chef 17.10.0 → 18.0.169

data/lib/chef/resource/selinux_fcontext.rb

@@ -0,0 +1,160 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxFcontext < Chef::Resource
+      unified_mode true
+
+      provides :selinux_fcontext
+
+      description "Use **selinux_fcontext** resource to set the SELinux context of files with semanage fcontext."
+      introduced "18.0"
+      examples <<~DOC
+      **Allow http servers (e.g. nginx/apache) to modify moodle files**:
+
+      ```ruby
+      selinux_fcontext '/var/www/moodle(/.*)?' do
+        secontext 'httpd_sys_rw_content_t'
+      end
+      ```
+
+      **Adapt a symbolic link**:
+
+      ```ruby
+      selinux_fcontext '/var/www/symlink_to_webroot' do
+        secontext 'httpd_sys_rw_content_t'
+        file_type 'l'
+      end
+      ```
+      DOC
+
+      property :file_spec, String,
+                name_property: true,
+                description: "Path to or regex matching the files or directories to label."
+
+      property :secontext, String,
+                required: %i{add modify manage},
+                description: "SELinux context to assign."
+
+      property :file_type, String,
+                default: "a",
+                equal_to: %w{a f d c b s l p},
+                description: "The type of the file being labeled."
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+        def current_file_context
+          file_hash = {
+            "a" => "all files",
+            "f" => "regular file",
+            "d" => "directory",
+            "c" => "character device",
+            "b" => "block device",
+            "s" => "socket",
+            "l" => "symbolic link",
+            "p" => "named pipe",
+          }
+
+          contexts = shell_out!("semanage fcontext -l").stdout.split("\n")
+          # pull out file label from user:role:type:level context string
+          contexts.grep(/^#{Regexp.escape(new_resource.file_spec)}\s+#{file_hash[new_resource.file_type]}/) do |c|
+            c.match(/.+ (?<user>.+):(?<role>.+):(?<type>.+):(?<level>.+)$/)[:type]
+            # match returns ['foo'] or [], shift converts that to 'foo' or nil
+          end.shift
+        end
+
+        # Run restorecon to fix label
+        # https://github.com/sous-chefs/selinux_policy/pull/72#issuecomment-338718721
+        def relabel_files
+          spec = new_resource.file_spec
+          escaped = Regexp.escape spec
+
+          # find common path between regex and string
+          common = if spec == escaped
+                     spec
+                   else
+                     index = spec.size.times { |i| break i if spec[i] != escaped[i] }
+                     ::File.dirname spec[0...index]
+                   end
+
+          # if path is not absolute, ignore it and search everything
+          common = "/" if common[0] != "/"
+
+          if ::File.exist? common
+            shell_out!("find #{common.shellescape} -ignore_readdir_race -regextype posix-egrep -regex #{spec.shellescape} -prune -print0 | xargs -0 restorecon -iRv")
+          end
+        end
+      end
+
+      action :manage, description: "Assign the file to the right context regardless of previous state." do
+        run_action(:add)
+        run_action(:modify)
+      end
+
+      action :addormodify, description: "Assign the file context if not set. Update the file context if previously set." do
+        Chef::Log.warn("The :addormodify action for selinux_fcontext is deprecated and will be removed in a future release. Use the :manage action instead.")
+        run_action(:manage)
+      end
+
+      # Create if doesn't exist, do not touch if fcontext is already registered
+      action :add, description: "Assign the file context if not set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to add SELinux fcontext #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        unless current_file_context
+          converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
+            shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
+            relabel_files
+          end
+        end
+      end
+
+      # Only modify if fcontext exists & doesn't have the correct label already
+      action :modify, description: "Update the file context if previously set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to modify SELinux fcontext #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        if current_file_context && current_file_context != new_resource.secontext
+          converge_by "modifying label #{new_resource.secontext} to #{new_resource.file_spec}" do
+            shell_out!("semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
+            relabel_files
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Removes the file context if set. " do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to delete SELinux fcontext #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        if current_file_context
+          converge_by "deleting label for #{new_resource.file_spec}" do
+            shell_out!("semanage fcontext -d -f #{new_resource.file_type} '#{new_resource.file_spec}'")
+            relabel_files
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/selinux_install.rb

