Use older Redis cookbook, install on bitcoin-2

This commit is contained in:
2021-11-16 14:11:42 -06:00
parent 18f65c4fc5
commit 4b9183d78d
59 changed files with 886 additions and 1639 deletions


@@ -0,0 +1,19 @@
# A resource for managing SELinux Booleans
property :value, [true, false]
property :force, [true, false], default: false
property :allow_disabled, [true, false], default: true
# Set and persist
action :setpersist do
sebool(new_resource, true)
end
# Set for now, without persisting
action :set do
sebool(new_resource, false)
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
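Review bot: `property :value, [true, false]` has neither a default nor `required: true`, so a `selinux_policy_boolean` declared without a value hands `nil` through `sebool(new_resource, …)` in both `:setpersist` and `:set`; `sebool` lives in a helper outside this hunk, so what it does with a nil value cannot be confirmed here. Declaring it `property :value, [true, false], required: true` makes the omission fail at compile time with a clear message instead of inside the helper. `force` and `allow_disabled` are likewise only consumed by the helper, so a one-line comment on each saying what it controls (e.g. `# allow_disabled: skip silently when SELinux is disabled on the node`) would help readers of this file.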


@@ -0,0 +1,71 @@
# Manages file specs in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :file_spec, String, name_property: true
property :secontext, String
property :file_type, String, default: 'a', equal_to: %w(a f d c b s l p)
property :allow_disabled, [true, false], default: true
action :addormodify do
run_action(:add)
run_action(:modify)
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
action :relabel do
converge_by 'relabel' do
spec = new_resource.file_spec
escaped = Regexp.escape spec
common =
if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# Just in case the spec is very weird...
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 2>/dev/null | xargs -0 restorecon -iRv")
end
end
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
execute "selinux-fcontext-#{new_resource.secontext}-add" do
command "#{semanage_cmd} fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
# Delete if exists
action :delete do
execute "selinux-fcontext-#{new_resource.secontext}-delete" do
command "#{semanage_cmd} fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
notifies :relabel, new_resource, :immediately
end
end
action :modify do
execute "selinux-fcontext-#{new_resource.secontext}-modify" do
command "#{semanage_cmd} fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
only_if { use_selinux(new_resource.allow_disabled) }
only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
not_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
notifies :relabel, new_resource, :immediately
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
include Chef::Mixin::Which
end
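Review bot: The `:add`, `:modify` and `:delete` commands interpolate `file_spec` inside single quotes and `secontext` bare, e.g. `-t #{new_resource.secontext} '#{new_resource.file_spec}'`, so a spec containing a `'` (or a context containing whitespace) breaks out of the quoting and the remainder is interpreted by the shell; the `:relabel` action in the same file already passes the same value through `shellescape`. Using the same form in the three commands, e.g. `-t #{new_resource.secontext.shellescape} #{new_resource.file_spec.shellescape}`, closes the gap and keeps the actions consistent. The `execute` resource names key on `secontext` only, so two fcontext resources mapping different specs to the same type yield identically named `execute` resources in one run, which makes notifications and log output ambiguous; naming them by `file_spec` (`"selinux-fcontext-#{new_resource.file_spec}-add"`) avoids that. The `2>/dev/null` on the `find` pipeline in `:relabel` also hides `find` errors other than the readdir race it is guarding against, which is worth a comment if intentional.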


@@ -0,0 +1,32 @@
property :allow_disabled, [true, false], default: true
action :install do
case node['platform_family']
when 'debian'
raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if platform?('ubuntu')
execute 'selinux-activate' do
action :nothing
end
package %w(selinux-policy-default selinux-basics auditd) do
notifies :run, 'execute[selinux-activate]', :immediately
end
when 'rhel'
case node['platform_version'].to_i
when 6
package %w(policycoreutils-python selinux-policy setools-console make)
when 7
package %w(policycoreutils-python selinux-policy-devel setools-console make)
when 8
package %w(policycoreutils-python-utils selinux-policy-devel setools-console make)
else
raise 'Unknown version of RHEL/derivative, cannot determine required package names'
end
when 'fedora'
package %w(policycoreutils-python selinux-policy-devel setools-console make)
else
raise 'Unknown distro, cannot determine required package names'
end
end
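Review bot: `allow_disabled` is declared on the first line of this file but the `:install` action never reads it, unlike every other resource in this commit, which gates its work with `only_if { use_selinux(new_resource.allow_disabled) }`; if that is deliberate because the tooling cannot be queried before it is installed, a comment on the property saying so (`# unused here: the SELinux tools are what this action installs`) stops the next reader from wiring it in. On the Debian branch the package install immediately notifies `execute 'selinux-activate'`, which presumably changes boot configuration, and I would expect the node to need a reboot and relabel before SELinux is actually enforcing; that deserves a comment above the `execute`, e.g. `# selinux-activate only takes effect after a reboot and relabel; this resource does not reboot`. The `rhel` branch raises for any major version other than 6–8, so newer derivatives will fail with "Unknown version" rather than degrade, which is fine but worth a note in the raise message naming the versions that are supported.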


@@ -0,0 +1,75 @@
# A resource for managing SE modules
property :module_name, String, name_property: true
property :force, [true, false], default: false
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" } # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
# Content options:
property :content, String # provide a 'te' file directly. Optional
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
property :cookbook, String # Related to directory
property :allow_disabled, [true, false], default: true
action :deploy do
run_action(:fetch)
run_action(:compile)
run_action(:install)
end
# Get all the components in the right place
action :fetch do
directory new_resource.directory do
only_if { use_selinux(new_resource.allow_disabled) }
end
raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
if new_resource.directory_source
remote_directory new_resource.directory do
source new_resource.directory_source
cookbook new_resource.cookbook
only_if { use_selinux(new_resource.allow_disabled) }
end
end
if new_resource.content
file "#{new_resource.directory}/#{new_resource.module_name}.te" do
content new_resource.content
only_if { use_selinux(new_resource.allow_disabled) }
end
end
end
action :compile do
make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
execute "semodule-compile-#{new_resource.module_name}" do
command make_command
not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
only_if { use_selinux(new_resource.allow_disabled) }
cwd new_resource.directory
end
end
# deploy / upgrade module
# XXX this looks ugly because CentOS 6.X doesn't support extracting
# SELinux modules from the current policy, which I planned on comparing
# to my compiled file. I'll be happy to see anything else (that works).
action :install do
filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
execute "semodule-install-#{new_resource.module_name}" do
command "#{semodule_cmd} -i #(unknown)"
only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :remove do
execute "semodule-remove-#{new_resource.module_name}" do
command "#{semodule_cmd} -r #{new_resource.module_name}"
only_if module_defined(new_resource.module_name)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
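Review bot: In `:install` the command on the `execute "semodule-install-…"` line reads `command "#{semodule_cmd} -i #(unknown)"` as rendered, so the `filename` computed two lines earlier is never used and `semodule -i` receives a literal `#(unknown)` argument; if this is a rendering artefact of the page it is harmless, but if it is in the cookbook the module is never installed. The intended line is presumably `command "#{semodule_cmd} -i #{filename}"`. Separately, `module_name` is interpolated unescaped into the `make` command in `:compile`, into the `semodule -r` command in `:remove` and into the `.te` path in `:fetch`, and nothing restricts it to a safe character set; a `validate` on the property or `.shellescape` at the call sites would be cheap insurance since the result runs as root. The `XXX` comment above `:install` explains why `updated_by_last_action?` is used instead of comparing the compiled module against the loaded policy, which is useful and should stay.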


@@ -0,0 +1,25 @@
# a resource for managing selinux permissive contexts
property :allow_disabled, [true, false], default: true
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
execute "selinux-permissive-#{new_resource.name}-add" do
command "#{semanage_cmd} permissive -a '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
execute "selinux-port-#{new_resource.name}-delete" do
command "#{semanage_cmd} permissive -d '#{new_resource.name}'"
not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
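Review bot: The guard on the `:delete` action is inverted: `not_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"` makes `semanage permissive -d` run only when the domain is not listed, so an existing permissive domain — which exempts that domain from enforcement — is never removed by this resource, and the delete is attempted on exactly the runs where there is nothing to delete. It should be `only_if "#{semanage_cmd} permissive -l | grep '^#{new_resource.name}$'"`, the mirror of the `not_if` in `:add`. The resource name on the same action, `"selinux-port-#{new_resource.name}-delete"`, looks copy-pasted from the port resource and should read `"selinux-permissive-#{new_resource.name}-delete"`. `name` is also interpolated into the grep pattern and into single quotes unescaped, so a `.` in a type name acts as a wildcard; `grep -Fxq` with the escaped name would make the match exact.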


@@ -0,0 +1,50 @@
# Manages a port assignment in SELinux
# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
property :port, [Integer, String], name_property: true
property :protocol, String, equal_to: %w(tcp udp)
property :secontext, String
property :allow_disabled, [true, false], default: true
action :addormodify do
# TODO: We can be a bit more clever here, and try to detect if it's already
# there then modify
# Try to add new port
run_action(:add)
# Try to modify existing port
run_action(:modify)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-add" do
command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
not_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
# Delete if exists
action :delete do
validate_port(new_resource.port)
execute "selinux-port-#{new_resource.port}-delete" do
command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action :modify do
execute "selinux-port-#{new_resource.port}-modify" do
command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
only_if port_defined(new_resource.protocol, new_resource.port)
not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
only_if { use_selinux(new_resource.allow_disabled) }
end
end
action_class do
include Chef::SELinuxPolicy::Helpers
end
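Review bot: `:modify` omits the `validate_port(new_resource.port)` call that `:add` and `:delete` both make before building their commands, so a malformed `port` reaches `semanage port -m` unchecked through the second step of `:addormodify`; add `validate_port(new_resource.port)` as the first line of `:modify`. `secontext` is needed by `:add` and `:modify` but is declared without `required: true` and interpolated bare into the command, so a nil or whitespace-containing value produces a broken `semanage` invocation rather than a clear error; `property :secontext, String, required: true` plus `.shellescape` at the two call sites would tighten both. The TODO in `:addormodify` appears stale: the `port_defined` guards already make `:add` run only when the port is absent and `:modify` only when it is present under a different type, so the two steps are mutually exclusive as written.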