Set up Redis using the latest version of redisio

This replaces the deprecated redis cookbook. Compiles the latest version
of Redis, currently 7.0.11

Refs #488
This commit is contained in:
Greg Karékinian
2023-06-19 16:02:58 +02:00
parent b164d7a444
commit 6116729907
119 changed files with 2568 additions and 7343 deletions


@@ -0,0 +1,5 @@
config:
ul-indent: false # MD007
line-length: false # MD013
no-duplicate-heading: false # MD024
reference-links-images: false # MD052


@@ -0,0 +1,263 @@
# selinux Cookbook CHANGELOG
This file is used to list changes made in each version of the selinux cookbook.
## 6.1.12 - *2023-05-17*
## 6.1.11 - *2023-04-17*
## 6.1.10 - *2023-04-07*
Standardise files with files in sous-chefs/repo-management
## 6.1.9 - *2023-04-01*
## 6.1.8 - *2023-04-01*
## 6.1.7 - *2023-04-01*
Standardise files with files in sous-chefs/repo-management
## 6.1.6 - *2023-03-20*
Standardise files with files in sous-chefs/repo-management
## 6.1.5 - *2023-03-15*
Standardise files with files in sous-chefs/repo-management
## 6.1.4 - *2023-02-23*
Standardise files with files in sous-chefs/repo-management
## 6.1.3 - *2023-02-15*
## 6.1.2 - *2023-02-14*
Standardise files with files in sous-chefs/repo-management
## 6.1.1 - *2023-02-03*
- Updated selinux_port documentation
## 6.1.0 - *2023-01-18*
- resolved cookstyle error: resources/install.rb:5:1 refactor: `Chef/Style/CopyrightCommentFormat`
- resolved cookstyle error: resources/module.rb:5:1 refactor: `Chef/Style/CopyrightCommentFormat`
- resolved cookstyle error: resources/state.rb:5:1 refactor: `Chef/Style/CopyrightCommentFormat`
- Standardise files with files in sous-chefs/repo-management
- Add `selinux_login` resource
- Add `selinux_user` resource
## 6.0.7 - *2022-11-01*
- Fix CentOS 6 package requirements
- Fix Chef 18 compatibility
## 6.0.6 - *2022-09-28*
- Add missing `policycoreutils-python` package
- Include additional platforms and suites for testing
- Run `apt_update` in `selinux_install` on Debian-based systems
- Fix SELinux enablement on Ubuntu 18.04
## 6.0.5 - *2022-09-18*
- Standardise files with files in sous-chefs/repo-management
- Add testing for Debian 11, Alma Linux and Rocky Linux
- Remove testing for CentOS 8 (prefer Stream instead)
- Update Github CI config
## 6.0.4 - *2022-02-17*
- Standardise files with files in sous-chefs/repo-management
## 6.0.3 - *2022-02-08*
- Remove delivery folder
## 6.0.2 - *2022-01-01*
- resolved cookstyle error: resources/install.rb:5:1 refactor: `Chef/Style/CopyrightCommentFormat`
- resolved cookstyle error: resources/module.rb:5:1 refactor: `Chef/Style/CopyrightCommentFormat`
- resolved cookstyle error: resources/state.rb:5:1 refactor: `Chef/Style/CopyrightCommentFormat`
## 6.0.1 - *2021-11-03*
- Correctly parse ports with multple contexts
## 6.0.0 - *2021-09-02*
- Import `selinux_policy` resources into this cookbook (`_fcontext`, `_permissive`, and `_port`)
- `selinux_policy_module` not imported since it is a duplicate of `selinux_module`
### Deprecations
- `selinux_fcontext` action `addormodify` renamed to `manage`
- `selinux_port` action `addormodify` renamed to `manage`
## 5.1.1 - *2021-08-30*
- Standardise files with files in sous-chefs/repo-management
## 5.1.0 - *2021-08-21*
- Fix `selinux_install` on Alma Linux / Oracle Linux
## 5.0.0 - *2021-08-10*
### Note: With version 5.0.0 the default recipe has been removed
- Major refactoring
- Restore support for Debian based distros
- All resources now use unified_mode
- Added selinux_boolean resource
- Remove attributes and default recipe
- Replaced with a set of bare recipes for the three selinux states
- Add automatic restart function to `selinux_state` resource
## 4.0.0 - *2021-07-21*
- Sous Chefs adoption
- Enable `unified_mode` for Chef 17 compatibility
- Update test platforms
## 3.1.1 (2020-09-29)
- Move `default['selinux']['status']` attribute to `default['selinux']['state']` to avoid conflicts with Ohai in Chef Infra Client 16 - [@shoekstra](https://github.com/shoekstra)
## 3.1.0 (2020-09-29)
- Cookstyle Bot Auto Corrections with Cookstyle 6.16.8 - [@cookstyle](https://github.com/cookstyle)
- Add a new `node['selinux']['install_mcstrans_package']` attribute to control installation of the mcdtrans package. This default to true to maintain existing functionality. - [@kapilchouhan99](https://github.com/kapilchouhan99)
## 3.0.2 (2020-08-25)
- Fix failures in CI- [@shoekstra](https://github.com/shoekstra)
- Specify platform to SoloRunner - [@shoekstra](https://github.com/shoekstra)
- Remove unnecessary Foodcritic comments - [@tas50](https://github.com/tas50)
- Notify :immediately not :immediate - [@tas50](https://github.com/tas50)
- Add Github actions testing of style/unit - [@tas50](https://github.com/tas50)
- [GH-67] - Do not try to modify frozen checksum - [@vzDevelopment](https://github.com/vzDevelopment)
- Standardise files with files in chef-cookbooks/repo-management - [@xorimabot](https://github.com/xorimabot)
## 3.0.1 (2019-11-14)
- Remove the deprecated ChefSpec report - [@tas50](https://github.com/tas50)
- Allow "-" and "_" for module names - [@ramereth](https://github.com/ramereth)
- Update Fedora versions we test on - [@tas50](https://github.com/tas50)
## 3.0.0 (2019-06-06)
- Support for SELinux Modules, via new resource `selinux_module`, able to compile `.te` files, install and remove modules;
- Improving test coverage for all resources
- Remove support for Ubuntu/Debian
- Require Chef 13+
## 2.1.1 (2018-06-07)
- Do not execute setenforce 1 always
- Remove chefspec matchers that are autogenerated now
- Chef 13 Fixes
## 2.1.0 (2017-09-15)
- Simplify Travis config and fix ChefDK 2.0 failures
- Use bento slugs in Kitchen
- Remove maintainer files
- More cleanup of the maintainer files
- Speed up install with multi-package install
## 2.0.3 (2017-06-13)
- Fix boolean check within default recipe
## 2.0.2 (2017-06-05)
- Permissive guard should grep for permissive not just disabled
## 2.0.1 (2017-05-30)
- Remove class_eval usage
## 2.0.0 (2017-05-15)
- Deprecate debian family support
- Make default for rhel family use setenforce regardless of whether a temporary change or not. Eliminates the requirement for a required reboot to effect change in the running system.
## 1.0.4 (2017-04-17)
- Switch to local delivery for testing
- Use the standard apache license string
- Updates for early Chef 12 and Chef 13 compatibility
- Update and add copyright blocks to the various files
## 1.0.3 (2017-03-14)
- Fix requirement in metadata to reflect need for Chef 12.7 as using action_class in state resource.
## 1.0.2 (2017-03-01)
- Remove setools* packages from install resource (utility to analyze and query policies, monitor and report audit logs, and manage file context). Future versions of this cookbook that might use this need to handle package install on Oracle Linux as not available in default repo.
## 1.0.1 (2017-02-26)
- Fix logic error in the permissive state change
## 1.0.0 (2017-02-26)
- **BREAKING CHANGE** `node['selinux']['state']` is now `node['selinux']['status']` to meet Chef 13 requirements.
- Update to current cookbook engineering standards
- Rewrite LWRP to 12.5 resources
- Resolved cookstyle errors
- Update package information for debian based on <https://debian-handbook.info/browse/stable/sect.selinux.html>
- selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected.
- Add property temporary to allow for switching between permissive and enabled
- Add install resource
## v0.9.0 (2015-02-22)
- Initial Debian / Ubuntu support
- Various bug fixes
## v0.8.0 (2014-04-23)
- [COOK-4528] - Fix selinux directory permissions
- [COOK-4562] - Basic support for Ubuntu/Debian
## v0.7.2 (2014-03-24)
handling minimal installs
## v0.7.0 (2014-02-27)
[COOK-4218] Support setting SELinux boolean values
## v0.6.2
- Fixing bug introduced in 0.6.0
- adding basic test-kitchen coverage
## v0.6.0
- [COOK-760] - selinux enforce/permit/disable based on attribute
## v0.5.6
- [COOK-2124] - enforcing recipe fails if selinux is disabled
## v0.5.4
- [COOK-1277] - disabled recipe fails on systems w/o selinux installed
## v0.5.2
- [COOK-789] - fix dangling commas causing syntax error on some rubies
## v0.5.0
- [COOK-678] - add the selinux cookbook to the repository
- Use main selinux config file (/etc/selinux/config)
- Use getenforce instead of selinuxenabled for enforcing and permissive
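Review bot: this hunk and the LICENSE, README, chefignore and metadata hunks below copy the sous-chefs selinux cookbook at version 6.1.12 straight into cookbooks/ (see the cookbooks/selinux/LICENSE path), but nothing in the commit records that it is a vendored third-party cookbook or pins the upstream version; the commit message only mentions redisio and #488. Add the upstream source and version to the commit message, or better a Berksfile/Policyfile entry, so that future upstream fixes to the cookbook can be tracked instead of silently diverging.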

cookbooks/selinux/LICENSE Normal file

@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@@ -0,0 +1,83 @@
# SELinux Cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/selnux.svg)](https://supermarket.chef.io/cookbooks/selinux)
[![CI State](https://github.com/sous-chefs/selinux/workflows/ci/badge.svg)](https://github.com/sous-chefs/selinux/actions?query=workflow%3Aci)
[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
## Description
The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state.
SELinux can have one of three settings:
`Enforcing`
- Watches all system access checks, stops all 'Denied access'
- Default mode on RHEL systems
`Permissive`
- Allows access but reports violations
`Disabled`
- Disables SELinux from the system but is only read at boot time. If you set this flag, you must reboot.
Disable SELinux only if you plan to not use it. Use `Permissive` mode if you just need to debug your system.
## Requirements
- Chef 15.3 or higher
## Platform
- RHEL 7+
- CentOS 7+
- Fedora
- Ubuntu
- Debian
## Resources
The following resources are provided:
- [selinux_boolean](documentation/selinux_boolean.md)
- [selinux_fcontext](documentation/selinux_fcontext.md)
- [selinux_install](documentation/selinux_install.md)
- [selinux_login](documentation/selinux_login.md)
- [selinux_module](documentation/selinux_module.md)
- [selinux_permissive](documentation/selinux_permissive.md)
- [selinux_port](documentation/selinux_port.md)
- [selinux_state](documentation/selinux_state.md)
- [selinux_user](documentation/selinux_user.md)
## Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If youd like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
## Contributors
This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
### Backers
Thank you to all our backers!
![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
### Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)
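Review bot: the Cookbook Version badge on the first line of the README points at `https://img.shields.io/cookbook/v/selnux.svg` (missing the "i" in selinux), so it will render as a broken image; the link target `supermarket.chef.io/cookbooks/selinux` is correct. The Maintainers paragraph also has "youd" for "you'd". Since this README is upstream content being vendored, fix both upstream rather than editing the copy here.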


@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen*.yml
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile


@@ -0,0 +1,17 @@
module SELinux
module Cookbook
module BooleanHelpers
def selinux_bool(bool)
if ['on', 'true', '1', true, 1].include?(bool)
'on'
elsif ['off', 'false', '0', false, 0].include?(bool)
'off'
else
raise ArgumentError, "selinux_bool: Invalid selinux boolean value #{bool}"
end
end
module_function :selinux_bool
end
end
end


@@ -0,0 +1,33 @@
module SELinux
module Cookbook
module InstallHelpers
def default_install_packages
case node['platform_family']
when 'rhel'
case node['platform_version'].to_i
when 6
%w(make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
when 7
%w(make policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
else
%w(make policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
end
when 'amazon'
%w(make policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
when 'fedora'
%w(make policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console)
when 'debian'
if node['platform'] == 'ubuntu'
if node['platform_version'].to_f == 18.04
%w(make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
else
%w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
end
else
%w(make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools)
end
end
end
end
end
end
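Review bot: the outer `case node['platform_family']` in `default_install_packages` has no `else`, so on any platform family not listed (the metadata only declares rhel, amazon, fedora and debian families) the helper returns `nil` and whatever consumes the package list fails with an unhelpful error later; add an `else` that raises with the platform family in the message. Minor style point: the `when 'debian'` branch repeats the same package list twice (the non-18.04 Ubuntu case and the plain Debian case differ only by the `selinux` package), so a single list with `<< 'selinux'` for 18.04 would be easier to audit.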


@@ -0,0 +1,60 @@
module SELinux
module Cookbook
module StateHelpers
def selinux_disabled?
selinux_state.eql?(:disabled)
end
def selinux_enforcing?
selinux_state.eql?(:enforcing)
end
def selinux_permissive?
selinux_state.eql?(:permissive)
end
def state_change_reboot_required?
(selinux_disabled? && %i(enforcing permissive).include?(action)) ||
((selinux_enforcing? || selinux_permissive?) && action == :disabled) ||
(selinux_activate_required? && %i(enforcing permissive).include?(action))
end
def selinux_state
state = shell_out!('getenforce').stdout.strip.downcase.to_sym
raise "Got unknown SELinux state #{state}" unless %i(disabled enforcing permissive).include?(state)
state
end
def selinux_activate_required?
return false unless platform_family?('debian')
sestatus = shell_out!('sestatus -v').stdout.strip
# Ensure we're booted up to a system which has selinux activated and filesystem is properly labeled
if File.read('/proc/cmdline').match?('security=selinux') && sestatus.match?(%r{/usr/sbin/sshd.*sshd_exec_t})
false
else
true
end
end
def selinux_activate_cmd
# selinux-activate is semi-broken on Ubuntu 18.04 however this method does work
if platform?('ubuntu') && node['platform_version'] == '18.04'
'touch /.autorelabel'
else
'/usr/sbin/selinux-activate'
end
end
def default_policy_platform
case node['platform_family']
when 'rhel', 'fedora', 'amazon'
'targeted'
when 'debian'
'default'
end
end
end
end
end
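Review bot: `selinux_activate_required?` decides that activation is needed unless `sestatus -v` output contains `/usr/sbin/sshd.*sshd_exec_t`, i.e. it depends on an sshd process being present and labeled; on a Debian-family host where sshd is not installed or not running (build images, containers, hosts managed another way) the check returns `true` on every run, and `state_change_reboot_required?` then requests activation and a reboot each converge. Either check the filesystem label directly (for example the context of a well-known path) or make the sentinel process configurable, and document the assumption in the comment above the `if`. Also note the inconsistent version comparison between `node['platform_version'] == '18.04'` here and `.to_f == 18.04` in the install helper; pick one form.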


@@ -0,0 +1,43 @@
{
"name": "selinux",
"description": "Manages SELinux policy state and rules.",
"long_description": "",
"maintainer": "Sous Chefs",
"maintainer_email": "help@sous-chefs.org",
"license": "Apache-2.0",
"platforms": {
"redhat": ">= 0.0.0",
"centos": ">= 0.0.0",
"scientific": ">= 0.0.0",
"oracle": ">= 0.0.0",
"amazon": ">= 0.0.0",
"fedora": ">= 0.0.0",
"debian": ">= 0.0.0",
"ubuntu": ">= 0.0.0"
},
"dependencies": {
},
"providing": {
},
"recipes": {
},
"version": "6.1.12",
"source_url": "https://github.com/sous-chefs/selinux",
"issues_url": "https://github.com/sous-chefs/selinux/issues",
"privacy": false,
"chef_versions": [
[
">= 15.3"
]
],
"ohai_versions": [
],
"gems": [
],
"eager_load_libraries": true
}


@@ -0,0 +1,13 @@
name 'selinux'
maintainer 'Sous Chefs'
maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Manages SELinux policy state and rules.'
version '6.1.12'
source_url 'https://github.com/sous-chefs/selinux'
issues_url 'https://github.com/sous-chefs/selinux/issues'
chef_version '>= 15.3'
%w(redhat centos scientific oracle amazon fedora debian ubuntu).each do |os|
supports os
end


@@ -0,0 +1,23 @@
#
# Cookbook:: selinux
# Recipe:: disabled
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
selinux_install 'selinux'
selinux_state 'disabled' do
automatic_reboot true
action :disabled
end
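Review bot: this recipe combines `action :disabled` with `automatic_reboot true`, so including it in a run list both turns SELinux off (a change the README above says only takes effect at boot) and reboots the node during the converge. Since this commit is about redis, confirm that no role or wrapper in this repository includes `selinux::disabled`; if only `enforcing` or `permissive` are wanted, consider not shipping the `disabled` recipe at all so it cannot be picked up by accident.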


@@ -0,0 +1,24 @@
#
# Cookbook:: selinux
# Recipe:: enforcing
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
selinux_install 'selinux'
selinux_state 'enforcing' do
automatic_reboot true
action :enforcing
end


@@ -0,0 +1,23 @@
#
# Cookbook:: selinux
# Recipe:: permissive
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
selinux_install 'selinux'
selinux_state 'permissive' do
automatic_reboot true
action :permissive
end


@@ -0,0 +1,17 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base"],
"packageRules": [{
"groupName": "Actions",
"matchUpdateTypes": ["patch", "pin", "digest"],
"automerge": true,
"addLabels": ["Release: Patch", "Skip: Announcements"]
},
{
"groupName": "Actions",
"matchUpdateTypes": ["major"],
"automerge": false,
"addLabels": ["Release: Patch", "Skip: Announcements"]
}
]
}
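Review bot: both `packageRules` entries carry `"addLabels": ["Release: Patch", "Skip: Announcements"]`, including the second rule that matches `"matchUpdateTypes": ["major"]`, so a major action bump would be labeled as a patch release; the major rule should use a `Release: Major` (or similar) label, and the two rules also share `"groupName": "Actions"`, which is confusing when they have different automerge policies.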


@@ -0,0 +1,56 @@
#
# Cookbook:: selinux
# Resource:: boolean
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :boolean, String,
name_property: true,
description: 'SELinux boolean to set'
property :value, [Integer, String, true, false],
required: true,
equal_to: %w(on off),
coerce: proc { |p| ::SELinux::Cookbook::BooleanHelpers.selinux_bool(p) },
description: 'SELinux boolean value'
property :persistent, [true, false],
default: true,
desired_state: false,
description: 'Set to true for value setting to survive reboot'
load_current_value do |new_resource|
value shell_out!("getsebool #{new_resource.boolean}").stdout.split('-->').map(&:strip).last
end
action_class do
include ::SELinux::Cookbook::StateHelpers
end
action :set do
if selinux_disabled?
Chef::Log.warn("Unable to set SELinux boolean #{new_resource.name} as SELinux is disabled")
return
end
converge_if_changed do
cmd = 'setsebool'
cmd += ' -P' if new_resource.persistent
cmd += " #{new_resource.boolean} #{new_resource.value}"
shell_out!(cmd)
end
end
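Review bot: `load_current_value` runs before the action body, and `getsebool` exits non-zero when SELinux is disabled, so `shell_out!("getsebool ...")` raises before the `selinux_disabled?` guard in `action :set` is ever reached; use the non-raising `shell_out` there and call `current_value_does_not_exist!` on a non-zero exit. Separately, `new_resource.boolean` is interpolated unescaped into both the `getsebool` and `setsebool` command strings; passing the arguments as an array (`shell_out!('setsebool', '-P', new_resource.boolean, new_resource.value)`) avoids the shell entirely.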

View File

@@ -0,0 +1,132 @@
#
# Cookbook:: selinux
# Resource:: fcontext
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :file_spec, String,
name_property: true,
description: 'Path to or regex matching the files or directoriesto label'
property :secontext, String,
required: %i(add modify manage),
description: 'SELinux context to assign'
property :file_type, String,
default: 'a',
equal_to: %w(a f d c b s l p),
description: 'The type of the file being labeled'
action_class do
include ::SELinux::Cookbook::StateHelpers
def current_file_context
file_hash = {
'a' => 'all files',
'f' => 'regular file',
'd' => 'directory',
'c' => 'character device',
'b' => 'block device',
's' => 'socket',
'l' => 'symbolic link',
'p' => 'named pipe',
}
contexts = shell_out!('semanage fcontext -l').stdout.split("\n")
# pull out file label from user:role:type:level context string
contexts.grep(/^#{Regexp.escape(new_resource.file_spec)}\s+#{file_hash[new_resource.file_type]}/) do |c|
c.match(/.+ (?<user>.+):(?<role>.+):(?<type>.+):(?<level>.+)$/)[:type]
# match returns ['foo'] or [], shift converts that to 'foo' or nil
end.shift
end
# Run restorecon to fix label
# https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
def relabel_files
spec = new_resource.file_spec
escaped = Regexp.escape spec
# find common path between regex and string
common = if spec == escaped
spec
else
index = spec.size.times { |i| break i if spec[i] != escaped[i] }
::File.dirname spec[0...index]
end
# if path is not absolute, ignore it and search everything
common = '/' if common[0] != '/'
if ::File.exist? common
shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 | xargs -0 restorecon -iRv")
end
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_fcontext is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if fcontext is already registered
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
unless current_file_context
converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
end
end
end
# Only modify if fcontext exists & doesn't have the correct label already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
if current_file_context && current_file_context != new_resource.secontext
converge_by "modifying label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux fcontext #{new_resource.name} as SELinux is disabled")
return
end
if current_file_context
converge_by "deleting label for #{new_resource.file_spec}" do
shell_out!("semanage fcontext -d -f #{new_resource.file_type} '#{new_resource.file_spec}'")
relabel_files
end
end
end
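Review bot: the condition in `action :modify` calls `current_file_context` twice, and each call shells out to `semanage fcontext -l`, which is slow on a populated policy store; capture the result in a local before comparing. The `semanage fcontext -a/-m/-d` command strings wrap `file_spec` in single quotes but leave `secontext` bare, while `relabel_files` already uses `shellescape`; apply `shellescape` (or array-form `shell_out!`) to both so a spec containing a quote cannot break the command. Typo in the `file_spec` description: `directoriesto`.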

View File

@@ -0,0 +1,56 @@
#
# Cookbook:: selinux
# Resource:: install
#
# Copyright:: 2016-2023, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
include ::SELinux::Cookbook::InstallHelpers
property :packages, [String, Array],
default: lazy { default_install_packages },
description: 'SELinux packages for system'
action_class do
def do_package_action(action)
# friendly message for unsupported platforms
raise "The platform #{node['platform']} is not currently supported by the `selinux_install` resource. Please file an issue at https://github.com/sous-chefs/selinux/issues/new with details on the platform this cookbook is running on." if new_resource.packages.nil?
apt_update 'selinux' if platform_family?('debian')
package 'selinux' do
package_name new_resource.packages
action action
end
end
end
action :install do
do_package_action(action)
directory '/etc/selinux' do
owner 'root'
group 'root'
mode '0755'
action :create
end
end
%i(upgrade remove).each do |a|
action a do
do_package_action(a)
end
end
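Review bot: `do_package_action` only raises when `packages` is `nil`, but the property also accepts an Array, so a user-supplied `packages []` passes the check and declares a `package` resource with no names; tighten the guard to `Array(new_resource.packages).empty?`. The `/etc/selinux` directory is only ensured in `:install`, not in `:upgrade`, which is fine as long as that is intended.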

View File

@@ -0,0 +1,88 @@
#
# Cookbook:: selinux
# Resource:: login
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :login, String,
name_property: true,
description: 'OS user login'
property :user, String,
description: 'SELinux user'
property :range, String,
description: 'MLS/MCS security range for the login'
load_current_value do |new_resource|
logins = shell_out!('semanage login -l').stdout.split("\n")
current_login = logins.grep(/^#{Regexp.escape(new_resource.login)}\s+/) do |l|
l.match(/^(?<login>[^\s]+)\s+(?<user>[^\s]+)\s+(?<range>[^\s]+)/)
# match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
end.shift
current_value_does_not_exist! unless current_login
# Existing resources should maintain their current configuration unless otherwise specified
new_resource.user ||= current_login[:user]
new_resource.range ||= current_login[:range]
user current_login[:user]
range current_login[:range]
end
action_class do
def semanage_login_args
args = ''
args += " -s #{new_resource.user}" if new_resource.user
args += " -r #{new_resource.range}" if new_resource.range
args
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :add do
raise 'The user property must be populated to create a new SELinux login' unless new_resource.user
unless current_resource
converge_if_changed do
shell_out!("semanage login -a#{semanage_login_args} #{new_resource.login}")
end
end
end
action :modify do
if current_resource
converge_if_changed do
shell_out!("semanage login -m#{semanage_login_args} #{new_resource.login}")
end
end
end
action :delete do
if current_resource
converge_by "deleting SELinux login #{new_resource.login}" do
shell_out!("semanage login -d #{new_resource.login}")
end
end
end

View File

@@ -0,0 +1,125 @@
#
# Cookbook:: selinux
# Resource:: module
#
# Copyright:: 2016-2023, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
property :module_name, String,
name_property: true,
description: 'Override the module name'
property :source, String,
description: 'Module source file name'
property :content, String,
description: 'Module source as String'
property :cookbook, String,
default: lazy { cookbook_name },
description: 'Cookbook to source from module source file from'
property :base_dir, String,
default: '/etc/selinux/local',
description: 'Directory to create module source file in'
action_class do
def selinux_module_filepath(type)
path = ::File.join(new_resource.base_dir, "#{new_resource.module_name}")
path.concat(".#{type}") if type
end
def list_installed_modules
shell_out!('semodule --list-modules').stdout.split("\n").map { |x| x.split(/\s/).first }
end
end
action :create do
directory new_resource.base_dir
if property_is_set?(:content)
file selinux_module_filepath('te') do
content new_resource.content
mode '0600'
owner 'root'
group 'root'
action :create
notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
end
else
cookbook_file selinux_module_filepath('te') do
cookbook new_resource.cookbook
source new_resource.source
mode '0600'
owner 'root'
group 'root'
action :create
notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
end
end
execute "Compiling SELinux modules at '#{new_resource.base_dir}'" do
cwd new_resource.base_dir
command "make -C #{new_resource.base_dir} -f /usr/share/selinux/devel/Makefile"
timeout 120
user 'root'
action :nothing
notifies :run, "execute[Install SELinux module '#{selinux_module_filepath('pp')}']", :immediately
end
raise "Compilation must have failed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
execute "Install SELinux module '#{selinux_module_filepath('pp')}'" do
command "semodule --install '#{selinux_module_filepath('pp')}'"
action :nothing
end
end
action :delete do
%w(fc if pp te).each do |type|
next unless ::File.exist?(selinux_module_filepath(type))
file selinux_module_filepath(type) do
action :delete
end
end
end
action :install do
raise "Module must be compiled before it can be installed, no 'pp' file found at: '#{selinux_module_filepath('pp')}'" unless ::File.exist?(selinux_module_filepath('pp'))
unless list_installed_modules.include? new_resource.module_name
converge_by "Install SELinux module #{selinux_module_filepath('pp')}" do
shell_out!("semodule --install '#{selinux_module_filepath('pp')}'")
end
end
end
action :remove do
if list_installed_modules.include? new_resource.module_name
converge_by "Remove SELinux module #{new_resource.module_name}" do
shell_out!("semodule --remove '#{new_resource.module_name}'")
end
end
end
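Review bot: `selinux_module_filepath` returns `nil` when `type` is falsy, because `path.concat(".#{type}") if type` is the method's last expression; finish the method with `path` (the `"#{new_resource.module_name}"` interpolation on the line above is also redundant). In `action :create` the unconditional `raise` on a missing `.pp` fires even when the `.te` source did not change, so a `.pp` removed out of band yields a 'Compilation must have failed' error instead of a recompile; either trigger the compile `execute` when the `.pp` is absent or move the existence check into the install step.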

View File

@@ -0,0 +1,46 @@
#
# Cookbook:: selinux
# Resource:: permissive
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :context, String,
name_property: true,
description: 'The SELinux context to permit'
action_class do
def current_permissives
shell_out!('semanage permissive -ln').stdout.split("\n")
end
end
# Create if doesn't exist, do not touch if permissive is already registered (even under different type)
action :add do
unless current_permissives.include? new_resource.context
converge_by "adding permissive context #{new_resource.context}" do
shell_out!("semanage permissive -a '#{new_resource.context}'")
end
end
end
# Delete if exists
action :delete do
if current_permissives.include? new_resource.context
converge_by "deleting permissive context #{new_resource.context}" do
shell_out!("semanage permissive -d '#{new_resource.context}'")
end
end
end
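Review bot: unlike `selinux_fcontext` and `selinux_port` in this change, `:add` and `:delete` here carry no `selinux_disabled?` guard (`StateHelpers` is not included in the `action_class`), so the `semanage permissive` calls run whatever the SELinux state; include the helper and guard for consistency. `new_resource.context` is interpolated inside single quotes into the command string; `shellescape` is the safer form.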

View File

@@ -0,0 +1,98 @@
#
# Cookbook:: selinux
# Resource:: port
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :port, [Integer, String],
name_property: true,
regex: /^\d+$/,
description: 'Port to modify'
property :protocol, String,
equal_to: %w(tcp udp),
required: %i(manage add modify),
description: 'Protocol to modify'
property :secontext, String,
required: %i(manage add modify),
description: 'SELinux context to assign to the port'
action_class do
include ::SELinux::Cookbook::StateHelpers
def current_port_context
# use awk to see if the given port is within a reported port range
shell_out!(
<<~CMD
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
CMD
).stdout.split
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if current_port_context.empty?
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Only modify port if it exists & doesn't have the correct context already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
return
end
unless current_port_context.empty?
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
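Review bot: the `port` property is validated with `regex: /^\d+$/`, but in Ruby `^` and `$` anchor at line boundaries, so a multi-line String such as `"80\nextra"` passes validation and is then interpolated bare into the `semanage port` commands; use `/\A\d+\z/` (or accept Integer only). `current_port_context` relies on `seinfo` from setools, which nothing in this resource declares as a dependency; document it or fall back to `semanage port -l`. The awk clause `$(NF-3) !~ /[0-9]*-[0-9]*/` matches any hyphen because both `*` may be empty; it works for excluding range lines, but `/[0-9]+-[0-9]+/` states the intent.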

View File

@@ -0,0 +1,114 @@
#
# Cookbook:: selinux
# Resource:: state
#
# Copyright:: 2016-2023, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
unified_mode true
include ::SELinux::Cookbook::StateHelpers
default_action :nothing
property :config_file, String,
default: '/etc/selinux/config'
property :persistent, [true, false],
default: true,
description: 'Persist status update to the selinux configuration file'
property :policy, String,
default: lazy { default_policy_platform },
equal_to: %w(default minimum mls src strict targeted),
description: 'SELinux policy type'
property :automatic_reboot, [true, false, Symbol],
default: false,
description: 'Perform an automatic node reboot if required for state change'
deprecated_property_alias 'temporary', 'persistent', 'The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name.'
action_class do
include ::SELinux::Cookbook::StateHelpers
def render_selinux_template(action)
Chef::Log.warn(
'It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.'
) if selinux_disabled? && action == :enforcing
unless new_resource.automatic_reboot
Chef::Log.warn('Changes from disabled require a reboot.') if selinux_disabled? && %i(enforcing permissive).include?(action)
Chef::Log.warn('Disabling selinux requires a reboot.') if (selinux_enforcing? || selinux_permissive?) && action == :disabled
end
template "#{action} selinux config" do
path new_resource.config_file
source 'selinux.erb'
cookbook 'selinux'
variables(
selinux: action.to_s,
selinuxtype: new_resource.policy
)
end
end
def node_selinux_restart
unless new_resource.automatic_reboot
Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
return
end
outer_action = action
reboot 'selinux_state_change' do
delay_mins 1
reason "SELinux state change to #{outer_action} from #{selinux_state}"
action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
end
end
end
action :enforcing do
execute 'selinux-setenforce-enforcing' do
command '/usr/sbin/setenforce 1'
end unless selinux_disabled? || selinux_enforcing?
execute 'debian-selinux-activate' do
command selinux_activate_cmd
end if selinux_activate_required?
render_selinux_template(action) if new_resource.persistent
node_selinux_restart if state_change_reboot_required?
end
action :permissive do
execute 'selinux-setenforce-permissive' do
command '/usr/sbin/setenforce 0'
end unless selinux_disabled? || selinux_permissive?
execute 'debian-selinux-activate' do
command selinux_activate_cmd
end if selinux_activate_required?
render_selinux_template(action) if new_resource.persistent
node_selinux_restart if state_change_reboot_required?
end
action :disabled do
raise 'A non-persistent change to the disabled SELinux status is not possible.' unless new_resource.persistent
render_selinux_template(action)
node_selinux_restart if state_change_reboot_required?
end
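Review bot: `deprecated_property_alias 'temporary', 'persistent', ...` maps the old `temporary` value straight onto `persistent` without negating it, so a caller still passing `temporary true` now gets `persistent true`, the opposite of what it asked for; since the alias cannot invert the value, drop it and raise a clear error for `temporary` instead. In `render_selinux_template`, the multi-line `Chef::Log.warn(...)` with the `if` modifier after the closing parenthesis reads as an unconditional warning at a glance; wrap it in an explicit `if` block. `template ... cookbook 'selinux'` also hard-codes the cookbook name, which holds only while this vendored copy keeps the name `selinux`.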

View File

@@ -0,0 +1,95 @@
#
# Cookbook:: selinux
# Resource:: user
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :user, String,
name_property: true,
description: 'SELinux user'
property :level, String,
description: 'MLS/MCS security level for the user'
property :range, String,
description: 'MLS/MCS security range for the user'
property :roles, Array,
description: 'SELinux roles for the user'
load_current_value do |new_resource|
users = shell_out!('semanage user -l').stdout.split("\n")
current_user = users.grep(/^#{Regexp.escape(new_resource.user)}\s+/) do |u|
u.match(/^(?<user>[^\s]+)\s+(?<prefix>[^\s]+)\s+(?<level>[^\s]+)\s+(?<range>[^\s]+)\s+(?<roles>.*)$/)
# match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
end.shift
current_value_does_not_exist! unless current_user
# Existing resources should maintain their current configuration unless otherwise specified
new_resource.level ||= current_user[:level]
new_resource.range ||= current_user[:range]
new_resource.roles ||= current_user[:roles].to_s.split
new_resource.roles = new_resource.roles.sort
level current_user[:level]
range current_user[:range]
roles current_user[:roles].to_s.split.sort
end
action_class do
def semanage_user_args
args = ''
args += " -L #{new_resource.level}" if new_resource.level
args += " -r #{new_resource.range}" if new_resource.range
args += " -R '#{new_resource.roles.join(' ')}'" unless new_resource.roles.to_a.empty?
args
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :add do
raise 'The roles property must be populated to create a new SELinux user' if new_resource.roles.to_a.empty?
unless current_resource
converge_if_changed do
shell_out!("semanage user -a#{semanage_user_args} #{new_resource.user}")
end
end
end
action :modify do
if current_resource
converge_if_changed do
shell_out!("semanage user -m#{semanage_user_args} #{new_resource.user}")
end
end
end
action :delete do
if current_resource
converge_by "deleting SELinux user #{new_resource.user}" do
shell_out!("semanage user -d #{new_resource.user}")
end
end
end

View File

@@ -0,0 +1,18 @@
# Generated by Chef for <%= node['fqdn'] %>
# Do NOT modify this file by hand.
#
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<%= @selinux %>
# SELINUXTYPE= can take one of these three values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=<%= @selinuxtype %>
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
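Review bot: this template's comment lists `default`, `mls` and `src` as the "three values" for `SELINUXTYPE=`, while the `policy` property in the state resource accepts `default minimum mls src strict targeted`; the per-platform comment is fine, but `strict` is documented in neither template, so either describe it or remove it from `equal_to`. `SETLOCALDEFS=0` is hard-coded; if it is meant to stay fixed, say so in the comment above it.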

View File

@@ -0,0 +1,15 @@
# Generated by Chef for <%= node['fqdn'] %>
# Do NOT modify this file by hand.
#
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=<%= @selinux %>
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=<%= @selinuxtype %>