Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

RSS

selinux (20) Versions 2.0.2

Manages SELinux policy state

Berkshelf/Librarian
Policyfile
Knife
cookbook 'selinux', '= 2.0.2'
cookbook 'selinux', '= 2.0.2', :supermarket
knife cookbook site install selinux
knife cookbook site download selinux
README
Dependencies
Changelog
Quality

SELinux Cookbook

Build Status Cookbook Version

The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state.

SELinux can have one of 3 settings

  • Enforcing
    • Watches all system access checks, stops all 'Denied access'
    • Default mode on RHEL systems
  • Permissive
    • Allows access but reports violations
  • Disabled
    • Disables SELinux from the system but is only read at boot time. If you set this flag, you must reboot.

Disable SELinux only if you plan to not use it. Use Permissive mode if you just need to debug your system.

Requirements

  • Chef 12.7 or higher

Platform:

The following platforms have been tested with Test Kitchen:

centos-6 centos-7

NOTE Support for debian and ubuntu is deprecated. It will be removed with the next release. The behavior on debian and rhel family operating systems is different as of 2.0.0. On debian and ubuntu systems if you want to enable SELinux you will need to do a few extra steps. As these are potentially destructive, rather than adding them to this cookbook adding this information here:

  • selinux-activate - Running selinux-activate will add parameters to the kernel, update grub configuration files, and set the file system to relabel upon reboot
  • reboot for settings to take effect.

Usage

Attributes

  • node['selinux']['booleans'] - A hash of SELinux boolean names and the values they should be set to. Values can be off, false, or 0 to disable; or on, true, or 1 to enable.

Resources Overview

selinux_state

The selinux_state resource is used to manage the SELinux state on the system. It does this by using the setenforce command and rendering the /etc/selinux/config file from a template.

Actions

  • :nothing - default action, does nothing
  • :enforcing - Sets SELinux to enforcing.
  • :disabled - Sets SELinux to disabled.
  • :permissive - Sets SELinux to permissive.

Attributes

  • temporary - true, false, default false. Allows the temporary change between permisive and enabled states which don't require a reboot.
  • selinuxtype - targeted, mls, default targeted. Determines the policy that will be configured in the /etc/selinux/config file. The default value is targeted which enables selinux in a mode where only selected processes are protected. mls is multilevel security which enables selinux in a mode where all processes are protected.

Examples

Simply set SELinux to enforcing or permissive:

selinux_state "SELinux Enforcing" do
  action :enforcing
end

selinux_state "SELinux Permissive" do
  action :permissive
end

The action here is based on the value of the node['selinux']['status'] attribute, which we convert to lower-case and make a symbol to pass to the action.

selinux_state "SELinux #{node['selinux']['status'].capitalize}" do
  action node['selinux']['status'].downcase.to_sym
end

selinux_install

The selinux_install resource is used to encapsulate the set of selinux packages to install in order to manage selinux. It also ensures the directory /etc/selinux is created.

Recipes

All recipes will deprecate in the near future as they are just using the selinux_state resource.

default

The default recipe will use the attribute node['selinux']['status'] in the selinux_state LWRP's action. By default, this will be :enforcing.

enforcing

This recipe will use :enforcing as the selinux_state action.

permissive

This recipe will use :permissive as the selinux_state action.

disabled

This recipe will use :disabled as the selinux_state action.

Usage

By default, this cookbook will have SELinux enforcing by default, as the default recipe uses the node['selinux']['status'] attribute, which is "enforcing." This is in line with the policy of enforcing by default on RHEL family distributions.