@@ -0,0 +1,107 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class SelinuxInstall < Chef::Resource
+      unified_mode true
+
+      provides :selinux_install
+
+      description "Use **selinux_install** resource to encapsulates the set of selinux packages to install in order to manage selinux. It also ensures the directory `/etc/selinux` is created."
+      introduced "18.0"
+      examples <<~DOC
+      **Default installation**:
+
+      ```ruby
+      selinux_install 'example'
+      ```
+
+      **Install with custom packages**:
+
+      ```ruby
+      selinux_install 'example' do
+        packages %w(policycoreutils selinux-policy selinux-policy-targeted)
+      end
+      ```
+
+      **Uninstall**
+      ```ruby
+      selinux_install 'example' do
+        action :remove
+      end
+      ```
+      DOC
+
+      property :packages, [String, Array],
+                default: lazy { default_install_packages },
+                description: "SELinux packages for system."
+
+      action_class do
+        def do_package_action(action)
+          # friendly message for unsupported platforms
+          raise "The platform #{node["platform"]} is not currently supported by the `selinux_install` resource. Please file an issue at https://github.com/chef/chef/issues with details on the platform this cookbook is running on." if new_resource.packages.nil?
+
+          package "selinux" do
+            package_name new_resource.packages
+            action action
+          end
+        end
+      end
+
+      action :install, description: "Install required packages." do
+        do_package_action(action)
+
+        directory "/etc/selinux" do
+          owner "root"
+          group "root"
+          mode "0755"
+          action :create
+        end
+      end
+
+      action :upgrade, description: "Upgrade required packages." do
+        do_package_action(a)
+      end
+
+      action :remove, description: "Remove any SELinux-related packages." do
+        do_package_action(a)
+      end
+
+      private
+
+      #
+      # Get an array of packages to be installed based upon node platform_family
+      #
+      # @return [Array] Array of string of package names
+      def default_install_packages
+        case node["platform_family"]
+        when "rhel", "fedora", "amazon"
+          %w{make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console}
+        when "debian"
+          if node["platform"] == "ubuntu"
+            if node["platform_version"].to_f == 18.04
+              %w{make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools}
+            else
+              %w{make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools}
+            end
+          else
+            %w{make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/selinux_module.rb

@@ -0,0 +1,143 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class SelinuxModule < Chef::Resource
+      unified_mode true
+
+      provides :selinux_module
+
+      description "Use **selinux_module** module resource to create an SELinux policy module from a cookbook file or content provided as a string."
+      introduced "18.0"
+      examples <<~DOC
+      **Creating SElinux module from .te file located at `files` directory of your cookbook.**:
+
+      ```ruby
+      selinux_module 'my_policy_module' do
+        source 'my_policy_module.te'
+        action :create
+      end
+      ```
+      DOC
+
+      property :module_name, String,
+                name_property: true,
+                description: "Override the module name."
+
+      property :source, String,
+                description: "Module source file name."
+
+      property :content, String,
+                description: "Module source as String."
+
+      property :cookbook, String,
+                description: "Cookbook to source from module source file from(if it is not located in the current cookbook). The default value is the current cookbook.",
+                desired_state: false
+
+      property :base_dir, String,
+                default: "/etc/selinux/local",
+                description: "Directory to create module source file in."
+
+      action_class do
+        def selinux_module_filepath(type)
+          path = ::File.join(new_resource.base_dir, "#{new_resource.module_name}")
+          path.concat(".#{type}") if type
+        end
+
+        def list_installed_modules
+          shell_out!("semodule --list-modules").stdout.split("\n").map { |x| x.split(/\s/).first }
+        end
+      end
+
+      action :create, description: "Compile a module and install it." do
+        directory new_resource.base_dir
+
+        if property_is_set?(:content)
+          file selinux_module_filepath("te") do
+            content new_resource.content
+
+            mode "0600"
+            owner "root"
+            group "root"
+
+            action :create
+
+            notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
+          end
+        else
+          cookbook_file selinux_module_filepath("te") do
+            cookbook new_resource.cookbook
+            source new_resource.source
+
+            mode "0600"
+            owner "root"
+            group "root"
+
+            action :create
+
+            notifies :run, "execute[Compiling SELinux modules at '#{new_resource.base_dir}']", :immediately
+          end
+        end
+
+        execute "Compiling SELinux modules at '#{new_resource.base_dir}'" do
+          cwd new_resource.base_dir
+          command "make -C #{new_resource.base_dir} -f /usr/share/selinux/devel/Makefile"
+          timeout 120
+          user "root"
+
+          action :nothing
+
+          notifies :run, "execute[Install SELinux module '#{selinux_module_filepath("pp")}']", :immediately
+        end
+
+        raise "Compilation must have failed, no 'pp' file found at: '#{selinux_module_filepath("pp")}'" unless ::File.exist?(selinux_module_filepath("pp"))
+
+        execute "Install SELinux module '#{selinux_module_filepath("pp")}'" do
+          command "semodule --install '#{selinux_module_filepath("pp")}'"
+          action :nothing
+        end
+      end
+
+      action :delete, description: "Remove module source files from `/etc/selinux/local`." do
+        %w{fc if pp te}.each do |type|
+          next unless ::File.exist?(selinux_module_filepath(type))
+
+          file selinux_module_filepath(type) do
+            action :delete
+          end
+        end
+      end
+
+      action :install, description: "Install a compiled module into the system." do
+        raise "Module must be compiled before it can be installed, no 'pp' file found at: '#{selinux_module_filepath("pp")}'" unless ::File.exist?(selinux_module_filepath("pp"))
+
+        unless list_installed_modules.include? new_resource.module_name
+          converge_by "Install SELinux module #{selinux_module_filepath("pp")}" do
+            shell_out!("semodule", "--install", selinux_module_filepath("pp"))
+          end
+        end
+      end
+
+      action :remove, description: "Remove a module from the system." do
+        if list_installed_modules.include? new_resource.module_name
+          converge_by "Remove SELinux module #{new_resource.module_name}" do
+            shell_out!("semodule", "--remove", new_resource.module_name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/selinux_permissive.rb

