chef 17.10.95 → 18.0.169
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +16 -8
- data/README.md +7 -7
- data/Rakefile +3 -22
- data/{chef-universal-mingw32.gemspec → chef-universal-mingw-ucrt.gemspec} +8 -7
- data/chef.gemspec +14 -7
- data/lib/chef/api_client_v1.rb +9 -1
- data/lib/chef/application/exit_code.rb +3 -3
- data/lib/chef/client.rb +169 -17
- data/lib/chef/compliance/input.rb +1 -1
- data/lib/chef/compliance/profile.rb +1 -1
- data/lib/chef/compliance/profile_collection.rb +0 -1
- data/lib/chef/compliance/waiver.rb +1 -1
- data/lib/chef/cookbook/syntax_check.rb +2 -2
- data/lib/chef/dsl/reader_helpers.rb +1 -1
- data/lib/chef/dsl/rest_resource.rb +77 -0
- data/lib/chef/event_dispatch/base.rb +3 -0
- data/lib/chef/exceptions.rb +8 -0
- data/lib/chef/http/authenticator.rb +170 -3
- data/lib/chef/http/ssl_policies.rb +3 -3
- data/lib/chef/mixin/checksum.rb +0 -6
- data/lib/chef/mixin/powershell_exec.rb +5 -28
- data/lib/chef/node/mixin/immutablize_array.rb +1 -0
- data/lib/chef/property.rb +5 -3
- data/lib/chef/provider/file.rb +2 -2
- data/lib/chef/provider/group/windows.rb +1 -1
- data/lib/chef/provider/http_request.rb +11 -9
- data/lib/chef/provider/mount/linux.rb +5 -0
- data/lib/chef/provider/mount/mount.rb +8 -0
- data/lib/chef/provider/mount/windows.rb +1 -1
- data/lib/chef/provider/package/chocolatey.rb +1 -18
- data/lib/chef/provider/package/rubygems.rb +1 -1
- data/lib/chef/provider/package/windows/msi.rb +2 -2
- data/lib/chef/provider/package/windows/registry_uninstall_entry.rb +1 -1
- data/lib/chef/provider/package/windows.rb +1 -1
- data/lib/chef/provider/package/zypper/version.rb +60 -0
- data/lib/chef/provider/package/zypper.rb +47 -3
- data/lib/chef/provider/service/windows.rb +1 -1
- data/lib/chef/provider/user/aix.rb +5 -0
- data/lib/chef/provider/user/linux.rb +29 -0
- data/lib/chef/provider/user/mac.rb +1 -1
- data/lib/chef/provider/user.rb +46 -14
- data/lib/chef/provider.rb +1 -1
- data/lib/chef/recipe.rb +1 -1
- data/lib/chef/resource/_rest_resource.rb +389 -0
- data/lib/chef/resource/alternatives.rb +0 -1
- data/lib/chef/resource/apt_package.rb +0 -1
- data/lib/chef/resource/apt_preference.rb +0 -1
- data/lib/chef/resource/apt_repository.rb +0 -1
- data/lib/chef/resource/apt_update.rb +0 -1
- data/lib/chef/resource/archive_file.rb +0 -1
- data/lib/chef/resource/bash.rb +0 -1
- data/lib/chef/resource/batch.rb +0 -1
- data/lib/chef/resource/bff_package.rb +0 -1
- data/lib/chef/resource/breakpoint.rb +0 -1
- data/lib/chef/resource/build_essential.rb +0 -1
- data/lib/chef/resource/cab_package.rb +0 -1
- data/lib/chef/resource/chef_client_config.rb +12 -14
- data/lib/chef/resource/chef_client_cron.rb +1 -2
- data/lib/chef/resource/chef_client_launchd.rb +2 -2
- data/lib/chef/resource/chef_client_scheduled_task.rb +3 -3
- data/lib/chef/resource/chef_client_systemd_timer.rb +0 -1
- data/lib/chef/resource/chef_client_trusted_certificate.rb +0 -1
- data/lib/chef/resource/chef_gem.rb +0 -1
- data/lib/chef/resource/chef_handler.rb +0 -1
- data/lib/chef/resource/chef_sleep.rb +1 -3
- data/lib/chef/resource/chef_vault_secret.rb +0 -1
- data/lib/chef/resource/chocolatey_config.rb +0 -1
- data/lib/chef/resource/chocolatey_feature.rb +0 -1
- data/lib/chef/resource/chocolatey_package.rb +0 -1
- data/lib/chef/resource/chocolatey_source.rb +0 -1
- data/lib/chef/resource/cookbook_file.rb +0 -1
- data/lib/chef/resource/cron/_cron_shared.rb +0 -1
- data/lib/chef/resource/cron/cron.rb +0 -1
- data/lib/chef/resource/cron/cron_d.rb +15 -1
- data/lib/chef/resource/cron_access.rb +0 -1
- data/lib/chef/resource/csh.rb +0 -1
- data/lib/chef/resource/directory.rb +0 -1
- data/lib/chef/resource/dmg_package.rb +0 -1
