'
description 'Manages SELinux policy components'
source_url 'https://github.com/sous-chefs/selinux_policy'
issues_url 'https://github.com/sous-chefs/selinux_policy/issues'
chef_version '>= 13.0'
version '2.4.3'
supports 'redhat'
supports 'centos'
supports 'fedora'
supports 'ubuntu'
supports 'debian'
supports 'amazon'
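Review bot: `supports 'ubuntu'` and `supports 'debian'` are declared here (and in metadata.json), but the README's Platforms list names only rhel and fedora, and the install resource's debian branch raises immediately on Ubuntu. Either drop the unsupported platforms from the metadata or document the Debian path and the Ubuntu limitation in the README so wrapper-cookbook authors are not misled.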

@@ -0,0 +1 @@
# Nothing here

@@ -0,0 +1 @@
selinux_policy_install 'install'

@@ -0,0 +1,19 @@
# A resource for managing SELinux Booleans
property :value, [true, false]
property :force, [true, false], default: false
property :allow_disabled, [true, false], default: true
# Set and persist
action :setpersist do
sebool(new_resource, true)
end
# Set for now, without persisting
action :set do
sebool(new_resource, false)
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
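Review bot: `property :value, [true, false]` has neither a default nor `required: true`, so a `selinux_policy_boolean` with no `value` passes `nil` to `sebool`, where `new_resource.value ? 'on' : 'off'` turns it into `off` and silently disables the boolean. Mark it `required: true` so an omitted value fails at compile time instead of flipping the boolean off.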

@@ -0,0 +1,71 @@
# Manages file specs in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :file_spec, String, name_property: true
property :secontext, String
property :file_type, String, default: 'a', equal_to: %w(a f d c b s l p)
property :allow_disabled, [true, false], default: true
action :addormodify do
run_action(:add)
run_action(:modify)
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
action :relabel do
converge_by 'relabel' do
spec = new_resource.file_spec
escaped = Regexp.escape spec
common =
if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# Just in case the spec is very weird...
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 2>/dev/null | xargs -0 restorecon -iRv")
end
end
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
execute "selinux-fcontext-#{new_resource.secontext}-add" do
command "#{semanage_cmd} fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
# Delete if exists
action :delete do
execute "selinux-fcontext-#{new_resource.secontext}-delete" do
command "#{semanage_cmd} fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
action :modify do
execute "selinux-fcontext-#{new_resource.secontext}-modify" do
command "#{semanage_cmd} fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
only_if { use_selinux(new_resource.allow_disabled) }
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
notifies :relabel, new_resource, :immediately
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
include Chef::Mixin::Which
end
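Review bot: in the `:add`, `:delete` and `:modify` actions `new_resource.file_spec` is wrapped in single quotes inside the `command` string (e.g. `-t #{new_resource.secontext} '#{new_resource.file_spec}'`), which breaks on any spec containing a single quote and gives no protection against other shell metacharacters; the `:relabel` action already uses `spec.shellescape`, so use the same here and for `secontext`. Also, the `execute` resource names are keyed on `secontext` only (`selinux-fcontext-#{new_resource.secontext}-add`), so in `:delete`, where the README says `secontext` is optional, the name collapses to `selinux-fcontext--delete`; keying on `file_spec` would give distinct, readable names in the run log.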

@@ -0,0 +1,32 @@
property :allow_disabled, [true, false], default: true
action :install do
case node['platform_family']
when 'debian'
raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if platform?('ubuntu')
execute 'selinux-activate' do
action :nothing
end
package %w(selinux-policy-default selinux-basics auditd) do
notifies :run, 'execute[selinux-activate]', :immediately
end
when 'rhel'
case node['platform_version'].to_i
when 6
package %w(policycoreutils-python selinux-policy setools-console make)
when 7
package %w(policycoreutils-python selinux-policy-devel setools-console make)
when 8
package %w(policycoreutils-python-utils selinux-policy-devel setools-console make)
else
raise 'Unknown version of RHEL/derivative, cannot determine required package names'
end
when 'fedora'
package %w(policycoreutils-python selinux-policy-devel setools-console make)
else
raise 'Unknown distro, cannot determine required package names'
end
end
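Review bot: the fedora branch installs `policycoreutils-python` while the RHEL 8 branch installs `policycoreutils-python-utils`; current Fedora releases ship `semanage` in the latter package, so please verify the Fedora package list against the release this cookbook targets. Also, the debian branch notifies `execute[selinux-activate]` immediately after the package install; `selinux-activate` changes the boot configuration and the policy only takes effect after a reboot and relabel, which the resource neither performs nor logs, so at least a `Chef::Log.warn` after the activate step would help operators.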

@@ -0,0 +1,75 @@
# A resource for managing SE modules
property :module_name, String, name_property: true
property :force, [true, false], default: false
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" } # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
# Content options:
property :content, String # provide a 'te' file directly. Optional
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
property :cookbook, String # Related to directory
property :allow_disabled, [true, false], default: true
action :deploy do
run_action(:fetch)
run_action(:compile)
run_action(:install)
end
# Get all the components in the right place
action :fetch do
directory new_resource.directory do
only_if { use_selinux(new_resource.allow_disabled) }
end
raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
if new_resource.directory_source
remote_directory new_resource.directory do
source new_resource.directory_source
cookbook new_resource.cookbook
only_if { use_selinux(new_resource.allow_disabled) }
end
end
if new_resource.content
file "#{new_resource.directory}/#{new_resource.module_name}.te" do
content new_resource.content
only_if { use_selinux(new_resource.allow_disabled) }
end
end
end
action :compile do
make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
execute "semodule-compile-#{new_resource.module_name}" do
command make_command
not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
only_if { use_selinux(new_resource.allow_disabled) }
cwd new_resource.directory
end
end
# deploy / upgrade module
# XXX this looks ugly because CentOS 6.X doesn't support extracting
# SELinux modules from the current policy, which I planned on comparing
# to my compiled file. I'll be happy to see anything else (that works).
action :install do
filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
execute "semodule-install-#{new_resource.module_name}" do
command "#{semodule_cmd} -i #(unknown)"
only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :remove do
execute "semodule-remove-#{new_resource.module_name}" do
command "#{semodule_cmd} -r #{new_resource.module_name}"
only_if module_defined(new_resource.module_name)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
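Review bot: the `:install` action's command is `"#{semodule_cmd} -i #(unknown)"`, so `semodule -i` is handed the literal text `#(unknown)` (most likely a mangled `#{filename}`) instead of the `filename` computed on the line above, which is otherwise unused; the module can never install. It should read `command "#{semodule_cmd} -i #{filename.shellescape}"`. Also, the `raise 'dont specify both directory_source and content'` check in `:fetch` runs after the `directory` resource has already been declared; moving it to the top of the action (or into a property validation) keeps a misconfigured resource from creating the directory before failing.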

@@ -0,0 +1,25 @@
# a resource for managing selinux permissive contexts
property :allow_disabled, [true, false], default: true
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
execute "selinux-permissive-#{new_resource.name}-add" do
command "#{semanage_cmd} permissive -a '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
execute "selinux-port-#{new_resource.name}-delete" do
command "#{semanage_cmd} permissive -d '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
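Review bot: the `:delete` action's guard is inverted: `not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"` skips the delete exactly when the permissive domain is listed and runs `semanage permissive -d` when it is not, so the action can never remove an existing permissive domain and fails on a missing one. It should be `only_if` (compare the port resource's `:delete`, which uses `only_if port_defined(...)`). Two copy-paste leftovers in the same file: the delete resource is named `selinux-port-#{new_resource.name}-delete` and the comment above `:add` talks about a port; both should say permissive.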

@@ -0,0 +1,50 @@
# Manages a port assignment in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :port, [Integer, String], name_property: true
property :protocol, String, equal_to: %w(tcp udp)
property :secontext, String
property :allow_disabled, [true, false], default: true
action :addormodify do
# TODO: We can be a bit more clever here, and try to detect if it's already
# there then modify
# Try to add new port
run_action(:add)
# Try to modify existing port
run_action(:modify)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-add" do
command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
not_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-delete" do
command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :modify do
execute "selinux-port-#{new_resource.port}-modify" do
command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
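Review bot: `validate_port` is called in `:add` and `:delete` but not in `:modify`, so `addormodify` validates only on the add path and a direct `:modify` with a malformed port reaches `semanage port -m` unchecked; call it at the top of `:modify` as well. `protocol` and `secontext` also lack `required: true`, so a resource missing either emits `-p ` or `-t ` with an empty argument. Minor: in `:add` the first guard `not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)` is subsumed by the second `not_if port_defined(new_resource.protocol, new_resource.port)`, which already skips whenever the port is listed under any context, so the first can be dropped.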