cookbook 'selinux', '= 3.0.1'
selinux
Manages SELinux policy state and rules.
cookbook 'selinux', '= 3.0.1', :supermarket
knife supermarket install selinux
knife supermarket download selinux
SELinux Cookbook
The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state.
SELinux can have one of three settings:
Enforcing
- Watches all system access checks, stops all 'Denied access'
- Default mode on RHEL systems
Permissive
- Allows access but reports violations
Disabled
- Disables SELinux on the system, but this setting is only read at boot time. If you set this flag, you must reboot.
Disable SELinux only if you plan to not use it. Use Permissive mode if you just need to debug your system.
Requirements
- Chef 13 or higher
Platform:
- RHEL 6/7
Attributes
- node['selinux']['state']: The SELinux policy enforcement state. The default is set to match the default SELinux state on RHEL. Can be "enforcing", "permissive" or "disabled".
- node['selinux']['booleans']: A hash of SELinux boolean names and the values they should be set to. Values can be off, false, or 0 to disable; or on, true, or 1 to enable.
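As an added illustration of the node['selinux']['booleans'] value rules above (this is example code, not the cookbook's own implementation), the following plain Ruby normalises the accepted values, parses the output of getsebool -a, and works out which setsebool -P runs a converge would still need; the sample getsebool output and the helper names are constructed for this example.

```ruby
# Added example, not the selinux cookbook's own code. The getsebool output
# below is constructed sample data; helper names are this example's own.
SAMPLE_GETSEBOOL = <<~OUT
  httpd_can_network_connect --> off
  httpd_enable_homedirs --> off
  ftpd_full_access --> on
OUT

# The value forms the attribute accepts, as documented in the README.
ON_VALUES  = ['on', 'true', '1', true, 1].freeze
OFF_VALUES = ['off', 'false', '0', false, 0].freeze

# Map an attribute value (string, boolean or integer) to "on"/"off".
def normalize_boolean(value)
  v = value.is_a?(String) ? value.strip.downcase : value
  return 'on'  if ON_VALUES.include?(v)
  return 'off' if OFF_VALUES.include?(v)
  raise ArgumentError, "unsupported SELinux boolean value: #{value.inspect}"
end

# Parse "name --> state" lines from getsebool -a into { name => "on"/"off" }.
def parse_getsebool(output)
  output.each_line.each_with_object({}) do |line, acc|
    name, state = line.split('-->').map(&:strip)
    acc[name] = state if name && state
  end
end

# Commands needed to bring the system in line with the attribute hash;
# booleans already in the desired state are skipped, so a converge stays
# idempotent. Unknown boolean names fail loudly instead of being ignored.
def setsebool_commands(booleans, getsebool_output)
  current = parse_getsebool(getsebool_output)
  booleans.each_with_object([]) do |(name, value), cmds|
    wanted = normalize_boolean(value)
    raise ArgumentError, "unknown SELinux boolean: #{name}" unless current.key?(name)
    next if current[name] == wanted
    cmds << "setsebool -P #{name} #{wanted}"   # -P persists across reboots
  end
end
```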
Resources Overview
selinux_state
The selinux_state resource is used to manage the SELinux state on the system. It does this by using the setenforce command and rendering the /etc/selinux/config file from a template.
selinux_module
This provider is intended to be part of the SELinux analysis workflow using tools like audit2allow.
Actions
- :create: install the module
- :remove: remove the module
Options
- source: SELinux .te file, to be parsed, compiled and deployed as a module. If only a simple basename is given, the provider will first look in the files/default/selinux directory.
- base_dir: Base directory in which to create and manage SELinux files; by default /etc/selinux/local.
- force: Boolean. Indicates whether the provider should re-install the same version of an SELinux module that is already installed, in case the source .te file changes.
Attributes
LWRP interface, recipe attributes are not applicable here.
selinux_state
The selinux_state resource is used to manage the SELinux state on the system. It does this by using the setenforce command and rendering the /etc/selinux/config file from a template.
Actions
- :nothing: default action, does nothing
- :enforcing: Sets SELinux to enforcing.
- :disabled: Sets SELinux to disabled.
- :permissive: Sets SELinux to permissive.
Properties
- temporary: true or false, default false. Allows a temporary change between the permissive and enabled states, which does not require a reboot.
- selinuxtype: targeted or mls, default targeted. Determines the policy that will be configured in the /etc/selinux/config file. The default value, targeted, enables SELinux in a mode where only selected processes are protected; mls is multilevel security, which enables SELinux in a mode where all processes are protected.
Examples
Managing SELinux State (selinux_state)
Simply set SELinux to enforcing or permissive:

```ruby
selinux_state "SELinux Enforcing" do
  action :enforcing
end

selinux_state "SELinux Permissive" do
  action :permissive
end
```

The action here is based on the value of the node['selinux']['state'] attribute, which we convert to lower-case and make a symbol to pass to the action.

```ruby
selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
  action node['selinux']['state'].downcase.to_sym
end
```

The action here is based on the value of the node['selinux']['status'] attribute, which we convert to lower-case and make a symbol to pass to the action.

```ruby
selinux_state "SELinux #{node['selinux']['status'].capitalize}" do
  action node['selinux']['status'].downcase.to_sym
end
```
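As an added illustration of the selinux_state behaviour described in this README (example code, not the cookbook's own implementation), the following plain Ruby models how the three states, the temporary property and the selinuxtype property translate into a setenforce call, a rendered /etc/selinux/config and a reboot requirement; the helper names and the rule that a temporary change cannot enter or leave disabled are this example's own assumptions, derived from the README's description.

```ruby
# Added example, not the cookbook's own code: a model of what selinux_state
# does with its actions and properties. Helper names are this example's own.
STATES = %w[enforcing permissive disabled].freeze
TYPES  = %w[targeted mls].freeze

# Render the /etc/selinux/config body the resource templates out.
def selinux_config(state, selinuxtype = 'targeted')
  raise ArgumentError, "bad state #{state}" unless STATES.include?(state.to_s)
  raise ArgumentError, "bad type #{selinuxtype}" unless TYPES.include?(selinuxtype.to_s)
  "# This file controls the state of SELinux on the system.\n" \
    "SELINUX=#{state}\nSELINUXTYPE=#{selinuxtype}\n"
end

# Decide what a converge must do to move from the state reported by
# `getenforce` (e.g. "Enforcing") to the requested action.
# Returns the setenforce argument (or nil), whether to write the config
# file, and whether a reboot is required.
def plan_state_change(current_getenforce, desired, temporary: false)
  current = current_getenforce.strip.downcase
  desired = desired.to_s.downcase
  raise ArgumentError, "unknown action #{desired}" unless STATES.include?(desired)

  plan = { setenforce: nil, write_config: !temporary, reboot_required: false }
  return plan if current == desired

  if current == 'disabled' || desired == 'disabled'
    # The disabled flag is only read at boot; setenforce cannot cross it,
    # so a temporary (non-persistent) change is impossible here.
    raise ArgumentError, 'temporary cannot enter or leave disabled' if temporary
    plan[:reboot_required] = true
  else
    # enforcing <-> permissive is a live change: setenforce 1 / setenforce 0
    plan[:setenforce] = desired == 'enforcing' ? 1 : 0
  end
  plan
end
```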
Managing SELinux Modules (selinux_module)
Consider the following steps to obtain a .te file, the rule description format employed by SELinux:
- Add selinux to your metadata.rb, for instance: depends 'selinux', '>= 0.10.0'
- Run your SELinux workflow, and add the .te files to your cookbook files, preferably under the files/default/selinux directory
- Write recipes using the selinux_module provider
SELinux audit2allow Workflow
This provider was written with the intention of matching the workflow of audit2allow (provided by the policycoreutils package), which basically is:
- Test the application and inspect the /var/log/audit/audit.log log file with a command like this basic example: grep AVC /var/log/audit/audit.log | audit2allow -M my_application
- Save the my_application.te SELinux module source and copy it into your cookbook under files/default/selinux/my_application.te
- Make use of the selinux provider in a recipe, after adding it as a dependency
For example, add the following at the recipe level:

```ruby
selinux_module 'MyApplication SELinux Module' do
  source 'my_application.te'
  action :create
end
```

The module name is defined by the contents of the my_application.te file; note that this name is the input used during the :remove action. For instance:

```ruby
selinux_module 'my_application' do
  action :remove
end
```
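As an added example of the module-name handling described above (not the cookbook's own implementation), the following plain Ruby reads the name and version from the leading module line of a .te source, applies a naming rule that admits the "-" and "_" characters the 3.0.1 changelog allows, and assembles the standard checkmodule / semodule_package / semodule command sequence under base_dir; the sample .te, the exact name regex and the helper names are constructed for this example.

```ruby
# Added example, not the cookbook's own code. Sample .te and helper names are
# constructed; the command sequence is the standard policycoreutils one.
require 'pathname'

# Constructed .te source, like the one `audit2allow -M my_application` writes.
SAMPLE_TE = <<~TE
  module my_application 1.0;

  require {
      type httpd_t;
      type var_log_t;
      class file { read open };
  }

  allow httpd_t var_log_t:file { read open };
TE

# Assumed naming rule: starts with a letter, then letters, digits, "-" and
# "_" (the last two are what the 3.0.1 changelog allows).
MODULE_NAME_RE = /\A[A-Za-z][A-Za-z0-9_-]*\z/

# Returns { name:, version: } from the "module NAME VERSION;" line. The name
# is what selinux_module's :remove action needs.
def parse_te_module(source)
  line = source.each_line.map(&:strip).find { |l| l.start_with?('module ') }
  raise ArgumentError, 'no module declaration in .te source' unless line
  m = line.match(/\Amodule\s+(\S+)\s+([\d.]+)\s*;\z/)
  raise ArgumentError, "malformed module line: #{line}" unless m
  raise ArgumentError, "module name #{m[1]} not allowed" unless m[1].match?(MODULE_NAME_RE)
  { name: m[1], version: m[2] }
end

# Commands a :create runs, in order, with all files kept under base_dir.
def create_commands(source, base_dir = '/etc/selinux/local')
  name = parse_te_module(source)[:name]
  dir  = Pathname.new(base_dir)
  te, mod, pkg = %w[te mod pp].map { |ext| dir.join("#{name}.#{ext}") }
  [
    "checkmodule -M -m -o #{mod} #{te}",    # compile source to a module
    "semodule_package -o #{pkg} -m #{mod}", # package it
    "semodule -i #{pkg}",                   # install it
  ]
end

# The :remove action only needs the module name.
def remove_command(name)
  raise ArgumentError, "module name #{name} not allowed" unless name.match?(MODULE_NAME_RE)
  "semodule -r #{name}"
end
```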
selinux_install
The selinux_install resource is used to encapsulate the set of SELinux packages to install in order to manage SELinux. It also ensures the directory /etc/selinux is created.
Recipes
All recipes will be deprecated in the near future, as they just use the selinux_state resource.
default
The default recipe will use the attribute node['selinux']['status'] in the selinux_state resource's action. By default, this will be :enforcing.
enforcing
This recipe will use :enforcing as the selinux_state action.
permissive
This recipe will use :permissive as the selinux_state action.
disabled
This recipe will use :disabled as the selinux_state action.
Usage
By default, this cookbook sets SELinux to enforcing, as the default recipe uses the node['selinux']['status'] attribute, whose default is "enforcing". This is in line with the policy of enforcing by default on RHEL family distributions.
You can simply set the attribute in a role applied to the node:

```ruby
name "base"
description "Base role applied to all nodes."
default_attributes(
  "selinux" => {
    "status" => "permissive"
  }
)
```

Or, you can apply the recipe to the run list (e.g., in a role):

```ruby
name "base"
description "Base role applied to all nodes."
run_list(
  "recipe[selinux::permissive]",
)
```
License & Authors
- Author: Sean OMeara (sean@sean.io)
- Author: Joshua Timberman (joshua@chef.io)
- Author: Jennifer Davis (sigje@chef.io)
Copyright: 2008-2018, Chef Software, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
selinux Cookbook CHANGELOG
This file is used to list changes made in each version of the selinux cookbook.
3.0.1 (2019-11-14)
- Remove the deprecated ChefSpec report - @tas50
- Allow "-" and "_" for module names - @ramereth
- Update Fedora versions we test on - @tas50
3.0.0 (2019-06-06)
- Support for SELinux modules, via the new selinux_module resource, able to compile .te files and install and remove modules
- Improving test coverage for all resources
- Remove support for Ubuntu/Debian
- Require Chef 13+
2.1.1 (2018-06-07)
- Do not execute setenforce 1 always
- Remove chefspec matchers that are autogenerated now
- Chef 13 Fixes
2.1.0 (2017-09-15)
- Simplify Travis config and fix ChefDK 2.0 failures
- Use bento slugs in Kitchen
- Remove maintainer files
- More cleanup of the maintainer files
- Speed up install with multi-package install
2.0.3 (2017-06-13)
- Fix boolean check within default recipe
2.0.2 (2017-06-05)
- Permissive guard should grep for permissive not just disabled
2.0.1 (2017-05-30)
- Remove class_eval usage
2.0.0 (2017-05-15)
- Deprecate debian family support
- Make default for rhel family use setenforce regardless of whether a temporary change or not. Eliminates the requirement for a required reboot to effect change in the running system.
1.0.4 (2017-04-17)
- Switch to local delivery for testing
- Use the standard apache license string
- Updates for early Chef 12 and Chef 13 compatibility
- Update and add copyright blocks to the various files
1.0.3 (2017-03-14)
- Fix requirement in metadata to reflect need for Chef 12.7 as using action_class in state resource.
1.0.2 (2017-03-01)
- Remove setools* packages from install resource (utility to analyze and query policies, monitor and report audit logs, and manage file context). Future versions of this cookbook that might use this need to handle package install on Oracle Linux as not available in default repo.
1.0.1 (2017-02-26)
- Fix logic error in the permissive state change
1.0.0 (2017-02-26)
- BREAKING CHANGE: node['selinux']['state'] is now node['selinux']['status'] to meet Chef 13 requirements.
- Update to current cookbook engineering standards
- Rewrite LWRP to 12.5 resources
- Resolved cookstyle errors
- Update package information for debian based on https://debian-handbook.info/browse/stable/sect.selinux.html
- selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected.
- Add property temporary to allow for switching between permissive and enabled
- Add install resource
v0.9.0 (2015-02-22)
- Initial Debian / Ubuntu support
- Various bug fixes
v0.8.0 (2014-04-23)
- [COOK-4528] - Fix selinux directory permissions
- [COOK-4562] - Basic support for Ubuntu/Debian
v0.7.2 (2014-03-24)
- Handling minimal installs
v0.7.0 (2014-02-27)
- [COOK-4218] Support setting SELinux boolean values
v0.6.2
- Fixing bug introduced in 0.6.0
- adding basic test-kitchen coverage
v0.6.0
- [COOK-760] - selinux enforce/permit/disable based on attribute
v0.5.6
- [COOK-2124] - enforcing recipe fails if selinux is disabled
v0.5.4
- [COOK-1277] - disabled recipe fails on systems w/o selinux installed
v0.5.2
- [COOK-789] - fix dangling commas causing syntax error on some rubies
v0.5.0
- [COOK-678] - add the selinux cookbook to the repository
- Use main selinux config file (/etc/selinux/config)
- Use getenforce instead of selinuxenabled for enforcing and permissive