- data/lib/chef/resource/dnf_package.rb +0 -1
- data/lib/chef/resource/dpkg_package.rb +0 -1
- data/lib/chef/resource/dsc_resource.rb +0 -1
- data/lib/chef/resource/dsc_script.rb +0 -1
- data/lib/chef/resource/execute.rb +0 -1
- data/lib/chef/resource/file.rb +0 -1
- data/lib/chef/resource/freebsd_package.rb +0 -1
- data/lib/chef/resource/gem_package.rb +0 -1
- data/lib/chef/resource/group.rb +25 -2
- data/lib/chef/resource/habitat/habitat_package.rb +0 -1
- data/lib/chef/resource/habitat/habitat_sup.rb +6 -7
- data/lib/chef/resource/habitat/habitat_sup_windows.rb +1 -1
- data/lib/chef/resource/habitat_config.rb +0 -1
- data/lib/chef/resource/habitat_install.rb +0 -1
- data/lib/chef/resource/habitat_service.rb +0 -1
- data/lib/chef/resource/habitat_user_toml.rb +0 -1
- data/lib/chef/resource/homebrew_cask.rb +0 -1
- data/lib/chef/resource/homebrew_package.rb +0 -1
- data/lib/chef/resource/homebrew_tap.rb +0 -1
- data/lib/chef/resource/homebrew_update.rb +0 -2
- data/lib/chef/resource/hostname.rb +0 -1
- data/lib/chef/resource/http_request.rb +0 -1
- data/lib/chef/resource/ifconfig.rb +0 -1
- data/lib/chef/resource/inspec_input.rb +0 -1
- data/lib/chef/resource/inspec_waiver.rb +0 -1
- data/lib/chef/resource/inspec_waiver_file_entry.rb +2 -3
- data/lib/chef/resource/ips_package.rb +0 -1
- data/lib/chef/resource/kernel_module.rb +0 -1
- data/lib/chef/resource/ksh.rb +0 -1
- data/lib/chef/resource/launchd.rb +0 -1
- data/lib/chef/resource/link.rb +0 -1
- data/lib/chef/resource/locale.rb +2 -6
- data/lib/chef/resource/log.rb +0 -1
- data/lib/chef/resource/lwrp_base.rb +0 -4
- data/lib/chef/resource/macos_userdefaults.rb +5 -10
- data/lib/chef/resource/macosx_service.rb +0 -1
- data/lib/chef/resource/macports_package.rb +0 -1
- data/lib/chef/resource/mdadm.rb +0 -1
- data/lib/chef/resource/mount.rb +0 -1
- data/lib/chef/resource/msu_package.rb +0 -1
- data/lib/chef/resource/notify_group.rb +0 -2
- data/lib/chef/resource/ohai.rb +0 -1
- data/lib/chef/resource/ohai_hint.rb +0 -1
- data/lib/chef/resource/openbsd_package.rb +0 -1
- data/lib/chef/resource/openssl_dhparam.rb +0 -2
- data/lib/chef/resource/openssl_ec_private_key.rb +0 -2
- data/lib/chef/resource/openssl_ec_public_key.rb +0 -2
- data/lib/chef/resource/openssl_rsa_private_key.rb +0 -2
- data/lib/chef/resource/openssl_rsa_public_key.rb +0 -2
- data/lib/chef/resource/openssl_x509_certificate.rb +0 -2
- data/lib/chef/resource/openssl_x509_crl.rb +0 -2
- data/lib/chef/resource/openssl_x509_request.rb +0 -2
- data/lib/chef/resource/osx_profile.rb +0 -1
- data/lib/chef/resource/package.rb +0 -1
- data/lib/chef/resource/pacman_package.rb +0 -1
- data/lib/chef/resource/paludis_package.rb +0 -1
- data/lib/chef/resource/perl.rb +0 -1
- data/lib/chef/resource/plist.rb +7 -3
- data/lib/chef/resource/portage_package.rb +0 -1
- data/lib/chef/resource/powershell_package.rb +0 -1
- data/lib/chef/resource/powershell_package_source.rb +0 -1
- data/lib/chef/resource/powershell_script.rb +0 -1
- data/lib/chef/resource/python.rb +0 -1
- data/lib/chef/resource/reboot.rb +0 -1
- data/lib/chef/resource/registry_key.rb +0 -1
- data/lib/chef/resource/remote_directory.rb +0 -1
- data/lib/chef/resource/remote_file.rb +0 -1
- data/lib/chef/resource/rhsm_errata.rb +0 -1
- data/lib/chef/resource/rhsm_errata_level.rb +0 -1
- data/lib/chef/resource/rhsm_register.rb +0 -3
- data/lib/chef/resource/rhsm_repo.rb +0 -1
- data/lib/chef/resource/rhsm_subscription.rb +0 -1
- data/lib/chef/resource/route.rb +0 -1
- data/lib/chef/resource/rpm_package.rb +0 -1
- data/lib/chef/resource/ruby.rb +0 -1
- data/lib/chef/resource/ruby_block.rb +0 -1
- data/lib/chef/resource/scm/_scm.rb +0 -2
- data/lib/chef/resource/scm/git.rb +0 -2
- data/lib/chef/resource/scm/subversion.rb +0 -2
