selinux_policy (42) Versions 0.3.0

Manages SELinux policy components

Install with Policyfile:
  cookbook 'selinux_policy', '= 0.3.0', :supermarket
Install with Berkshelf:
  cookbook 'selinux_policy', '= 0.3.0'
Install with Knife:
  knife supermarket install selinux_policy
  knife supermarket download selinux_policy
Quality 0%

SELinux Policy Cookbook

This cookbook can be used to manage SELinux policies and components (rather than just enabling / disabling enforcing).

I made it because I needed some SELinux settings done, and the executes started to look annoying.

Requirements

Needs an active SELinux policy (so that its values can be managed).

Also requires SELinux's management tools, namely semanage, setsebool and getsebool.
Tools are installed by the selinux_policy::install recipe (for RHEL/Debian and the like).

Attributes

None, at the moment.

Usage

This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook.
Remember to add depends 'selinux_policy' to your metadata.rb.

boolean

Represents an SELinux boolean.
You can either set it, meaning it is changed without persistence (it reverts to the default on the next reboot), or setpersist it (the default action), so it keeps its value after rebooting.

Using setpersist requires an active policy (so that the new value can be saved somewhere).

Attributes:

  • name: boolean's name. Defaults to resource name.
  • value: Its new value (true/false).
  • force: Use setsebool even if the current value agrees with the requested one.

Example usage:

selinux_policy_boolean 'httpd_can_network_connect' do
  value true
  # Make sure nginx is started if this value was modified
  notifies :start, 'service[nginx]', :immediate
end

Note: Because Ruby interprets 0 as true, using value 0 is unwise.
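As an added illustration (not the cookbook's own provider code), here is how an idempotent setpersist decision can be made from getsebool output, together with the value check that the note above motivates. The getsebool output is a constructed sample so the code runs offline.

```ruby
# Constructed sample of `getsebool httpd_can_network_connect` output.
GETSEBOOL_OUTPUT = "httpd_can_network_connect --> off\n"

# Parse "name --> on|off" into true/false. Anything else (for instance the
# error getsebool prints for an unknown boolean) raises instead of passing silently.
def parse_getsebool(output)
  m = output.match(/\A(\S+) --> (on|off)\s*\z/)
  raise ArgumentError, "unexpected getsebool output: #{output.inspect}" unless m
  m[2] == 'on'
end

# Accept only real booleans. Ruby treats 0 as truthy, so `value 0` would
# silently enable the boolean; reject non-boolean input instead of guessing.
def normalize_value(value)
  case value
  when true, false then value
  else raise ArgumentError, "value must be true or false, got #{value.inspect}"
  end
end

# Decide whether setsebool has to run and build the command it would use.
# force mirrors the resource's force attribute: act even when nothing differs.
def setsebool_plan(name, value, current_output, force: false)
  wanted  = normalize_value(value)
  current = parse_getsebool(current_output)
  return nil if current == wanted && !force
  # -P persists the value across reboots, which is what the setpersist action does.
  ['setsebool', '-P', name, wanted ? 'on' : 'off']
end

if __FILE__ == $PROGRAM_NAME
  p setsebool_plan('httpd_can_network_connect', true, GETSEBOOL_OUTPUT)
  # => ["setsebool", "-P", "httpd_can_network_connect", "on"]
  p setsebool_plan('httpd_can_network_connect', false, GETSEBOOL_OUTPUT)
  # => nil: already off, nothing to run
end
```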

port

Allows assigning a network port to a certain SELinux context.

As explained here, it can be useful for running Apache on a non-standard port.

Actions:

  • addormodify (default): Assigns the port to the right context, whether it's already listed under another context or not listed at all.
  • add: Assigns the port to the right context if it's not listed (only uses -a).
  • modify: Changes the port's context if it's already listed (only uses -m).
  • delete: Removes the port's context if it's listed (uses -d).

Attributes:

  • port: The port in question, defaults to resource name.
  • protocol: tcp/udp.
  • secontext: The SELinux context to assign the port to. Unneeded when using delete.

Example usage:

# Allow nginx to bind to port 5678, by giving it the http_port_t context
selinux_policy_port '5678' do
    protocol 'tcp'
    secontext 'http_port_t'
end
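To show how the addormodify, add, modify and delete actions above differ, here is an added example (not the cookbook's providers) that works the decision from a constructed sample of semanage port -l output and builds the command each action would run.

```ruby
# Constructed sample of `semanage port -l` output: header, blank line, three types.
SEMANAGE_PORT_LIST = <<~OUT
  SELinux Port Type              Proto    Port Number

  http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
  ssh_port_t                     tcp      22
  vnc_port_t                     tcp      5900-5999
OUT

# Return the context that currently owns port/protocol, or nil if unlisted.
# The port may be a string (the resource name) or an Integer; entries may be
# single ports or "low-high" ranges, and both forms are handled.
def current_context(listing, port, protocol)
  port = Integer(port)
  listing.each_line do |line|
    type, proto, ports = line.strip.split(/\s+/, 3)
    next unless proto == protocol && ports
    ports.split(/,\s*/).each do |spec|
      lo, hi = spec.split('-').map(&:to_i)
      return type if (lo..(hi || lo)).cover?(port)
    end
  end
  nil
end

# Build the semanage command an action would run, or nil when the current
# state already matches. `semanage port -a` fails if the port is already
# defined under any type, which is why addormodify has to choose -a or -m.
def semanage_plan(action, listing, port, protocol, secontext = nil)
  current = current_context(listing, port, protocol)
  target  = ['-t', secontext, '-p', protocol, port.to_s]
  case action
  when :add
    current ? nil : ['semanage', 'port', '-a', *target]
  when :modify
    (current.nil? || current == secontext) ? nil : ['semanage', 'port', '-m', *target]
  when :addormodify
    current == secontext ? nil : ['semanage', 'port', current ? '-m' : '-a', *target]
  when :delete
    current ? ['semanage', 'port', '-d', '-p', protocol, port.to_s] : nil
  else
    raise ArgumentError, "unknown action #{action.inspect}"
  end
end
```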

module

Manages SELinux policy modules.

Actions:

  • deploy (default): Compiles a module from its .te file and deploys it. Deploys only when one of the following is true:
    • The module isn't currently present
    • force is enabled
    • The policy file has changed
  • remove: Removes a module

Example usage:

# Allow openvpn to write/delete in '/etc/openvpn'
selinux_policy_module 'openvpn-googleauthenticator' do
  content '
module dy-openvpn-googleauthenticator 1.0;

require {
    type openvpn_t;
    type openvpn_etc_t;
    class file { write unlink };
}


#============= openvpn_t ==============
allow openvpn_t openvpn_etc_t:file { write unlink };
'
  action :deploy
end

permissive

Allows some types to misbehave without stopping them: denials for a permissive type are logged but not enforced.

Not as good as specific policies, but better than disabling SELinux entirely.

Actions:

  • add: Adds a permissive, unless it's already added
  • delete: Deletes a permissive if it's listed

Example usage:

# Disable enforcement on Nginx
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/

selinux_policy_permissive 'nginx' do
  notifies :restart, 'service[nginx]'
end

Contributing

The generic method seems fine to me:

  1. Fork the repository on GitHub
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using GitHub

License and Authors

Licensed GPL v2

Author: Nitzan Raz (backslasher)

I'll be happy to accept contributions or to hear from you!

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

al_agents
alfresco-db
cockpit
cookbook-openshift3
kloudspeaker
mariadb
msodbcsql
qas
realmd-sssd
redisio
squid

selinuxpolicy CHANGELOG

This file is used to list changes made in each version of the selinuxpolicy cookbook.

0.3.0

  • [backlasher] - Fixed install.rb syntax. Now it actually works

0.2.0

  • [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
  • [backlasher] - Added permissive resource

0.1.0

  • [backlasher] - Initial release of selinuxpolicy

Foodcritic Metric

0.3.0 failed this metric

FC001: Use strings in preference to symbols to access node attributes: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/recipes/install.rb:9
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/boolean.rb:7
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/boolean.rb:12
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/module.rb:25
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/port.rb:7
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/port.rb:15
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/port.rb:22
FC017: LWRP does not notify when updated: /tmp/cook/efe26f1dca8bbcf4ae9b1db4/selinux_policy/providers/port.rb:28