You can simply set the attribute in a role applied to the node:

name "base"
description "Base role applied to all nodes."
default_attributes(
  "selinux" => {
    "status" => "permissive"
  }
)

Or, you can apply the recipe to the run list (e.g., in a role):

name "base"
description "Base role applied to all nodes."
run_list(
  "recipe[selinux::permissive]",
)

License & Authors

Copyright: 2008-2017, Chef Software, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

abiquo Applicable Versions
base_install Applicable Versions
centos-test Applicable Versions
cloudless-box Applicable Versions
cloudstack_wrapper Applicable Versions
consul Applicable Versions
crenv Applicable Versions
dcos Applicable Versions
drupal-cookbook Applicable Versions
eucalyptus Applicable Versions
greysystems-mongodb Applicable Versions
hadoop Applicable Versions
hashicorp-vault Applicable Versions
k8s Applicable Versions
kafka-cluster Applicable Versions
katello Applicable Versions
kubernetes Applicable Versions
linux-basic Applicable Versions
linux_basic Applicable Versions
realmd-sssd Applicable Versions
spree Applicable Versions
tungsten Applicable Versions
wordpress Applicable Versions
zenoss Applicable Versions
zookeeper-cluster Applicable Versions

selinux Cookbook CHANGELOG

This file is used to list changes made in each version of the selinux cookbook.

2.0.2 (2017-06-05)

  • Permissive guard should grep for permissive not just disabled

2.0.1 (2017-05-30)

  • Remove class_eval usage

2.0.0 (2017-05-15)

  • Deprecate debian family support
  • Make default for rhel family use setenforce regardless of whether a temporary change or not. Eliminates the requirement for a required reboot to effect change in the running system.

1.0.4 (2017-04-17)

  • Switch to local delivery for testing
  • Use the standard apache license string
  • Updates for early Chef 12 and Chef 13 compatibility
  • Update and add copyright blocks to the various files

1.0.3 (2017-03-14)

  • Fix requirement in metadata to reflect need for Chef 12.7 as using action_class in state resource.

1.0.2 (2017-03-01)

  • Remove setools* packages from install resource (utility to analyze and query policies, monitor and report audit logs, and manage file context). Future versions of this cookbook that might use this need to handle package install on Oracle Linux as not available in default repo.

1.0.1 (2017-02-26)

  • Fix logic error in the permissive state change

1.0.0 (2017-02-26)

  • BREAKING CHANGE node['selinux']['state'] is now node['selinux']['status'] to meet Chef 13 requirements.
  • Update to current cookbook engineering standards
  • Rewrite LWRP to 12.5 resources
  • Resolved cookstyle errors
  • Update package information for debian based on https://debian-handbook.info/browse/stable/sect.selinux.html
    • selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected.
  • Add property temporary to allow for switching between permissive and enabled
  • Add install resource

v0.9.0 (2015-02-22)

  • Initial Debian / Ubuntu support
  • Various bug fixes

v0.8.0 (2014-04-23)

  • [COOK-4528] - Fix selinux directory permissions
  • [COOK-4562] - Basic support for Ubuntu/Debian

v0.7.2 (2014-03-24)

handling minimal installs

v0.7.0 (2014-02-27)

[COOK-4218] Support setting SELinux boolean values

v0.6.2

  • Fixing bug introduced in 0.6.0
  • adding basic test-kitchen coverage

v0.6.0

  • [COOK-760] - selinux enforce/permit/disable based on attribute

v0.5.6

  • [COOK-2124] - enforcing recipe fails if selinux is disabled

v0.5.4

  • [COOK-1277] - disabled recipe fails on systems w/o selinux installed

v0.5.2

  • [COOK-789] - fix dangling commas causing syntax error on some rubies

v0.5.0

  • [COOK-678] - add the selinux cookbook to the repository
  • Use main selinux config file (/etc/selinux/config)
  • Use getenforce instead of selinuxenabled for enforcing and permissive

Collaborator Number Metric
            

2.0.2 passed this metric

Contributing File Metric
            

2.0.2 passed this metric

Foodcritic Metric
            

2.0.2 passed this metric

License Metric
            

2.0.2 passed this metric

No Binaries Metric
            

2.0.2 passed this metric

Publish Metric
            

2.0.2 passed this metric

Supported Platforms Metric
            

2.0.2 passed this metric

Testing File Metric
            

2.0.2 passed this metric

Version Tag Metric
            

2.0.2 passed this metric