- data/lib/chef/resource/script.rb +0 -1
- data/lib/chef/resource/selinux/common_helpers.rb +47 -0
- data/lib/chef/resource/selinux/selinux_debian.erb +18 -0
- data/lib/chef/resource/selinux/selinux_default.erb +15 -0
- data/lib/chef/resource/selinux_boolean.rb +101 -0
- data/lib/chef/resource/selinux_fcontext.rb +160 -0
- data/lib/chef/resource/selinux_install.rb +107 -0
- data/lib/chef/resource/selinux_module.rb +143 -0
- data/lib/chef/resource/selinux_permissive.rb +64 -0
- data/lib/chef/resource/selinux_port.rb +118 -0
- data/lib/chef/resource/selinux_state.rb +166 -0
- data/lib/chef/resource/service.rb +0 -1
- data/lib/chef/resource/smartos_package.rb +0 -1
- data/lib/chef/resource/snap_package.rb +0 -1
- data/lib/chef/resource/solaris_package.rb +0 -1
- data/lib/chef/resource/ssh_known_hosts_entry.rb +0 -1
- data/lib/chef/resource/sudo.rb +0 -1
- data/lib/chef/resource/support/client.erb +2 -2
- data/lib/chef/resource/swap_file.rb +0 -1
- data/lib/chef/resource/sysctl.rb +1 -2
- data/lib/chef/resource/systemd_unit.rb +0 -1
- data/lib/chef/resource/template.rb +0 -1
- data/lib/chef/resource/timezone.rb +0 -1
- data/lib/chef/resource/user/aix_user.rb +0 -1
- data/lib/chef/resource/user/linux_user.rb +0 -1
- data/lib/chef/resource/user/mac_user.rb +0 -1
- data/lib/chef/resource/user/pw_user.rb +0 -1
- data/lib/chef/resource/user/solaris_user.rb +0 -1
- data/lib/chef/resource/user/windows_user.rb +0 -1
- data/lib/chef/resource/user.rb +10 -1
- data/lib/chef/resource/user_ulimit.rb +0 -1
- data/lib/chef/resource/whyrun_safe_ruby_block.rb +0 -1
- data/lib/chef/resource/windows_ad_join.rb +0 -2
- data/lib/chef/resource/windows_audit_policy.rb +0 -2
- data/lib/chef/resource/windows_auto_run.rb +0 -1
- data/lib/chef/resource/windows_defender.rb +0 -1
- data/lib/chef/resource/windows_defender_exclusion.rb +0 -1
- data/lib/chef/resource/windows_dfs_folder.rb +0 -1
- data/lib/chef/resource/windows_dfs_namespace.rb +0 -1
- data/lib/chef/resource/windows_dfs_server.rb +0 -1
- data/lib/chef/resource/windows_dns_record.rb +0 -1
- data/lib/chef/resource/windows_dns_zone.rb +0 -1
- data/lib/chef/resource/windows_env.rb +0 -1
- data/lib/chef/resource/windows_feature.rb +0 -1
- data/lib/chef/resource/windows_feature_dism.rb +0 -1
- data/lib/chef/resource/windows_feature_powershell.rb +0 -1
- data/lib/chef/resource/windows_firewall_profile.rb +0 -2
- data/lib/chef/resource/windows_firewall_rule.rb +0 -1
- data/lib/chef/resource/windows_font.rb +2 -3
- data/lib/chef/resource/windows_package.rb +0 -1
- data/lib/chef/resource/windows_pagefile.rb +0 -2
- data/lib/chef/resource/windows_path.rb +0 -1
- data/lib/chef/resource/windows_printer.rb +0 -1
- data/lib/chef/resource/windows_printer_port.rb +0 -1
- data/lib/chef/resource/windows_script.rb +0 -2
- data/lib/chef/resource/windows_security_policy.rb +0 -1
- data/lib/chef/resource/windows_service.rb +0 -1
- data/lib/chef/resource/windows_share.rb +0 -1
- data/lib/chef/resource/windows_shortcut.rb +1 -2
- data/lib/chef/resource/windows_task.rb +0 -1
- data/lib/chef/resource/windows_uac.rb +0 -1
- data/lib/chef/resource/windows_update_settings.rb +0 -1
- data/lib/chef/resource/windows_user_privilege.rb +0 -1
- data/lib/chef/resource/windows_workgroup.rb +0 -1
- data/lib/chef/resource/yum_package.rb +0 -1
- data/lib/chef/resource/yum_repository.rb +0 -1
- data/lib/chef/resource/zypper_package.rb +0 -1
- data/lib/chef/resource/zypper_repository.rb +0 -1
- data/lib/chef/resource.rb +12 -5
- data/lib/chef/resources.rb +7 -0
- data/lib/chef/run_context.rb +3 -3
- data/lib/chef/secret_fetcher/azure_key_vault.rb +3 -3
- data/lib/chef/version.rb +1 -1
- data/lib/chef/win32/handle.rb +6 -7
