cookbook 'selinux_policy', '= 0.6.5'
selinux_policy
(42) Versions
0.6.5
-
Follow26
Manages SELinux policy components
cookbook 'selinux_policy', '= 0.6.5', :supermarket
knife supermarket install selinux_policy
knife supermarket download selinux_policy
SELinux Policy Cookbook
This cookbbok can be used to manage SELinux policies and components (rather than just enable / disable enforcing).
I made it because I needed some SELinux settings done, and the execute
s started to look annoying.
Requirements
Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute allow_disabled
), which will generate warnings and do nothing (but won't break the run).
Also requires SELinux's management tools, namely semanage
, setsebool
and getsebool
.
Tools are installed by the selinux_policy::install
recipe (for RHEL/Debian and the like).
Attributes
These attributes affect the way all of the LWRPs are behaving.
-
node['selinux_policy']['allow_disabled']
- Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail.
Defaults totrue
, set tofalse
if you don't have any machines with disabled SELinux.
Usage
This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook.
Remember to add depends 'selinux_policy'
to your metadata.rb
.
boolean
Represents an SELinux boolean.
You can either set
it, meaning it will be changed without persistence (it will revert to default in the next reboot), or setpersist
it (default action), so it'll keep it value after rebooting.
Using setpersist
requires an active policy (so that the new value can be saved somewhere).
Attributes:
-
name
: boolean's name. Defaults to resource name. -
value
: Its new value (true
/false
). -
force
: Usesetsebool
even if the current value agrees with the requested one.
Example usage:
selinux_policy_boolean 'httpd_can_network_connect' do value true # Make sure nginx is started if this value was modified notifies :start,'service[nginx]', :immediate end
Note: Due to ruby interperting 0
as true
, using value 0
is unwise.
port
Allows assigning a network port to a certain SELinux context.
As explained here, it can be useful for running Apache on a non-standard port.
Actions:
-
addormodify
(default): Assigns the port to the right context, whether it's already listed another context or not at all. -
add
: Assigns the port to the right context it's if not listed (only uses-a
). -
modify
: Changes the port's context if it's already listed (only uses-m
). -
delete
: Removes the port's context if it's listed (uses-d
).
Attributes:
-
port
: The port in question, defaults to resource name. -
protocol
:tcp
/udp
. -
secontext
: The SELinux context to assign the port to. Uneeded when usingdelete
.
Example usage:
# Allow nginx to bind to port 5678, by giving it the http_port_t context selinux_policy_port '5678' do protocol 'tcp' secontext 'http_port_t' end
module
Manages SEModules
Actions:
-
deploy
(default): Compiles a module from it'ste
file and deploys it. Deploys only when one of the following is true:- The module isn't currently present
-
force
is enabled - The policy file has changed
-
remove
: Removes a module
Attributes:
-
name
: The module name. Defaults to resource name. -
content
: The module content, can be extracted fromaudit2allow -m NAME
-
force
: Whether to install the module even if it seems unnecessary. Defaults to false, can help when the module was modified "under the nose" of Chef (since we don't actually download the curernt module and decompile when comparing).
Example usage:
# Allow openvpn to write/delete in '/etc/openvpn' selinux_policy_module 'openvpn-googleauthenticator' do content ' module dy-openvpn-googleauthenticator 1.0; require { type openvpn_t; type openvpn_etc_t; class file { write unlink }; } #============= openvpn_t ============== allow openvpn_t openvpn_etc_t:file { write unlink }; ' action :deploy end
fcontext
Allows managing the SELinux context of files.
This can be used to grant SELinux-protected daemons access to additional / moved files.
Actions:
-
addormodify
(default): Assigns the file regexp to the right context, whether it's already listed another context or not at all. -
add
: Assigns the file regexp to the right context it's if not listed (only uses -a). -
modify
: Changes the file regexp context if it's already listed (only uses -m). -
delete
: Removes the file regexp context if it's listed (uses -d).
Attributes:
-
file_spec
: This is the file regexp in question, defaults to resource name. -
secontext
: The SELinux context to assign the file regexp to. Not needed when using delete.
Example usage (see mysql cookbook for example daemons ):
# Allow http servers (nginx/apache) to modify moodle files selinux_policy_fcontext '/var/www/moodle(/.*)?' do secontext 'httpd_sys_rw_content_t' end # Allow a custom mysql daemon to access its files. {'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?", 'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf", 'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?", 'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?", 'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?", 'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f| selinux_policy_fcontext f do secontext sc end end
permissive
Allows some types to misbehave without stopping them.
Not as good as specific policies, but better than disabling SELinux entirely.
Actions:
-
add
: Adds a permissive, unless it's already added -
delete
: Deletes a permissive if it's listed
Example usage:
# Disable enforcement on Nginx # As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/ selinux_policy_permissive 'nginx' do notifies :restart, 'service[nginx]' end
Testing
We currently use a very basic kitchen recipe for testing.
We also only test against CentOS (because Ubuntu comes with SELinux disabled and restarting mid-test is hard).
Chef 11 Support
I don't use Chef 11, but stuff seems to work OK to other people.
Contributing
The generic method seems fine to me:
- Fork the repository on Github
- Create a named feature branch (like
add_component_x
) - Write your change
- Write tests for your change (if applicable)
- Run the tests, ensuring they all pass
- Submit a Pull Request using Github
License and Authors
Licensed GPL v2
Author: Nitzan Raz (backslasher)
Contributors:
* Joerg Herzinger (http://www.bytesource.net)
* Wade Peacock (http://www.visioncritical.com)
* Kieren Evans (http://kle.me)
* Antek Baranski
I'll be happy to accept contributions or to hear from you!
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
selinuxpolicy CHANGELOG
This file is used to list changes made in each version of the selinuxpolicy cookbook.
0.6.5
- [backslasher] - Ubuntu installation warning
0.6.4
- [sauraus] - CentOS 7 support
- [sauraus] - Typos
0.6.3
- [backslasher] - Readme updates
- [kevans] - Added kitchen testing
0.6.2
- [kevans] - Support Chef 11.8.0 running shellout!()
- [backslasher] - Simplified support info
- [backslasher] - ASCIIed files
0.6.1
- [backslasher] - Migrated to
only_if
instead of if - [backslasher] - README typos
0.6.0
- [joerg] - Added fcontext resource for managing file contexts under SELinux
0.5.0
- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc. Cookbook will break on RHEL7. If anyone expiriences this, please check required packages and create an issue/PR
- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
0.4.0
- [backlasher] - Fixed foodcritic errors
0.3.0
- [backlasher] - Fixed
install.rb
syntax. Now it actually works
0.2.0
- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
- [backlasher] - Added permissive resource
0.1.0
- [backlasher] - Initial release of selinuxpolicy
Foodcritic Metric
0.6.5 passed this metric
0.6.5 passed this metric