vagrant-clone 0.0.1 → 0.0.3

data/cookbooks/selinux_policy/CHANGELOG.md

@@ -0,0 +1,155 @@
+# selinuxpolicy CHANGELOG
+
+This file is used to list changes made in each version of the selinuxpolicy cookbook.
+
+## 2.0.1 (2017-04-21)
+
+- Perform relabel (restorecon) using find to support regexes
+
+## 2.0.0 (2017-02-23)
+
+- This cookbook has been moved to the Sous Chefs org. See sous-chefs.org for more information
+- Require Chef 12.1 or later
+- Use compat_resource instead of requiring yum
+- Don't install yum::dnf_yum_compat on Fedora since Chef has DNF support now
+- Don't define attributes in the metadata as these aren't used
+- Remove the Vagrantfile
+- Add chef_version requirements to the metadata
+- Test with ChefDK / Rake in Travis instead of gems
+- Resolve Foodcritic, Cookstyle, and Chefspec warnings
+
+## 1.1.1
+
+- [7307850] (Adam Ward) Silence fcontext guard output
+- [ad71437] (nitz) Restorecon is now done via shell_out
+- [fa30813] (James Le Cuirot) Change yum dependency to ~> 4.0
+- [cd9a8da] (nitz) Removed selinux enforcing from kitchen, unified runlists
+
+## 1.1.0
+
+- [daften] Added `file_type` for fcontext
+
+## 1.0.1
+
+- [backslasher] - Foodcritic and rubocop improvements
+
+## 1.0.0
+
+- [equick] - Validating ports better
+- [backslasher] - FContext relabling for flies is now immediate. (Possibly breaking)
+- [backslasher] - testing made slightly more elegant
+
+## 0.9.6
+
+- [jhmartin] - Updated README
+- [backslasher] - Major revision of testing
+
+## 0.9.5
+
+- [backslasher] - Modified yum dependency
+
+## 0.9.4
+
+- [mhorbul] - Fixed state detection in boolean resource
+
+## 0.9.3
+
+- [backlsasher] - Fixed testing & kitchen
+- [jbartko] - Added Fedora support
+
+## 0.9.2
+
+- [backslasher] - Ignoring nonexisting files in restorecon
+
+## 0.9.1
+
+- [backslasher] - Fixed issue with module being partially executed on machines with SELinux disabled
+
+## 0.9.0
+
+- [backslasher] - module overhaul: code refactoring, supporting new input, testing, new actions
+- [backslasher] - fcontext overhaul: code refactoring, testing, new action
+
+**Note**: I don't think I have any breaking changes here. If there are, I apologise and request that you create an issue with a test recipe that fails on the problem (so I can reproduce)
+
+## 0.8.1
+
+- [backslasher] - Added Travis CI harness
+- [backslasher] - Fixed typo in README
+
+## 0.8.0
+
+- [backslasher] - Test overhaul. Now testing is somewhat reliable when using ports
+- [backslasher] - Port search is a function
+- [backslasher] - Port detection now supports ranges. No possibility to add ranges (yet)
+
+## 0.7.2
+
+- [shortdudey123] - ChefSpec matchers, helps testing
+
+## 0.7.1
+
+- [backslasher] - Forgot contributor
+
+## 0.7.0
+
+- [chewi] - Fixed prereq packages
+- [backslasher] - Modified misleading comment
+- [chewi] - Move helpers into a cookbook-specific module
+- [chewi] - Prevent use_selinux from blowing up on systems without getenforce
+
+## 0.6.5
+
+- [backslasher] - Ubuntu installation warning
+
+## 0.6.4
+
+- [sauraus] - CentOS 7 support
+- [sauraus] - Typos
+
+## 0.6.3
+
+- [backslasher] - Readme updates
+- [kevans] - Added kitchen testing
+
+## 0.6.2
+
+- [kevans] - Support Chef 11.8.0 running shellout!()
+- [backslasher] - Simplified support info
+- [backslasher] - ASCIIed files
+
+## 0.6.1
+
+- [backslasher] - Migrated to `only_if` instead of if
+- [backslasher] - README typos
+
+## 0.6.0
+
+- [joerg] - Added fcontext resource for managing file contexts under SELinux
+
+## 0.5.0
+
+- [backslasher] - Added RHEL5/derivatives support. Thanks to @knightorc.
+
+  ```
+              Cookbook will break on RHEL7\. If anyone expiriences this, please check required packages and create an issue/PR
+  ```
+
+- [backslasher] - Machines without SELinux are (opionally) supported. Thanks to @knightroc.
+
+## 0.4.0
+
+- [backlasher] - Fixed foodcritic errors
+
+## 0.3.0
+
+- [backlasher] - Fixed `install.rb` syntax. Now it actually works
+
+## 0.2.0
+
+- [backlasher] - Added module resource. Currently supports deployment and removal (because that's what I need)
+- [backlasher] - Added permissive resource
+
+## 0.1.0
+
+- [backlasher] - Initial release of selinuxpolicy