- data/lib/chef/win32/registry.rb +7 -3
- data/spec/data/rubygems.org/sexp_processor-info +2 -1
- data/spec/data/trusted_certs/example.crt +20 -29
- data/spec/data/trusted_certs/example_no_cn.crt +34 -30
- data/spec/data/trusted_certs/opscode.pem +54 -33
- data/spec/functional/resource/chocolatey_package_spec.rb +20 -32
- data/spec/functional/resource/dsc_script_spec.rb +1 -1
- data/spec/functional/resource/group_spec.rb +10 -6
- data/spec/functional/resource/link_spec.rb +8 -8
- data/spec/functional/resource/macos_userdefaults_spec.rb +4 -4
- data/spec/functional/resource/plist_spec.rb +25 -0
- data/spec/functional/resource/user/linux_user_spec.rb +127 -0
- data/spec/functional/resource/windows_certificate_spec.rb +1 -26
- data/spec/functional/resource/windows_font_spec.rb +12 -9
- data/spec/functional/resource/yum_package_spec.rb +1 -1
- data/spec/functional/resource/zypper_package_spec.rb +12 -0
- data/spec/functional/shell_spec.rb +1 -2
- data/spec/functional/version_spec.rb +1 -1
- data/spec/integration/client/client_spec.rb +82 -3
- data/spec/integration/client/exit_code_spec.rb +1 -1
- data/spec/integration/client/ipv6_spec.rb +1 -1
- data/spec/integration/compliance/compliance_spec.rb +1 -1
- data/spec/integration/recipes/accumulator_spec.rb +1 -1
- data/spec/integration/recipes/lwrp_inline_resources_spec.rb +1 -1
- data/spec/integration/recipes/lwrp_spec.rb +1 -1
- data/spec/integration/recipes/notifies_spec.rb +1 -1
- data/spec/integration/recipes/notifying_block_spec.rb +1 -1
- data/spec/integration/recipes/remote_directory.rb +1 -1
- data/spec/integration/recipes/unified_mode_spec.rb +1 -1
- data/spec/integration/recipes/use_partial_spec.rb +2 -1
- data/spec/integration/solo/solo_spec.rb +2 -2
- data/spec/spec_helper.rb +1 -0
- data/spec/support/platform_helpers.rb +4 -0
- data/spec/support/ruby_installer.rb +1 -1
- data/spec/support/shared/functional/windows_script.rb +2 -2
- data/spec/unit/application/client_spec.rb +0 -10
- data/spec/unit/client_spec.rb +57 -8
- data/spec/unit/compliance/reporter/chef_server_automate_spec.rb +1 -1
- data/spec/unit/cookbook/syntax_check_spec.rb +3 -0
- data/spec/unit/http/authenticator_spec.rb +68 -0
- data/spec/unit/mixin/checksum_spec.rb +0 -28
- data/spec/unit/mixin/powershell_exec_spec.rb +5 -5
- data/spec/unit/platform/query_helpers_spec.rb +2 -17
- data/spec/unit/provider/http_request_spec.rb +60 -72
- data/spec/unit/provider/mount/linux_spec.rb +10 -0
- data/spec/unit/provider/package/chocolatey_spec.rb +3 -19
- data/spec/unit/provider/package/rubygems_spec.rb +1 -1
- data/spec/unit/provider/package/zypper_spec.rb +32 -0
- data/spec/unit/provider/user/linux_spec.rb +51 -11
- data/spec/unit/provider/user_spec.rb +24 -6
- data/spec/unit/resource/archive_file_spec.rb +1 -1
- data/spec/unit/resource/chef_client_cron_spec.rb +5 -0
- data/spec/unit/resource/chef_client_launchd_spec.rb +5 -0
- data/spec/unit/resource/chef_client_scheduled_task_spec.rb +5 -0
- data/spec/unit/resource/chef_client_systemd_timer_spec.rb +1 -1
- data/spec/unit/resource/cron_d_spec.rb +37 -1
- data/spec/unit/resource/macos_user_defaults_spec.rb +4 -4
- data/spec/unit/resource/rest_resource_spec.rb +381 -0
- data/spec/unit/resource/selinux_boolean_spec.rb +92 -0
- data/spec/unit/resource/selinux_fcontext_spec.rb +65 -0
- data/spec/unit/resource/selinux_install_spec.rb +60 -0
- data/spec/unit/resource/selinux_module_spec.rb +55 -0
- data/spec/unit/resource/selinux_permissive_spec.rb +39 -0
- data/spec/unit/resource/selinux_port_spec.rb +42 -0
- data/spec/unit/resource/selinux_state_spec.rb +46 -0
- data/spec/unit/resource/sysctl_spec.rb +2 -2
- data/spec/unit/resource/user/linux_user_spec.rb +42 -0
- data/spec/unit/resource_spec.rb +0 -1
