
selinux (58) Versions 0.9.0

Manages SELinux policy state and rules.

cookbook 'selinux', '= 0.9.0', :supermarket
cookbook 'selinux', '= 0.9.0'
knife supermarket install selinux
knife supermarket download selinux
Quality 25%


Provides recipes for manipulating SELinux policy enforcement state.


RHEL family distribution or other Linux system that uses SELinux.


Tested on RHEL 5.8, 6.3

Node Attributes

  • node['selinux']['state'] - The SELinux policy enforcement state.
    The default is set to match the default SELinux state on RHEL.
    Can be "enforcing", "permissive", or "disabled".

  • node['selinux']['booleans'] - A hash of SELinux boolean names and the
    values they should be set to. Values can be off, false, or 0 to disable;
    or on, true, or 1 to enable.
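
The value rules for both attributes can be checked before a Chef run acts on them. The following is an added example in plain Ruby, not code from the cookbook; the helper names and the sample attributes are hypothetical, and applying booleans with the standard `setsebool -P` tool is an assumption, since the page does not say how the cookbook applies them.

```ruby
# Added example, not the cookbook's code. Plain Ruby, no Chef required.
VALID_STATES = %w[enforcing permissive disabled].freeze
BOOL_ON  = %w[on true 1].freeze
BOOL_OFF = %w[off false 0].freeze

# Validate node['selinux']['state'] before it becomes an action symbol, so a
# typo fails with a clear message instead of an unknown action.
def selinux_action(state)
  normalized = state.to_s.strip.downcase
  return normalized.to_sym if VALID_STATES.include?(normalized)

  raise ArgumentError, "invalid SELinux state: #{state.inspect}"
end

# Map one node['selinux']['booleans'] value to 'on' or 'off'.
def boolean_value(name, value)
  v = value.to_s.strip.downcase
  return 'on'  if BOOL_ON.include?(v)
  return 'off' if BOOL_OFF.include?(v)

  raise ArgumentError, "invalid value #{value.inspect} for boolean #{name}"
end

# Build one argv array per boolean (assumption: applied with the standard
# `setsebool -P` tool). Arrays avoid passing attribute text through a shell.
def setsebool_commands(booleans)
  booleans.sort_by { |name, _| name.to_s }.map do |name, value|
    unless name.to_s.match?(/\A[A-Za-z0-9_]+\z/)
      raise ArgumentError, "unexpected boolean name: #{name.inspect}"
    end
    ['setsebool', '-P', name.to_s, boolean_value(name, value)]
  end
end

# Constructed sample attributes shaped like node['selinux'].
SAMPLE_ATTRS = {
  'state' => 'Enforcing',
  'booleans' => { 'httpd_can_network_connect' => true, 'ftpd_anon_write' => 0 }
}.freeze

if $PROGRAM_NAME == __FILE__
  puts selinux_action(SAMPLE_ATTRS['state']).inspect
  setsebool_commands(SAMPLE_ATTRS['booleans']).each { |argv| puts argv.join(' ') }
end
```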



The selinux_state LWRP is used to manage the SELinux state on the
system. It does this by using the setenforce command and rendering
the /etc/selinux/config file from a template.
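
Because the state lives in two places (the running kernel, changed with setenforce, and /etc/selinux/config, read at boot), the two can disagree. The following added example, which is not part of the cookbook, compares a desired state with both; the function names and sample config text are constructed for illustration, and the inputs are passed as strings standing in for the file contents and `getenforce` output.

```ruby
# Added example, not the cookbook's code. Inputs are passed in as strings so
# the check runs anywhere; on a real host they would come from reading
# /etc/selinux/config and running `getenforce`.
STATES = %w[enforcing permissive disabled].freeze

# Return the SELINUX= value from config text, or nil if the key is absent.
def configured_state(config_text)
  config_text.each_line do |line|
    key, value = line.sub(/#.*/, '').strip.split('=', 2)
    return value.strip.downcase if key == 'SELINUX' && value
  end
  nil
end

# Compare the desired state with the persistent (config) and runtime
# (getenforce) states and list every mismatch.
def selinux_drift(desired, config_text, getenforce_output)
  desired = desired.to_s.downcase
  raise ArgumentError, "invalid state #{desired.inspect}" unless STATES.include?(desired)

  persistent = configured_state(config_text)
  runtime = getenforce_output.to_s.strip.downcase
  findings = []
  findings << "config: SELINUX=#{persistent.inspect}, want #{desired}" if persistent != desired
  if runtime != desired
    # setenforce only switches between enforcing and permissive; moving to
    # or from disabled takes effect at the next boot.
    fix = [runtime, desired].include?('disabled') ? 'reboot required' : 'setenforce'
    findings << "runtime: #{runtime}, want #{desired} (#{fix})"
  end
  findings
end

# Constructed sample: config says enforcing, but someone ran `setenforce 0`.
SAMPLE_CONFIG = <<~CONF
  # This file controls the state of SELinux on the system.
  SELINUX=enforcing
  SELINUXTYPE=targeted
CONF

puts selinux_drift('enforcing', SAMPLE_CONFIG, "Permissive\n") if $PROGRAM_NAME == __FILE__
```

An empty result means the config file and the running system both match the desired state.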


  • :nothing - default action, does nothing
  • :enforcing - Sets SELinux to enforcing.
  • :disabled - Sets SELinux to disabled.
  • :permissive - Sets SELinux to permissive.


The LWRP has no user-settable resource attributes.


Simply set SELinux to enforcing or permissive:

selinux_state "SELinux Enforcing" do
  action :enforcing
end

selinux_state "SELinux Permissive" do
  action :permissive
end

The action here is based on the value of the
node['selinux']['state'] attribute, which we convert to lower-case
and make a symbol to pass to the action.

selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
  action node['selinux']['state'].downcase.to_sym
end


All the recipes now leverage the LWRP described above.


default

The default recipe will use the attribute node['selinux']['state']
in the selinux_state LWRP's action. By default, this will be :enforcing.

enforcing

This recipe will use :enforcing as the selinux_state action.

permissive

This recipe will use :permissive as the selinux_state action.

disabled

This recipe will use :disabled as the selinux_state action.


By default, this cookbook sets SELinux to enforcing, because the
default recipe uses the node['selinux']['state'] attribute, which is
"enforcing." This is in line with the policy of enforcing by default
on RHEL family distributions.

Enforcing mode can complicate changes to a system's default
configuration, whether they are made with automated configuration
management or manually. Often, third party help forums and support
sites recommend setting SELinux to "permissive." This cookbook can
help with that, in two ways.

You can simply set the attribute in a role applied to the node:

name "base"
description "Base role applied to all nodes."
default_attributes(
  "selinux" => {
    "state" => "permissive"
  }
)

Or, you can apply the recipe to the run list (e.g., in a role):

name "base"
description "Base role applied to all nodes."
run_list("recipe[selinux::permissive]")


Add LWRP/Libraries for manipulating security contexts for files and
services managed by Chef.

License and Author

Copyright:: 2011-2012, Chef Software, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

abiquo
base_install
centos-test
cheftest
cloudless-box
cloudstack_wrapper
consul
corosync-cookbook
crenv
dcos
django_platform
drupal-cookbook
eucalyptus
greysystems-mongodb
hadoop
hashicorp-vault
hdp-cloud
k8s
kafka-cluster
katello
kube_cluster
kubernetes
linux-basic
linux_basic
mariadb
nc_base
openstack-block-storage
openstack-common
paramount
realmd-sssd
redisio
spree
tungsten
wordpress
zenoss
zookeeper-cluster

selinux Cookbook CHANGELOG

v0.9.0 (2015-02-22)

  • Initial Debian / Ubuntu support
  • Various bug fixes

v0.8.0 (2014-04-23)

  • [COOK-4528] - Fix selinux directory permissions
  • [COOK-4562] - Basic support for Ubuntu/Debian

v0.7.2 (2014-03-24)

  • handling minimal installs

v0.7.0 (2014-02-27)

  • [COOK-4218] Support setting SELinux boolean values


  • Fixing bug introduced in 0.6.0
  • adding basic test-kitchen coverage


  • [COOK-760] - selinux enforce/permit/disable based on attribute


  • [COOK-2124] - enforcing recipe fails if selinux is disabled


  • [COOK-1277] - disabled recipe fails on systems w/o selinux installed


  • [COOK-789] - fix dangling commas causing syntax error on some rubies


  • [COOK-678] - add the selinux cookbook to the repository
  • Use main selinux config file (/etc/selinux/config)
  • Use getenforce instead of selinuxenabled for enforcing and permissive

Collaborator Number Metric

0.9.0 passed this metric

Foodcritic Metric

0.9.0 failed this metric

FC001: Use strings in preference to symbols to access node attributes: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/recipes/_common.rb:2
FC001: Use strings in preference to symbols to access node attributes: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/recipes/_common.rb:9
FC017: LWRP does not notify when updated: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/providers/state.rb:26
FC017: LWRP does not notify when updated: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/providers/state.rb:36
FC017: LWRP does not notify when updated: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/providers/state.rb:46
FC019: Access node attributes in a consistent manner: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/recipes/_common.rb:2
FC019: Access node attributes in a consistent manner: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/recipes/_common.rb:9
FC031: Cookbook without metadata file: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/metadata.rb:1
FC045: Consider setting cookbook name in metadata: /tmp/cook/cb96d8b5ef213bbb96ee6de0/selinux/metadata.rb:1

Foodcritic Metric

0.9.0 failed this metric

FC017: LWRP does not notify when updated: selinux/providers/state.rb:26
FC017: LWRP does not notify when updated: selinux/providers/state.rb:36
FC017: LWRP does not notify when updated: selinux/providers/state.rb:46
FC059: LWRP provider does not declare use_inline_resources: selinux/providers/state.rb:1
Run with Foodcritic Version 8.2.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

License Metric

0.9.0 failed this metric

selinux does not have a valid open source license.
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.