kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity
chef/cookbooks/selinux/resources/port.rb
Greg Karékinian 6116729907 Set up Redis using the latest version of redisio 
This replaces the deprecated redis cookbook. Compiles the latest version
of Redis, currently 7.0.11

Refs #488
2023-06-19 16:02:58 +02:00

99 lines
3.1 KiB
Ruby
Raw Blame History

#
# Cookbook:: selinux
# Resource:: port
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
unified_mode true
property :port, [Integer, String],
name_property: true,
regex: /^\d+$/,
description: 'Port to modify'
property :protocol, String,
equal_to: %w(tcp udp),
required: %i(manage add modify),
description: 'Protocol to modify'
property :secontext, String,
required: %i(manage add modify),
description: 'SELinux context to assign to the port'
action_class do
include ::SELinux::Cookbook::StateHelpers
def current_port_context
# use awk to see if the given port is within a reported port range
shell_out!(
<<~CMD
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
CMD
).stdout.split
end
end
action :manage do
run_action(:add)
run_action(:modify)
end
action :addormodify do
Chef::Log.warn('The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.')
run_action(:manage)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if current_port_context.empty?
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Only modify port if it exists & doesn't have the correct context already
action :modify do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Delete if exists
action :delete do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
return
end
unless current_port_context.empty?
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
Reference in New Issue View Git Blame Copy Permalink