- data/spec/unit/util/dsc/local_configuration_manager_spec.rb +1 -1
- data/tasks/rspec.rb +1 -1
- metadata +102 -30
- /data/spec/functional/assets/chocolatey_feed/{test-A.1.0.0.nupkg → test-A.1.0.nupkg} +0 -0
- /data/spec/functional/assets/chocolatey_feed/{test-A.1.5.0.nupkg → test-A.1.5.nupkg} +0 -0
- /data/spec/functional/assets/chocolatey_feed/{test-A.2.0.0.nupkg → test-A.2.0.nupkg} +0 -0
- /data/spec/functional/assets/chocolatey_feed/{test-B.1.0.0.nupkg → test-B.1.0.nupkg} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{01a3b-filelists.sqlite.bz2 → 4632d67cb92636e7575d911c24f0e04d3505a944e97c483abe0c3e73a7c62d33-filelists.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{6bf96-other.xml.gz → 74599b793e54d877323837d2d81a1c3c594c44e4335f9528234bb490f7b9b439-other.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{5dc1e-primary.sqlite.bz2 → a845d418f919d2115ab95a56b2c76f6825ad0d0bede49181a55c04f58995d057-primary.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{7c365-other.sqlite.bz2 → af9b7cf9ef23bd7b43068d74a460f3b5d06753d638e58e4a0c9edc35bfb9cdc4-other.sqlite.bz2} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{401dc-filelists.xml.gz → bdb4f5f1492a3b9532f22c43110a81500dd744f23da0aec5c33b2a41317c737d-filelists.xml.gz} +0 -0
- /data/spec/functional/assets/yumrepo/repodata/{dabe2-primary.xml.gz → c10d1d34ce99e02f12ec96ef68360543ab1bb7c3cb81a4a2bf78df7d8597e9df-primary.xml.gz} +0 -0
@@ -0,0 +1,64 @@
|
|
1
|
+
#
|
2
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
3
|
+
# you may not use this file except in compliance with the License.
|
4
|
+
# You may obtain a copy of the License at
|
5
|
+
#
|
6
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
7
|
+
#
|
8
|
+
# Unless required by applicable law or agreed to in writing, software
|
9
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
10
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
11
|
+
# See the License for the specific language governing permissions and
|
12
|
+
# limitations under the License.
|
13
|
+
|
14
|
+
require_relative "../resource"
|
15
|
+
|
16
|
+
class Chef
|
17
|
+
class Resource
|
18
|
+
class SelinuxPermissive < Chef::Resource
|
19
|
+
unified_mode true
|
20
|
+
|
21
|
+
provides :selinux_permissive
|
22
|
+
|
23
|
+
description "Use **selinux_permissive** resource to allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely."
|
24
|
+
introduced "18.0"
|
25
|
+
examples <<~DOC
|
26
|
+
**Disable enforcement on Apache**:
|
27
|
+
|
28
|
+
```ruby
|
29
|
+
selinux_permissive 'httpd_t' do
|
30
|
+
notifies :restart, 'service[httpd]'
|
31
|
+
end
|
32
|
+
```
|
33
|
+
DOC
|
34
|
+
|
35
|
+
property :context, String,
|
36
|
+
name_property: true,
|
37
|
+
description: "The SELinux context to permit."
|
38
|
+
|
39
|
+
action_class do
|
40
|
+
def current_permissives
|
41
|
+
shell_out!("semanage permissive -ln").stdout.split("\n")
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
# Create if doesn't exist, do not touch if permissive is already registered (even under different type)
|
46
|
+
action :add, description: "Add a permissive, unless already set." do
|
47
|
+
unless current_permissives.include? new_resource.context
|
48
|
+
converge_by "adding permissive context #{new_resource.context}" do
|
49
|
+
shell_out!("semanage permissive -a '#{new_resource.context}'")
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
# Delete if exists
|
55
|
+
action :delete, description: "Remove a permissive, if set." do
|
56
|
+
if current_permissives.include? new_resource.context
|
57
|
+
converge_by "deleting permissive context #{new_resource.context}" do
|
58
|
+
shell_out!("semanage permissive -d '#{new_resource.context}'")
