99 lines
3.1 KiB
Ruby
99 lines
3.1 KiB
Ruby
#
|
|
# Cookbook:: selinux
|
|
# Resource:: port
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
unified_mode true
|
|
|
|
property :port, [Integer, String],
|
|
name_property: true,
|
|
regex: /^\d+$/,
|
|
description: 'Port to modify'
|
|
|
|
property :protocol, String,
|
|
equal_to: %w(tcp udp),
|
|
required: %i(manage add modify),
|
|
description: 'Protocol to modify'
|
|
|
|
property :secontext, String,
|
|
required: %i(manage add modify),
|
|
description: 'SELinux context to assign to the port'
|
|
|
|
action_class do
|
|
include SELinux::Cookbook::StateHelpers
|
|
|
|
def current_port_context
|
|
# use awk to see if the given port is within a reported port range
|
|
shell_out!(
|
|
<<~CMD
|
|
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
|
|
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
|
|
CMD
|
|
).stdout.split
|
|
end
|
|
end
|
|
|
|
action :manage do
|
|
run_action(:add)
|
|
run_action(:modify)
|
|
end
|
|
|
|
action :addormodify do
|
|
Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.')
|
|
run_action(:manage)
|
|
end
|
|
|
|
# Create if doesn't exist, do not touch if port is already registered (even under different type)
|
|
action :add do
|
|
if selinux_disabled?
|
|
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
|
|
return
|
|
end
|
|
|
|
if current_port_context.empty?
|
|
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
|
|
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
|
|
end
|
|
end
|
|
end
|
|
|
|
# Only modify port if it exists & doesn't have the correct context already
|
|
action :modify do
|
|
if selinux_disabled?
|
|
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
|
|
return
|
|
end
|
|
|
|
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
|
|
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
|
|
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
|
|
end
|
|
end
|
|
end
|
|
|
|
# Delete if exists
|
|
action :delete do
|
|
if selinux_disabled?
|
|
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
|
|
return
|
|
end
|
|
|
|
unless current_port_context.empty?
|
|
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
|
|
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
|
|
end
|
|
end
|
|
end
|