Update cookbooks and add wordpress cookbook

Greg Karékinian
2016-02-19 18:09:49 +01:00
parent 9ba973e3ac
commit 820b0ab3f8
606 changed files with 22421 additions and 14084 deletions

View File

@@ -0,0 +1,52 @@
selinux Cookbook CHANGELOG
==========================
v0.9.0 (2015-02-22)
-------------------
- Initial Debian / Ubuntu support
- Various bug fixes
v0.8.0 (2014-04-23)
-------------------
- [COOK-4528] - Fix selinux directory permissions
- [COOK-4562] - Basic support for Ubuntu/Debian
v0.7.2 (2014-03-24)
-------------------
handling minimal installs
v0.7.0 (2014-02-27)
-------------------
[COOK-4218] Support setting SELinux boolean values
v0.6.2
------
- Fixing bug introduced in 0.6.0
- adding basic test-kitchen coverage
v0.6.0
------
- [COOK-760] - selinux enforce/permit/disable based on attribute
v0.5.6
------
- [COOK-2124] - enforcing recipe fails if selinux is disabled
v0.5.4
------
- [COOK-1277] - disabled recipe fails on systems w/o selinux installed
v0.5.2
------
- [COOK-789] - fix dangling commas causing syntax error on some rubies
v0.5.0
------
- [COOK-678] - add the selinux cookbook to the repository
- Use main selinux config file (/etc/selinux/config)
- Use getenforce instead of selinuxenabled for enforcing and permissive
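Review bot: the v0.7.2 and v0.7.0 entries ("handling minimal installs", "[COOK-4218] Support setting SELinux boolean values") drop the "- " list marker every other version uses; add it so the CHANGELOG renders as one list. The v0.9.0 line "Initial Debian / Ubuntu support" also overlaps with v0.8.0's "[COOK-4562] - Basic support for Ubuntu/Debian"; say what 0.9.0 adds beyond 0.8.0.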

cookbooks/selinux/README.md (new file, 144 lines)
View File

@@ -0,0 +1,144 @@
Description
===========
Provides recipes for manipulating SELinux policy enforcement state.
Requirements
============
RHEL family distribution or other Linux system that uses SELinux.
## Platform:
Tested on RHEL 5.8, 6.3
Node Attributes
===============
* `node['selinux']['state']` - The SELinux policy enforcement state.
The state to set by default, to match the default SELinux state on
RHEL. Can be "enforcing", "permissive", "disabled"
* `node['selinux']['booleans']` - A hash of SELinux boolean names and the
values they should be set to. Values can be off, false, or 0 to disable;
or on, true, or 1 to enable.
Resources/Providers
===================
## selinux\_state
The `selinux_state` LWRP is used to manage the SELinux state on the
system. It does this by using the `setenforce` command and rendering
the `/etc/selinux/config` file from a template.
### Actions
* `:nothing` - default action, does nothing
* `:enforcing` - Sets SELinux to enforcing.
* `:disabled` - Sets SELinux to disabled.
* `:permissive` - Sets SELinux to permissive.
### Attributes
The LWRP has no user-settable resource attributes.
### Examples
Simply set SELinux to enforcing or permissive:
selinux_state "SELinux Enforcing" do
action :enforcing
end
selinux_state "SELinux Permissive" do
action :permissive
end
The action here is based on the value of the
`node['selinux']['state']` attribute, which we convert to lower-case
and make a symbol to pass to the action.
selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
action node['selinux']['state'].downcase.to_sym
end
Recipes
=======
All the recipes now leverage the LWRP described above.
## default
The default recipe will use the attribute `node['selinux']['state']`
in the `selinux_state` LWRP's action. By default, this will be `:enforcing`.
## enforcing
This recipe will use `:enforcing` as the `selinux_state` action.
## permissive
This recipe will use `:permissive` as the `selinux_state` action.
## disabled
This recipe will use `:disabled` as the `selinux_state` action.
Usage
=====
By default, this cookbook will have SELinux enforcing by default, as
the default recipe uses the `node['selinux']['state']` attribute,
which is "enforcing." This is in line with the policy of enforcing by
default on RHEL family distributions.
This has complicated considerations when changing the default
configuration of their systems, whether it is with automated
configuration management or manually. Often, third party help forums
and support sites recommend setting SELinux to "permissive." This
cookbook can help with that, in two ways.
You can simply set the attribute in a role applied to the node:
name "base"
description "Base role applied to all nodes."
default_attributes(
"selinux" => {
"state" => "permissive"
}
)
Or, you can apply the recipe to the run list (e.g., in a role):
name "base"
description "Base role applied to all nodes."
run_list(
"recipe[selinux::permissive]",
)
Roadmap
=======
Add LWRP/Libraries for manipulating security contexts for files and
services managed by Chef.
License and Author
==================
- Author:: Sean OMeara (<someara@chef.io>)
- Author:: Joshua Timberman (<joshua@chef.io>)
Copyright:: 2011-2012, Chef Software, Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
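Review bot: the Platform section ("Tested on RHEL 5.8, 6.3") is stale next to the CHANGELOG's Debian/Ubuntu support in 0.8.0 and 0.9.0 and the metadata's ubuntu/debian platforms; either list the Debian/Ubuntu releases that were tested or state that they are untested. The `:disabled` action description ("Sets SELinux to disabled") should say that disabling only takes effect after a reboot, since the provider's runtime command for that action is `setenforce 0`, which leaves the system permissive until then. The Usage sentence "By default, this cookbook will have SELinux enforcing by default" repeats itself; one "by default" is enough.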

View File

@@ -0,0 +1,2 @@
default['selinux']['state'] = 'enforcing'
default['selinux']['booleans'] = {}

View File

@@ -0,0 +1,13 @@
module SELinuxServiceHelpers
def self.selinux_bool(bool)
if ['on', 'true', '1', true, 1].include? bool
'on'
elsif ['off', 'false', '0', false, 0].include? bool
'off'
else
Chef::Log.warn "Not a valid boolean value: #{bool}"
nil
end
end
end
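Review bot: `selinux_bool` matches with `include?`, i.e. `==`, so values such as 'ON', 'True' or 'Off' coming from a role attribute fall through to the warning branch and return nil, and the default recipe then silently skips that boolean; a typo in a security-relevant boolean leaves it unchanged with nothing but a log line. Normalize before comparing (`bool.to_s.downcase`) and consider raising on an unrecognized value instead of returning nil so the run fails visibly.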

View File

@@ -0,0 +1,54 @@
{
"name": "selinux",
"version": "0.9.0",
"description": "Manages SELinux policy state via LWRP or recipes.",
"long_description": "Description\n===========\n\nProvides recipes for manipulating SELinux policy enforcement state.\n\nRequirements\n============\n\nRHEL family distribution or other Linux system that uses SELinux.\n\n## Platform:\n\nTested on RHEL 5.8, 6.3\n\nNode Attributes\n===============\n\n* `node['selinux']['state']` - The SELinux policy enforcement state.\n The state to set by default, to match the default SELinux state on\n RHEL. Can be \"enforcing\", \"permissive\", \"disabled\"\n\n* `node['selinux']['booleans']` - A hash of SELinux boolean names and the\n values they should be set to. Values can be off, false, or 0 to disable;\n or on, true, or 1 to enable.\n\nResources/Providers\n===================\n\n## selinux\\_state\n\nThe `selinux_state` LWRP is used to manage the SELinux state on the\nsystem. It does this by using the `setenforce` command and rendering\nthe `/etc/selinux/config` file from a template.\n\n### Actions\n\n* `:nothing` - default action, does nothing\n* `:enforcing` - Sets SELinux to enforcing.\n* `:disabled` - Sets SELinux to disabled.\n* `:permissive` - Sets SELinux to permissive.\n\n### Attributes\n\nThe LWRP has no user-settable resource attributes.\n\n### Examples\n\nSimply set SELinux to enforcing or permissive:\n\n selinux_state \"SELinux Enforcing\" do\n action :enforcing\n end\n\n selinux_state \"SELinux Permissive\" do\n action :permissive\n end\n\nThe action here is based on the value of the\n`node['selinux']['state']` attribute, which we convert to lower-case\nand make a symbol to pass to the action.\n\n selinux_state \"SELinux #{node['selinux']['state'].capitalize}\" do\n action node['selinux']['state'].downcase.to_sym\n end\n\nRecipes\n=======\n\nAll the recipes now leverage the LWRP described above.\n\n## default\n\nThe default recipe will use the attribute `node['selinux']['state']`\nin the `selinux_state` LWRP's action. 
By default, this will be `:enforcing`.\n\n## enforcing\n\nThis recipe will use `:enforcing` as the `selinux_state` action.\n\n## permissive\n\nThis recipe will use `:permissive` as the `selinux_state` action.\n\n## disabled\n\nThis recipe will use `:disabled` as the `selinux_state` action.\n\nUsage\n=====\n\nBy default, this cookbook will have SELinux enforcing by default, as\nthe default recipe uses the `node['selinux']['state']` attribute,\nwhich is \"enforcing.\" This is in line with the policy of enforcing by\ndefault on RHEL family distributions.\n\nThis has complicated considerations when changing the default\nconfiguration of their systems, whether it is with automated\nconfiguration management or manually. Often, third party help forums\nand support sites recommend setting SELinux to \"permissive.\" This\ncookbook can help with that, in two ways.\n\nYou can simply set the attribute in a role applied to the node:\n\n name \"base\"\n description \"Base role applied to all nodes.\"\n default_attributes(\n \"selinux\" => {\n \"state\" => \"permissive\"\n }\n )\n\nOr, you can apply the recipe to the run list (e.g., in a role):\n\n name \"base\"\n description \"Base role applied to all nodes.\"\n run_list(\n \"recipe[selinux::permissive]\",\n )\n\nRoadmap\n=======\n\nAdd LWRP/Libraries for manipulating security contexts for files and\nservices managed by Chef.\n\nLicense and Author\n==================\n\n- Author:: Sean OMeara (<someara@chef.io>)\n- Author:: Joshua Timberman (<joshua@chef.io>)\n\nCopyright:: 2011-2012, Chef Software, Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n",
"maintainer": "Sam Kottler",
"maintainer_email": "shk@linux.com",
"license": "Apache",
"platforms": {
"redhat": ">= 0.0.0",
"centos": ">= 0.0.0",
"scientific": ">= 0.0.0",
"oracle": ">= 0.0.0",
"amazon": ">= 0.0.0",
"ubuntu": ">= 0.0.0",
"debian": ">= 0.0.0"
},
"dependencies": {
},
"recommendations": {
},
"suggestions": {
},
"conflicting": {
},
"providing": {
},
"replacing": {
},
"attributes": {
"selinux/state": {
"display_name": "SELinux State",
"description": "The SELinux policy enforcement state.",
"choices": [
"enforcing",
"permissive",
"disabled"
],
"recipes": [
"selinux::default"
],
"type": "string",
"default": "enforcing"
}
},
"groupings": {
},
"recipes": {
"selinux": "Use LWRP with state attribute to manage SELinux state.",
"selinux::enforcing": "Use :enforcing as the action for the selinux_state.",
"selinux::permissive": "Use :permissive as the action for the selinux_state.",
"selinux::disabled": "Use :disabled as the action for the selinux_state."
}
}
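Review bot: `"license": "Apache"` does not name a version; the README and the source headers say Apache License, Version 2.0, so use `"Apache 2.0"`. The maintainer (Sam Kottler) differs from the README's listed authors, and the `long_description` embeds the entire README verbatim, which will drift on the next README edit; generating metadata.json from metadata.rb at release time avoids both inconsistencies.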

View File

@@ -0,0 +1,75 @@
#
# Cookbook Name:: selinux
# Provider:: default
#
# Copyright 2011, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'chef/mixin/shell_out'
include Chef::Mixin::ShellOut
def whyrun_supported?
true
end
action :enforcing do
unless @current_resource.state == "enforcing"
execute "selinux-enforcing" do
not_if "getenforce | grep -qx 'Enforcing'"
command "setenforce 1"
end
se_template = render_selinux_template("enforcing")
end
end
action :disabled do
unless @current_resource.state == "disabled"
execute "selinux-disabled" do
only_if "selinuxenabled"
command "setenforce 0"
end
se_template = render_selinux_template("disabled")
end
end
action :permissive do
unless @current_resource.state == "permissive" || @current_resource.state == "disabled"
execute "selinux-permissive" do
not_if "getenforce | egrep -qx 'Permissive|Disabled'"
command "setenforce 0"
end
se_template = render_selinux_template("permissive")
end
end
def load_current_resource
@current_resource = Chef::Resource::SelinuxState.new(new_resource.name)
s = shell_out("getenforce")
@current_resource.state(s.stdout.chomp.downcase)
end
def render_selinux_template(state)
template "#{state} selinux config" do
path "/etc/selinux/config"
source "sysconfig/selinux.erb"
cookbook "selinux"
if state == 'permissive'
not_if "getenforce | grep -qx 'Disabled'"
end
variables(
:selinux => state,
:selinuxtype => "targeted"
)
end
end
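Review bot: the `:enforcing` action only guards against the current state already being "enforcing"; on a node where `getenforce` reports "Disabled", `setenforce 1` exits non-zero (the kernel refuses the switch while SELinux is disabled), so the `execute` aborts the run before `/etc/selinux/config` is rewritten and the node can never be moved to enforcing by this cookbook. Guard the execute with `not_if "getenforce | egrep -qx 'Enforcing|Disabled'"` so the config is still rendered and enforcing takes effect on the next reboot. The `se_template = render_selinux_template(...)` assignments in all three actions are unused locals and can be dropped.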

View File

@@ -0,0 +1,17 @@
case node[:platform_family]
when %r(debian|ubuntu)
package 'selinux-utils'
when 'rhel', 'fedora'
package 'libselinux-utils'
else
# implement support for your platform here!
raise "#{node[:platform_family]} not supported!"
end
directory '/etc/selinux' do
owner 'root'
group 'root'
mode '0755'
action :create
end
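Review bot: the `%r(debian|ubuntu)` branch installs `selinux-utils` and the rhel branch `libselinux-utils`, but the default recipe's boolean loop calls `setsebool`, which both families ship in `policycoreutils`, not in those packages; install it here so the booleans feature works on a minimal install. Also, `ubuntu` is never a `platform_family` value (Ubuntu reports `debian`), so that regex alternative is dead, and `node[:platform_family]` should use the string-key form (`node['platform_family']`) used everywhere else in the cookbook.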

View File

@@ -0,0 +1,34 @@
#
# Cookbook Name:: selinux
# Recipe:: default
#
# Copyright 2011, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
include_recipe 'selinux::_common'
selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
action node['selinux']['state'].downcase.to_sym
end
node['selinux']['booleans'].each do |boolean, value|
value = SELinuxServiceHelpers.selinux_bool(value)
unless value.nil?
script "boolean_#{boolean}" do
interpreter "bash"
code "setsebool -P #{boolean} #{value}"
not_if "getsebool #{boolean} |egrep -q \" #{value}\"$"
end
end
end
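Review bot: in the boolean loop the `not_if` is built as `egrep -q \" #{value}\"$`, which leaves the `$` anchor outside the quotes; bash still passes ` on$` as the pattern, but it reads as a mistake, so move the anchor inside (`egrep -q \" #{value}$\"`). More importantly, when `node['selinux']['state']` is "disabled" both `getsebool` and `setsebool -P` exit non-zero, so any configured boolean aborts the run; add `only_if 'selinuxenabled'` to the resource, and prefer `execute` over a bash `script` for a single command.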

View File

@@ -0,0 +1,25 @@
#
# Author:: Sean OMeara (<someara@chef.io>)
# Cookbook Name:: selinux
# Recipe:: disabled
#
# Copyright 2011, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'selinux::_common'
selinux_state "SELinux Disabled" do
action :disabled
end

View File

@@ -0,0 +1,25 @@
#
# Author:: Sean OMeara (<someara@chef.io>)
# Cookbook Name:: selinux
# Recipe:: enforcing
#
# Copyright 2011, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'selinux::_common'
selinux_state "SELinux Enforcing" do
action :enforcing
end

View File

@@ -0,0 +1,25 @@
#
# Author:: Sean OMeara (<someara@chef.io>)
# Cookbook Name:: selinux
# Recipe:: permissive
#
# Copyright 2011, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'selinux::_common'
selinux_state "SELinux Permissive" do
action :permissive
end

View File

@@ -0,0 +1,22 @@
#
# Cookbook Name:: selinux
# Resource:: default
#
# Copyright 2011, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
default_action :nothing
actions :enforcing, :disabled, :permissive
attribute :state, :default => nil
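Review bot: `attribute :state, :default => nil` is described in the README as not user-settable ("The LWRP has no user-settable resource attributes"), yet nothing here prevents a recipe from setting it; add a comment that the provider's `load_current_resource` populates it, and constrain it with `:kind_of => String` or `:equal_to => %w(enforcing permissive disabled)` so an unexpected value is rejected when the resource is built.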

View File

@@ -0,0 +1,11 @@
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=<%= @selinux %>
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=<%= @selinuxtype %>
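Review bot: `SELINUXTYPE=<%= @selinuxtype %>` is always rendered from the provider's hard-coded `:selinuxtype => "targeted"`, so a node running the `mls` policy would have its config silently switched to `targeted` the next time the state changes; read the existing value from `/etc/selinux/config` or expose it as a resource attribute instead of hard-coding it. The comment listing `strict` as a possible policy is also outdated; current RHEL releases ship `targeted`, `minimum` and `mls`.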