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
@@ -0,0 +1,118 @@
|
|
1
|
+
#
|
2
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
3
|
+
# you may not use this file except in compliance with the License.
|
4
|
+
# You may obtain a copy of the License at
|
5
|
+
#
|
6
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
7
|
+
#
|
8
|
+
# Unless required by applicable law or agreed to in writing, software
|
9
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
10
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
11
|
+
# See the License for the specific language governing permissions and
|
12
|
+
# limitations under the License.
|
13
|
+
|
14
|
+
require_relative "../resource"
|
15
|
+
require_relative "selinux/common_helpers"
|
16
|
+
|
17
|
+
class Chef
|
18
|
+
class Resource
|
19
|
+
class SelinuxPort < Chef::Resource
|
20
|
+
unified_mode true
|
21
|
+
|
22
|
+
provides :selinux_port
|
23
|
+
|
24
|
+
description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
|
25
|
+
introduced "18.0"
|
26
|
+
examples <<~DOC
|
27
|
+
**Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:
|
28
|
+
|
29
|
+
```ruby
|
30
|
+
selinux_port '5678' do
|
31
|
+
protocol 'tcp'
|
32
|
+
secontext 'http_port_t'
|
33
|
+
end
|
34
|
+
```
|
35
|
+
DOC
|
36
|
+
|
37
|
+
property :port, [Integer, String],
|
38
|
+
name_property: true,
|
39
|
+
regex: /^\d+$/,
|
40
|
+
description: "Port to modify."
|
41
|
+
|
42
|
+
property :protocol, String,
|
43
|
+
equal_to: %w{tcp udp},
|
44
|
+
required: %i{manage add modify},
|
45
|
+
description: "Protocol to modify."
|
46
|
+
|
47
|
+
property :secontext, String,
|
48
|
+
required: %i{manage add modify},
|
49
|
+
description: "SELinux context to assign to the port."
|
50
|
+
|
51
|
+
action_class do
|
52
|
+
include Chef::SELinux::CommonHelpers
|
53
|
+
def current_port_context
|
54
|
+
# use awk to see if the given port is within a reported port range
|
55
|
+
shell_out!(
|
56
|
+
<<~CMD
|
57
|
+
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
|
58
|
+
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
|
59
|
+
CMD
|
60
|
+
).stdout.split
|
61
|
+
end
|
62
|
+
end
|
63
|
+
|
64
|
+
action :manage, description: "Assign the port to the right context regardless of previous state." do
|
65
|
+
run_action(:add)
|
66
|
+
run_action(:modify)
|
67
|
+
end
|
68
|
+
|
69
|
+
action :addormodify, description: "Assigns the port context if not set. Updates the port context if previously set." do
|
70
|
+
Chef::Log.warn("The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.")
|
71
|
+
run_action(:manage)
|
72
|
+
end
|
73
|
+
|
74
|
+
# Create if doesn't exist, do not touch if port is already registered (even under different type)
|
75
|
+
action :add, description: "Assign the port context if not set." do
|
76
|
+
if selinux_disabled?
|
77
|
+
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
|
78
|
+
return
|
79
|
+
end
|
80
|
+
|
81
|
+
if current_port_context.empty?
|
82
|
+
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
|
83
|
+
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
87
|
+
|
88
|
+
# Only modify port if it exists & doesn't have the correct context already
|
89
|
+
action :modify, description: "Update the port context if previously set." do
|
90
|
+
if selinux_disabled?
|
91
|
+
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
|
92
|
+
return
|
93
|
+
end
|
94
|
+
|
95
|
+
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
|
96
|
+
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
|
97
|
+
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
|
98
|
+
end
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
# Delete if exists
|
103
|
+
action :delete, description: "Removes the port context if set." do
|
104
|
+
if selinux_disabled?
|
105
|
+
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
|
106
|
+
return
|
107
|
+
end
|
108
|
+
|
109
|
+
unless current_port_context.empty?
|
110
|
+
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
|
111
|
+
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
end
|
117
|
+
end
|
118
|
+
end
|
@@ -0,0 +1,166 @@
|
|
1
|
+
#
|
2
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
3
|
+
# you may not use this file except in compliance with the License.
|
4
|
+
# You may obtain a copy of the License at
|
5
|
+
#
|
6
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
7
|
+
#
|
8
|
+
# Unless required by applicable law or agreed to in writing, software
|
9
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
10
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
11
|
+
# See the License for the specific language governing permissions and
|
12
|
+
# limitations under the License.
|
13
|
+
|
14
|
+
require_relative "../resource"
|
15
|
+
require_relative "selinux/common_helpers"
|
16
|
+
|
17
|
+
class Chef
|
18
|
+
class Resource
|
19
|
+
class SelinuxState < Chef::Resource
|
20
|
+
unified_mode true
|
21
|
+
|
22
|
+
provides :selinux_state
|
23
|
+
|
24
|
+
description "Use **selinux_state** resource to manages the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template."
|
25
|
+
introduced "18.0"
|
26
|
+
examples <<~DOC
|
27
|
+
**Set SELinux state to permissive**:
|
28
|
+
|
29
|
+
```ruby
|
30
|
+
selinux_state 'permissive' do
|
31
|
+
action :permissive
|
32
|
+
end
|
33
|
+
```
|
34
|
+
|
35
|
+
**Set SELinux state to enforcing**:
|
36
|
+
|
37
|
+
```ruby
|
38
|
+
selinux_state 'enforcing' do
|
39
|
+
action :enforcing
|
40
|
+
end
|
41
|
+
```
|
42
|
+
|
43
|
+
**Set SELinux state to disabled**:
|
44
|
+
```ruby
|
45
|
+
selinux_state 'disabled' do
|
46
|
+
action :disabled
|
47
|
+
end
|
48
|
+
```
|
49
|
+
DOC
|
50
|
+
|
51
|
+
default_action :nothing
|
52
|
+
|
53
|
+
property :config_file, String,
|
54
|
+
default: "/etc/selinux/config",
|
55
|
+
description: "Path to SELinux config file on disk."
