Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Commas are not allowed before parentensis closure ')'
- Loading branch information
Showing
7 changed files
with
196 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| Description | ||
| =========== | ||
|
|
||
| Provides recipes for manipulating selinux policy enforcement | ||
|
|
||
| Requirements | ||
| ============ | ||
|
|
||
| RHEL family distribution or other Linux system that uses SELinux. | ||
|
|
||
| ## Platform: | ||
|
|
||
| Tested on RHEL 5.6, 6.0 and 6.1. | ||
|
|
||
| Usage | ||
| ===== | ||
|
|
||
| SELinux is enforcing by default on RHEL family distributions, however the use of SELinux has complicated considerations when using configuration management. Often, users are recommended to set SELinux to permissive mode, or disabled completely. To ensure that SELinux is permissive or disabled, choose the appropriate recipe (`selinux::permissive`, `selinux::disabled`) and apply it to the node early in the run list. For example in a `base` role used by all RHEL systems: | ||
|
|
||
| name "base" | ||
| description "Base role applied to all nodes." | ||
| run_list( | ||
| "recipe[selinux::permissive]", | ||
| ) | ||
|
|
||
| Changes | ||
| ======= | ||
|
|
||
| ## v0.5.0: | ||
|
|
||
| * COOK-678 - add the selinux cookbook to the repository | ||
| * Use main selinux config file (/etc/selinux/config) | ||
| * Use getenforce instead of selinuxenabled for enforcing and permissive | ||
|
|
||
| Roadmap | ||
| ======= | ||
|
|
||
| Use a node attribute to determine which recipe to load automatically from selinux::default. | ||
|
|
||
| Add LWRP/Libraries for manipulating security contexts for files and services managed by Chef. | ||
|
|
||
| License and Author | ||
| ================== | ||
|
|
||
| Author:: Sean OMeara (<someara@opscode.com>) | ||
| Author:: Joshua Timberman (<joshua@opscode.com>) | ||
|
|
||
| Copyright:: 2011, Opscode, Inc | ||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| maintainer "Opscode, Inc." | ||
| maintainer_email "someara@opscode.com" | ||
| license "Apache" | ||
| description "Installs/Configures selinux" | ||
| long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) | ||
| version "0.5.0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # | ||
| # Cookbook Name:: selinux | ||
| # Recipe:: default | ||
| # | ||
| # Copyright 2011, Opscode, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # | ||
| # Author:: Sean OMeara (<someara@opscode.com>) | ||
| # Cookbook Name:: selinux | ||
| # Recipe:: disabled | ||
| # | ||
| # Copyright 2011, Opscode, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| # | ||
|
|
||
| execute "disable selinux enforcement" do | ||
| only_if "selinuxenabled" | ||
| command "setenforce 0" | ||
| action :run | ||
| end | ||
|
|
||
| template "/etc/selinux/config" do | ||
| source "sysconfig/selinux.erb" | ||
| variables( | ||
| :selinux => "disabled", | ||
| :selinuxtype => "targeted" | ||
| ) | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # | ||
| # Author:: Sean OMeara (<someara@opscode.com>) | ||
| # Cookbook Name:: selinux | ||
| # Recipe:: enforcing | ||
| # | ||
| # Copyright 2011, Opscode, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| # | ||
|
|
||
| execute "enable selinux enforcement" do | ||
| not_if "getenforce | grep -qx 'Enforcing'" | ||
| command "setenforce 1" | ||
| action :run | ||
| end | ||
|
|
||
| template "/etc/selinux/config" do | ||
| source "sysconfig/selinux.erb" | ||
| variables( | ||
| :selinux => "enforcing", | ||
| :selinuxtype => "targeted" | ||
| ) | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| # | ||
| # Author:: Sean OMeara (<someara@opscode.com>) | ||
| # Cookbook Name:: selinux | ||
| # Recipe:: permissive | ||
| # | ||
| # Copyright 2011, Opscode, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| # | ||
|
|
||
| execute "enable selinux as permissive" do | ||
| not_if "getenforce | egrep -qx 'Permissive|Disabled'" | ||
| command "setenforce 0" | ||
| ignore_failure true | ||
| action :run | ||
| end | ||
|
|
||
| template "/etc/selinux/config" do | ||
| source "sysconfig/selinux.erb" | ||
| not_if "getenforce | grep -qx 'Disabled'" | ||
| variables( | ||
| :selinux => "permissive", | ||
| :selinuxtype => "targeted" | ||
| ) | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # This file controls the state of SELinux on the system. | ||
| # SELINUX= can take one of these three values: | ||
| # enforcing - SELinux security policy is enforced. | ||
| # permissive - SELinux prints warnings instead of enforcing. | ||
| # disabled - SELinux is fully disabled. | ||
| SELINUX=<%= @selinux %> | ||
| # SELINUXTYPE= type of policy in use. Possible values are: | ||
| # targeted - Only targeted network daemons are protected. | ||
| # strict - Full SELinux protection. | ||
| SELINUXTYPE=<%= @selinuxtype %> | ||
|
|