selinux_policy (42) Versions 2.4.3

Manages SELinux policy components

Policyfile: cookbook 'selinux_policy', '= 2.4.3', :supermarket
Berkshelf: cookbook 'selinux_policy', '= 2.4.3'
Knife: knife supermarket install selinux_policy
Knife: knife supermarket download selinux_policy

Quality 50%

selinux_policy Cookbook


This cookbook can be used to manage SELinux policies and their components (rather than just enabling / disabling enforcing mode). I made it because I needed some SELinux settings done, and the execute resources started to look annoying.

Requirements

Needs an active SELinux policy (so its values can be managed). It can work on a system with SELinux disabled (see the allow_disabled attribute), in which case it generates warnings and does nothing (but won't break the run). It also requires SELinux's management tools, namely semanage, setsebool and getsebool; these are installed by the selinux_policy::install recipe (for RHEL/Debian and the like).

Chef Infra Client

  • 13 or later

Platforms

  • rhel
  • fedora

Attributes

These attributes affect the way all of the resources behave.

  • node['selinux_policy']['allow_disabled'] - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to true, set to false if you don't have any machines with disabled SELinux.

Usage

  • selinux_policy::install - Installs SELinux policy management tools

This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add depends 'selinux_policy' to your metadata.rb.

boolean

Represents an SELinux boolean. You can either set it, meaning it is changed without persistence (it reverts to its default at the next reboot), or setpersist it (the default action), so it keeps its value after rebooting. Using setpersist requires an active policy (so that the new value can be saved somewhere).

Properties:

  • name: boolean's name. Defaults to resource name.
  • value: Its new value (true/false).
  • force: Use setsebool even if the current value agrees with the requested one.

Example usage:

include_recipe 'selinux_policy::install'

selinux_policy_boolean 'httpd_can_network_connect' do
  value true
  # Make sure nginx is started if this value was modified
  # (:immediately is the supported timing; :immediate is the deprecated spelling)
  notifies :start, 'service[nginx]', :immediately
end

Note: Because Ruby treats 0 as truthy (only nil and false are false), passing value 0 does not turn the boolean off; use true or false instead.

port

Allows assigning a network port to a certain SELinux context. As explained here, it can be useful for running Apache on a non-standard port.

Actions:

  • addormodify (default): Assigns the port to the right context, whether it's already listed under another context or not listed at all.
  • add: Assigns the port to the right context if it's not listed (only uses -a).
  • modify: Changes the port's context if it's already listed (only uses -m).
  • delete: Removes the port's context if it's listed (uses -d).

Properties:

  • port: The port in question, defaults to resource name.
  • protocol: tcp/udp.
  • secontext: The SELinux context to assign the port to. Unnecessary when using delete.

Example usage:

include_recipe 'selinux_policy::install'

# Allow nginx to bind to port 5678, by giving it the http_port_t context
selinux_policy_port '5678' do
    protocol 'tcp'
    secontext 'http_port_t'
end
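To make the add / modify / addormodify / delete distinction concrete, here is an added example (not code from the selinux_policy cookbook) that parses a constructed `semanage port -l` listing and reports which semanage flag each action would need for a given port, treating port ranges such as 63132-63164 as already defined. The helper names and the sample listing are mine, not the cookbook's.

```ruby
# Constructed sample mimicking the format of `semanage port -l`.
SAMPLE_OUTPUT = <<~OUT
  SELinux Port Type              Proto    Port Number

  http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
  mysqld_port_t                  tcp      1186, 3306, 63132-63164
  ntp_port_t                     udp      123
OUT

# Parse the listing into [{ context:, proto:, ranges: [Range, ...] }, ...].
# Header and blank lines do not match the pattern and are skipped.
def parse_port_list(output)
  output.each_line.each_with_object([]) do |line, entries|
    m = line.strip.match(/\A(\S+)\s+(tcp|udp)\s+(.+)\z/)
    next unless m
    ranges = m[3].split(',').map do |tok|
      lo, hi = tok.strip.split('-').map(&:to_i)
      (lo..(hi || lo)) # "3306" becomes 3306..3306, "63132-63164" a real range
    end
    entries << { context: m[1], proto: m[2], ranges: ranges }
  end
end

# Context a port is currently assigned to for this protocol, or nil.
def port_context(entries, port, proto)
  hit = entries.find do |e|
    e[:proto] == proto && e[:ranges].any? { |r| r.cover?(port) }
  end
  hit && hit[:context]
end

# The semanage flag each resource action would use, or nil when the current
# listing already satisfies the request (the idempotent no-op case).
def plan_port_action(action, entries, port, proto, secontext = nil)
  current = port_context(entries, port, proto)
  case action
  when :add
    current ? nil : '-a'
  when :modify
    (current && current != secontext) ? '-m' : nil
  when :addormodify
    if current == secontext then nil
    elsif current then '-m'
    else '-a'
    end
  when :delete
    current ? '-d' : nil
  else
    raise ArgumentError, "unknown action #{action.inspect}"
  end
end
```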

module

Manages SELinux policy modules (the units loaded with semodule).

Actions:

  • fetch: Prepares the module's files for compilation. Allows remote_directory-like behavior.
  • compile: Translates a module source directory into a NAME.pp file. Uses make logic for idempotence.
  • install: Adds a compiled module (pp) to the current policy. Only installs if the module was modified this run, force is enabled or it's missing from the current policy. Note: I wish I could compare the existing module to the one generated, but the extract capability was only added in Aug 15. I'll be happy to see a better idea.
  • deploy (default): Runs fetch, compile, install in that order.
  • remove: Removes a module.

Properties:

  • name: The module name. Defaults to resource name.
  • directory: Directory where module is stored. Defaults to a directory inside the Chef cache.
  • content: The module content, can be extracted from audit2allow -m NAME. This can be used to create simple modules without using external files.
  • directory_source: Copies files from the cookbook to the module directory (uses remote_directory). Allows keeping all of the module's source files in the cookbook. Note: You can pre-create the module directory and populate it in any other way you'd choose.
  • cookbook: Modifies the source cookbook for the remote_directory.
  • force: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.

Example usage:

include_recipe 'selinux_policy::install'

# Allow openvpn to write/delete in '/etc/openvpn'
selinux_policy_module 'openvpn-googleauthenticator' do
  content <<-eos
    module dy-openvpn-googleauthenticator 1.0;

    require {
        type openvpn_t;
        type openvpn_etc_t;
        class file { write unlink };
    }


    #============= openvpn_t ==============
    allow openvpn_t openvpn_etc_t:file { write unlink };
  eos
  action :deploy
end

fcontext

Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.

Actions:

  • addormodify (default): Assigns the file regexp to the right context, whether it's already listed under another context or not listed at all.
  • add: Assigns the file regexp to the right context if it's not listed (only uses -a).
  • modify: Changes the file regexp's context if it's already listed (only uses -m).
  • delete: Removes the file regexp's context if it's listed (uses -d).

Properties:

  • file_spec: The file regexp in question; defaults to resource name.
  • secontext: The SELinux context to assign the file regexp to. Not required for :delete.
  • file_type: Restricts the fcontext to a specific file type. See the table below for an overview, and https://en.wikipedia.org/wiki/Unix_file_types for more info.

    a  All files
    f  Regular files
    d  Directory
    c  Character device
    b  Block device
    s  Socket
    l  Symbolic link
    p  Named pipe

Example usage (see the mysql cookbook for example daemons):

include_recipe 'selinux_policy::install'

# Allow http servers (nginx/apache) to modify moodle files
selinux_policy_fcontext '/var/www/moodle(/.*)?' do
  secontext 'httpd_sys_rw_content_t'
end

# Allow a custom mysql daemon to access its files.
# service_name is assumed to be defined earlier in the recipe (e.g. 'main').
# The hash is keyed by file spec: two entries need 'mysqld_etc_t', and a Ruby
# hash literal with a duplicate key silently keeps only the last one.
{ "/etc/mysql-#{service_name}(/.*)?" => 'mysqld_etc_t',
  "/etc/mysql-#{service_name}/my\\.cnf" => 'mysqld_etc_t',
  "/var/log/mysql-#{service_name}(/.*)?" => 'mysqld_log_t',
  "/opt/mysql_data_#{service_name}(/.*)?" => 'mysqld_db_t',
  "/var/run/mysql-#{service_name}(/.*)?" => 'mysqld_var_run_t',
  "/etc/rc\\.d/init\\.d/mysql-#{service_name}" => 'mysqld_initrc_exec_t' }.each do |f, sc|
  selinux_policy_fcontext f do
    secontext sc
  end
end

# Adapt a symbolic link (the property is file_type, matching the table above)
selinux_policy_fcontext '/var/www/symlink_to_webroot' do
  secontext 'httpd_sys_rw_content_t'
  file_type 'l'
end
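Because a file spec is a regexp matched against the whole path, the relabel that follows a context change (restorecon via find/xargs, per the 2.0.1 and 2.3.3 changelog entries) has to select files by regexp rather than by a literal path. The added example below (not code from the selinux_policy cookbook) shows that matching over a constructed path list, plus the argv each action maps to, including the -f file-type flag from the table above; it assumes Ruby's regexp syntax is compatible with the specs used in this README.

```ruby
# Constructed path list standing in for the output of `find` on a real host.
SAMPLE_PATHS = %w[
  /var/www/moodle
  /var/www/moodle/index.php
  /var/www/moodle2/config.php
  /var/www/html/index.html
  /etc/mysql-main/my.cnf
  /etc/mysql-main/myXcnf
].freeze

# Valid file_type values (the table above); 'a' means no -f restriction.
FILE_TYPES = %w[a f d c b s l p].freeze

# libselinux anchors file_contexts regexps to the whole path, so
# '/var/www/moodle(/.*)?' must not match '/var/www/moodle2/...'.
def fcontext_regexp(spec)
  Regexp.new("\\A#{spec}\\z")
end

# Paths a restorecon pass must touch after the spec's context changes.
def relabel_targets(spec, paths)
  re = fcontext_regexp(spec)
  paths.select { |p| re.match?(p) }
end

# argv (no shell) for the semanage call behind add / modify / delete.
# secontext is only required when a context is being assigned.
def semanage_fcontext_args(action, spec, secontext = nil, file_type = 'a')
  unless FILE_TYPES.include?(file_type)
    raise ArgumentError, "bad file_type #{file_type.inspect}"
  end
  flag = { add: '-a', modify: '-m', delete: '-d' }.fetch(action) do
    raise ArgumentError, "unknown action #{action.inspect}"
  end
  args = ['semanage', 'fcontext', flag]
  args += ['-f', file_type] unless file_type == 'a'
  unless action == :delete
    raise ArgumentError, 'secontext is required' if secontext.nil?
    args += ['-t', secontext]
  end
  args << spec
end
```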

permissive

Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.

Actions:

  • add: Marks the type as permissive, unless it already is
  • delete: Removes the permissive marking if the type is listed

Example usage:

include_recipe 'selinux_policy::install'

# Disable enforcement on Nginx
# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/

selinux_policy_permissive 'nginx' do
  notifies :restart, 'service[nginx]'
end

Original Author

Nitzan Raz (backslasher)

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

al_agents
alfresco-db
cockpit
cookbook-openshift3
kloudspeaker
mariadb
msodbcsql
qas
realmd-sssd
redisio
squid

selinux_policy CHANGELOG

This file is used to list the changes made in each version of the selinux_policy cookbook.

2.4.3 (2020-08-07)

  • Ship the correct license file since this cookbook was relicensed - @tas50
  • Update testing configs - @tas50
  • Update the maintainer to be Chef Software - @tas50

2.4.2 (2020-08-07)

  • Make sure the setpersist action (not set) runs by default, to match the docs.

2.4.1 - 2020-05-14

  • resolved cookstyle error: resources/module.rb:26:35 convention: Layout/TrailingWhitespace
  • resolved cookstyle error: resources/module.rb:26:36 refactor: ChefModernize/FoodcriticComments

[2.4.0] - 2020-02-13

  • Fix port_defined helper function for Centos 8 compatibility
  • Test fixes

[2.3.6] - 2020-01-26

  • Fix issue on use_selinux function
  • Migrate to github actions
  • Resolved ChefStyle/ImmediateNotificationTiming: Use :immediately instead of :immediate for resource notification timing in notifies

[2.3.5] - 2019-02-15

  • Fix resource failure in permissive.rb caused by #96
  • Migrated testing to circleci

[2.3.4] - 2019-02-07

  • Fix shell_out to use an actual shell. Caused by #88

[2.3.3] - 2019-02-06

  • Perform relabel (restorecon) using xargs while still supporting regexes. Fixes #88

2.3.2 - 2018-11-29

  • Cache which helper method calls

2.3.1 - 2018-11-29

  • Use chef/mixin/which to locate selinux binaries. Fixes #85 & #93

2.3.0 - 2018-11-27

  • Further fixes for the earlier refactoring
  • Repair CI jobs

2.2.0 - 2018-11-21

  • Large refactoring to helpers and resources
  • Add RHEL-8 packages

2.1.0 - 2018-04-12

  • Port definition methods to check for already defined ports
  • Cleanup resource cloning
  • Deprecate support for Chef 12.x now it's EOL
  • Fix Foodcritic warnings & update test platforms

2.0.1 - 2017-04-21

  • Perform relabel (restorecon) using find to support regexes

2.0.0 - 2017-02-23

  • This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
  • Require Chef 12.1 or later
  • Use compat_resource instead of requiring yum
  • Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
  • Don't define attributes in the metadata as these aren't used
  • Remove the Vagrantfile
  • Add chef_version requirements to the metadata
  • Test with ChefDK / Rake in Travis instead of gems
  • Resolve Foodcritic, Cookstyle, and Chefspec warnings

1.1.1

  • [7307850] (Adam Ward) Silence fcontext guard output
  • [ad71437] (nitz) Restorecon is now done via shell_out
  • [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
  • [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists

1.1.0

  • [daften] Added file_type for fcontext

1.0.1

  • [backslasher] - Foodcritic and rubocop improvements

1.0.0

  • [equick] - Validating ports better
  • [backslasher] - FContext relabeling for files is now immediate. (Possibly breaking)
  • [backslasher] - testing made slightly more elegant

0.9.6

  • [jhmartin] - Updated README
  • [backslasher] - Major revision of testing

0.9.5

  • [backslasher] - Modified yum dependency

0.9.4

  • [mhorbul] - Fixed state detection in boolean resource

0.9.3

  • [backslasher] - Fixed testing & kitchen
  • [jbartko] - Added Fedora support

0.9.2

  • [backslasher] - Ignoring nonexisting files in restorecon

0.9.1

  • [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled

0.9.0

  • [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
  • [backslasher] - fcontext overhaul: code refactoring, testing, new action

Note: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)

0.8.1

  • [backslasher] - Added Travis CI harness
  • [backslasher] - Fixed typo in README

0.8.0

  • [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
  • [backslasher] - Port search is a function
  • [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)

0.7.2

  • [shortdudey123] - ChefSpec matchers, helps testing

0.7.1

  • [backslasher] - Forgot contributor

0.7.0

  • [chewi] - Fixed prereq packages
  • [backslasher] - Modified misleading comment
  • [chewi] - Move helpers into a cookbook-specific module
  • [chewi] - Prevent use_selinux from blowing up on systems without getenforce

0.6.5

  • [backslasher] - Ubuntu installation warning

0.6.4

  • [sauraus] - CentOS 7 support
  • [sauraus] - Typos

0.6.3

  • [backslasher] - Readme updates
  • [kevans] - Added kitchen testing

0.6.2

  • [kevans] - Support Chef 11.8.0 running shellout!()
  • [backslasher] - Simplified support info
  • [backslasher] - ASCIIed files

0.6.1

  • [backslasher] - Migrated to only_if instead of if
  • [backslasher] - README typos

0.6.0

  • [joerg] - Added fcontext resource for managing file contexts under SELinux

0.5.0

  • [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
  • Cookbook will break on RHEL7. If anyone experiences this, please check required packages and create an issue/PR
  • [backslasher] - Machines without SELinux are (optionally) supported. Thanks to @knightroc.

0.4.0

  • [backslasher] - Fixed foodcritic errors

0.3.0

  • [backslasher] - Fixed install.rb syntax. Now it actually works

0.2.0

  • [backslasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
  • [backslasher] - Added permissive resource

0.1.0

  • [backslasher] - Initial release of selinuxpolicy

Collaborator Number Metric

2.4.3 passed this metric

Contributing File Metric

2.4.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric

2.4.3 passed this metric

No Binaries Metric

2.4.3 passed this metric

Testing File Metric

2.4.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric

2.4.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number