|
56
|
+
|
57
|
+
property :persistent, [true, false],
|
58
|
+
default: true,
|
59
|
+
description: "Persist status update to the selinux configuration file."
|
60
|
+
|
61
|
+
property :policy, String,
|
62
|
+
default: lazy { default_policy_platform },
|
63
|
+
equal_to: %w{default minimum mls src strict targeted},
|
64
|
+
description: "SELinux policy type."
|
65
|
+
|
66
|
+
property :automatic_reboot, [true, false, Symbol],
|
67
|
+
default: false,
|
68
|
+
description: "Perform an automatic node reboot if required for state change."
|
69
|
+
|
70
|
+
deprecated_property_alias "temporary", "persistent", "The temporary property was renamed persistent in the 4.0 release of this cookbook. Please update your cookbooks to use the new property name."
|
71
|
+
|
72
|
+
action_class do
|
73
|
+
include Chef::SELinux::CommonHelpers
|
74
|
+
def render_selinux_template(action)
|
75
|
+
Chef::Log.warn("It is advised to set the configuration first to permissive to relabel the filesystem prior to enforcing.") if selinux_disabled? && action == :enforcing
|
76
|
+
|
77
|
+
unless new_resource.automatic_reboot
|
78
|
+
Chef::Log.warn("Changes from disabled require a reboot.") if selinux_disabled? && %i{enforcing permissive}.include?(action)
|
79
|
+
Chef::Log.warn("Disabling selinux requires a reboot.") if (selinux_enforcing? || selinux_permissive?) && action == :disabled
|
80
|
+
end
|
81
|
+
|
82
|
+
template "#{action} selinux config" do
|
83
|
+
path new_resource.config_file
|
84
|
+
source debian? ? ::File.expand_path("selinux/selinux_debian.erb", __dir__) : ::File.expand_path("selinux/selinux_default.erb", __dir__)
|
85
|
+
local true
|
86
|
+
variables(
|
87
|
+
selinux: action.to_s,
|
88
|
+
selinuxtype: new_resource.policy
|
89
|
+
)
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
def node_selinux_restart
|
94
|
+
unless new_resource.automatic_reboot
|
95
|
+
Chef::Log.warn("SELinux state change to #{action} requires a manual reboot as SELinux is currently #{selinux_state} and automatic reboots are disabled.")
|
96
|
+
return
|
97
|
+
end
|
98
|
+
|
99
|
+
outer_action = action
|
100
|
+
reboot "selinux_state_change" do
|
101
|
+
delay_mins 1
|
102
|
+
reason "SELinux state change to #{outer_action} from #{selinux_state}"
|
103
|
+
|
104
|
+
action new_resource.automatic_reboot.is_a?(Symbol) ? new_resource.automatic_reboot : :reboot_now
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
108
|
+
|
109
|
+
action :enforcing, description: "Set the SELinux state to enforcing." do
|
110
|
+
unless selinux_disabled? || selinux_enforcing?
|
111
|
+
execute "selinux-setenforce-enforcing" do
|
112
|
+
command "/usr/sbin/setenforce 1"
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
if selinux_activate_required?
|
117
|
+
execute "debian-selinux-activate" do
|
118
|
+
command "/usr/sbin/selinux-activate"
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
122
|
+
render_selinux_template(action) if new_resource.persistent
|
123
|
+
node_selinux_restart if state_change_reboot_required?
|
124
|
+
end
|
125
|
+
|
126
|
+
action :permissive, description: "Set the SELinux state to permissive." do
|
127
|
+
unless selinux_disabled? || selinux_permissive?
|
128
|
+
execute "selinux-setenforce-permissive" do
|
129
|
+
command "/usr/sbin/setenforce 0"
|
130
|
+
end
|
131
|
+
end
|
132
|
+
|
133
|
+
if selinux_activate_required?
|
134
|
+
execute "debian-selinux-activate" do
|
135
|
+
command "/usr/sbin/selinux-activate"
|
136
|
+
end
|
137
|
+
end
|
138
|
+
|
139
|
+
render_selinux_template(action) if new_resource.persistent
|
140
|
+
node_selinux_restart if state_change_reboot_required?
|
141
|
+
end
|
142
|
+
|
143
|
+
action :disabled, description: "Set the SELinux state to disabled. **NOTE**: Switching to or from disabled requires a reboot!" do
|
144
|
+
raise "A non-persistent change to the disabled SELinux status is not possible." unless new_resource.persistent
|
145
|
+
|
146
|
+
render_selinux_template(action)
|
147
|
+
node_selinux_restart if state_change_reboot_required?