@@ -0,0 +1,64 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+
+class Chef
+  class Resource
+    class SelinuxPermissive < Chef::Resource
+      unified_mode true
+
+      provides :selinux_permissive
+
+      description "Use **selinux_permissive** resource to allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely."
+      introduced "18.0"
+      examples <<~DOC
+      **Disable enforcement on Apache**:
+
+      ```ruby
+      selinux_permissive 'httpd_t' do
+        notifies :restart, 'service[httpd]'
+      end
+      ```
+      DOC
+
+      property :context, String,
+                name_property: true,
+                description: "The SELinux context to permit."
+
+      action_class do
+        def current_permissives
+          shell_out!("semanage permissive -ln").stdout.split("\n")
+        end
+      end
+
+      # Create if doesn't exist, do not touch if permissive is already registered (even under different type)
+      action :add, description: "Add a permissive, unless already set." do
+        unless current_permissives.include? new_resource.context
+          converge_by "adding permissive context #{new_resource.context}" do
+            shell_out!("semanage permissive -a '#{new_resource.context}'")
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Remove a permissive, if set." do
+        if current_permissives.include? new_resource.context
+          converge_by "deleting permissive context #{new_resource.context}" do
+            shell_out!("semanage permissive -d '#{new_resource.context}'")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef/resource/selinux_port.rb

@@ -0,0 +1,118 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+  class Resource
+    class SelinuxPort < Chef::Resource
+      unified_mode true
+
+      provides :selinux_port
+
+      description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
+      introduced "18.0"
+      examples <<~DOC
+      **Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:
+
+      ```ruby
+      selinux_port '5678' do
+       protocol 'tcp'
+       secontext 'http_port_t'
+      end
+      ```
+      DOC
+
+      property :port, [Integer, String],
+                name_property: true,
+                regex: /^\d+$/,
+                description: "Port to modify."
+
+      property :protocol, String,
+                equal_to: %w{tcp udp},
+                required: %i{manage add modify},
+                description: "Protocol to modify."
+
+      property :secontext, String,
+                required: %i{manage add modify},
+                description: "SELinux context to assign to the port."
+
+      action_class do
+        include Chef::SELinux::CommonHelpers
+        def current_port_context
+          # use awk to see if the given port is within a reported port range
+          shell_out!(
+            <<~CMD
+              seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
+              awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
+            CMD
+          ).stdout.split
+        end
+      end
+
+      action :manage, description: "Assign the port to the right context regardless of previous state." do
+        run_action(:add)
+        run_action(:modify)
+      end
+
+      action :addormodify, description: "Assigns the port context if not set. Updates the port context if previously set." do
+        Chef::Log.warn("The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.")
+        run_action(:manage)
+      end
+
+      # Create if doesn't exist, do not touch if port is already registered (even under different type)
+      action :add, description: "Assign the port context if not set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        if current_port_context.empty?
+          converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
+            shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
+          end
+        end
+      end
+
+      # Only modify port if it exists & doesn't have the correct context already
+      action :modify, description: "Update the port context if previously set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
+          converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
+            shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
+          end
+        end
+      end
+
+      # Delete if exists
+      action :delete, description: "Removes the port context if set." do
+        if selinux_disabled?
+          Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
+          return
+        end
+
+        unless current_port_context.empty?
+          converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
+            shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
+          end
+        end
+      end
+
+    end
+  end
+end