|
148
|
+
end
|
149
|
+
|
150
|
+
private
|
151
|
+
|
152
|
+
#
|
153
|
+
# Decide default policy platform based upon platform_family
|
154
|
+
#
|
155
|
+
# @return [String] Policy platform name
|
156
|
+
def default_policy_platform
|
157
|
+
case node["platform_family"]
|
158
|
+
when "rhel", "fedora", "amazon"
|
159
|
+
"targeted"
|
160
|
+
when "debian"
|
161
|
+
"default"
|
162
|
+
end
|
163
|
+
end
|
164
|
+
end
|
165
|
+
end
|
166
|
+
end
|
data/lib/chef/resource/sudo.rb
CHANGED
@@ -38,10 +38,10 @@ log_location <%= @log_location.inspect %>
|
|
38
38
|
<% end -%>
|
39
39
|
<%# These data_collector options are special as they have a '.' -%>
|
40
40
|
<% unless @data_collector_server_url.nil? || @data_collector_server_url.empty? %>
|
41
|
-
data_collector.server_url <%= @data_collector_server_url %>
|
41
|
+
data_collector.server_url <%= @data_collector_server_url.inspect %>
|
42
42
|
<% end %>
|
43
43
|
<% unless @data_collector_token.nil? || @data_collector_token.empty? %>
|
44
|
-
data_collector.token <%= @data_collector_token %>
|
44
|
+
data_collector.token <%= @data_collector_token.inspect %>
|
45
45
|
<% end %>
|
46
46
|
<%# The code below is not DRY on purpose to improve readability -%>
|
47
47
|
<% unless @start_handlers.empty? -%>
|
data/lib/chef/resource/sysctl.rb
CHANGED
@@ -20,7 +20,6 @@ require_relative "../resource"
|
|
20
20
|
class Chef
|
21
21
|
class Resource
|
22
22
|
class Sysctl < Chef::Resource
|
23
|
-
unified_mode true
|
24
23
|
|
25
24
|
provides(:sysctl) { true }
|
26
25
|
provides(:sysctl_param) { true }
|
@@ -188,7 +187,7 @@ class Chef
|
|
188
187
|
|
189
188
|
sysctl_lines << "#{new_resource.key} = #{new_resource.value}"
|
190
189
|
|
191
|
-
sysctl_lines.join("\n")
|
190
|
+
sysctl_lines.join("\n") + "\n"
|
192
191
|
end
|
193
192
|
end
|
194
193
|
|
@@ -34,7 +34,6 @@ class Chef
|
|
34
34
|
# chef-client. This resource includes actions and properties from the file resource. Template files managed by the
|
35
35
|
# template resource follow the same file specificity rules as the remote_file and file resources.
|
36
36
|
class Template < Chef::Resource::File
|
37
|
-
unified_mode true
|
38
37
|
|
39
38
|
provides :template
|
40
39
|
|
@@ -58,7 +58,6 @@ class Chef
|
|
58
58
|
# the 'password' property corresponds to a plaintext password and will
|
59
59
|
# attempt to use it in place of secure_token_password if it not set.
|
60
60
|
class MacUser < Chef::Resource::User
|
61
|
-
unified_mode true
|
62
61
|
|
63
62
|
provides :mac_user
|
64
63
|
provides :user, platform: "mac_os_x"
|
data/lib/chef/resource/user.rb
CHANGED
@@ -21,7 +21,6 @@ require_relative "../resource"
|
|
21
21
|
class Chef
|
22
22
|
class Resource
|
23
23
|
class User < Chef::Resource
|
24
|
-
unified_mode true
|
25
24
|
|
26
25
|
description "Use the **user** resource to add users, update existing users, remove users, and to lock/unlock user passwords."
|
27
26
|
|
@@ -73,6 +72,16 @@ class Chef
|
|
73
72
|
description: "The numeric group identifier."
|
74
73
|
|
75
74
|
alias_method :group, :gid
|
75
|
+
|
76
|
+
property :expire_date, [ String, NilClass ],
|
77
|
+
description: "(Linux) The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.",
|
78
|
+
introduced: "18.0",
|
79
|
+
desired_state: false
|
80
|
+
|
81
|
+
property :inactive, [ String, Integer, NilClass ],
|
82
|
+
description: "(Linux) The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.",
|
83
|
+
introduced: "18.0",
|
84
|
+
desired_state: false
|
76
85
|
end
|
77
86
|
end
|
78
87
|
end
|
@@ -19,7 +19,6 @@ require_relative "../resource"
|
|
19
19
|
class Chef
|
20
20
|
class Resource
|
21
21
|
class WindowsDefender < Chef::Resource
|
22
|
-
unified_mode true
|
23
22
|
provides :windows_defender
|
24
23
|
|
25
24
|
description "Use the **windows_defender** resource to enable or disable the Microsoft Windows Defender service."
|