data/cookbooks/selinux_policy/LICENSE

@@ -0,0 +1,13 @@
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

data/cookbooks/selinux_policy/README.md

@@ -0,0 +1,217 @@
+# SELinux Policy Cookbook
+
+This cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.
+
+## Requirements
+
+Needs an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).
+
+### Chef
+
+- Chef 12.1+
+
+### Platforms
+
+- rhel
+- fedora
+
+## Attributes
+
+These attributes affect the way all of the LWRPs are behaving.
+
+- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.
+
+## Usage
+
+- `selinux_policy::install` - Installs SELinux policy management tools
+
+This cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.
+
+### boolean
+
+Represents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).
+
+Attributes:
+
+- `name`: boolean's name. Defaults to resource name.
+- `value`: Its new value (`true`/`false`).
+- `force`: Use `setsebool` even if the current value agrees with the requested one.
+
+Example usage:
+
+```ruby
+include_recipe 'selinux_policy::install'
+
+selinux_policy_boolean 'httpd_can_network_connect' do
+    value true
+    # Make sure nginx is started if this value was modified
+    notifies :start,'service[nginx]', :immediate
+end
+```
+
+**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.
+
+### port
+
+Allows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.
+
+Actions:
+
+- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.
+- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).
+- `modify`: Changes the port's context if it's already listed (only uses `-m`).
+- `delete`: Removes the port's context if it's listed (uses `-d`).
+
+Attributes:
+
+- `port`: The port in question, defaults to resource name.
+- `protocol`: `tcp`/`udp`.
+- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.
+
+Example usage:
+
+```ruby
+include_recipe 'selinux_policy::install'
+
+# Allow nginx to bind to port 5678, by giving it the http_port_t context
+selinux_policy_port '5678' do
+    protocol 'tcp'
+    secontext 'http_port_t'
+end
+```
+
+### module
+
+Manages SEModules
+
+Actions:
+
+- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior
+- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.
+- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.
+- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.
+- `remove`: Removes a module.
+
+Attributes:
+
+- `name`: The module name. Defaults to resource name.
+- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.
+- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.
+- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.
+- `cookbook`: Modifies the source cookbook for the `remote_directory`.
+- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.
+
+Example usage:
+
+```ruby
+include_recipe 'selinux_policy::install'
+
+# Allow openvpn to write/delete in '/etc/openvpn'
+selinux_policy_module 'openvpn-googleauthenticator' do
+  content <<-eos
+    module dy-openvpn-googleauthenticator 1.0;
+
+    require {
+        type openvpn_t;
+        type openvpn_etc_t;
+        class file { write unlink };
+    }
+
+
+    #============= openvpn_t ==============
+    allow openvpn_t openvpn_etc_t:file { write unlink };
+  eos
+  action :deploy
+end
+```
+
+### fcontext
+
+Allows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.
+
+Actions:
+
+- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.
+- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).
+- `modify`: Changes the file regexp context if it's already listed (only uses -m).
+- `delete`: Removes the file regexp context if it's listed (uses -d).
+
+Attributes:
+
+- `file_spec`: This is the file regexp in question, defaults to resource name.
+- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`
+- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info
+- **a** All files
+- **f** Regular files
+- **d** Directory
+- **c** Character device
+- **b** Block device
+- **s** Socket
+- **l** Symbolic link
+- **p** Namedpipe
+
+Example usage (see mysql cookbook for example daemons ):
+
+```ruby
+include_recipe 'selinux_policy::install'
+
+# Allow http servers (nginx/apache) to modify moodle files
+selinux_policy_fcontext '/var/www/moodle(/.*)?' do
+  secontext 'httpd_sys_rw_content_t'
+end
+
+# Allow a custom mysql daemon to access its files.
+{'mysqld_etc_t' => "/etc/mysql-#{service_name}(/.*)?",
+'mysqld_etc_t' => "/etc/mysql-#{service_name}/my\.cnf",
+'mysqld_log_t' => "/var/log/mysql-#{service_name}(/.*)?",
+'mysqld_db_t' => "/opt/mysql_data_#{service_name}(/.*)?",
+'mysqld_var_run_t' => "/var/run/mysql-#{service_name}(/.*)?",
+'mysqld_initrc_exec_t' => "/etc/rc\.d/init\.d/mysql-#{service_name}"}.each do |sc, f|
+  selinux_policy_fcontext f do
+    secontext sc
+  end
+end
+
+# Adapt a symbolic link
+selinux_policy_fcontext '/var/www/symlink_to_webroot' do
+  secontext 'httpd_sys_rw_content_t'
+  filetype 'l'
+end
+```
+
+### permissive
+
+Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.
+
+Actions:
+
+- `add`: Adds a permissive, unless it's already added
+- `delete`: Deletes a permissive if it's listed
+
+Example usage:
+
+```ruby
+include_recipe 'selinux_policy::install'
+
+# Disable enforcement on Nginx
+# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
+
+selinux_policy_permissive 'nginx' do
+  notifies :restart, 'service[nginx]'
+end
+```
+
+## Contributing
+
+1. Fork the repository
+2. Create a named feature branch (like `add_component_x`)
+3. Write your change
+4. Write tests for your change (if applicable): If fixing a bug, please add regression tests for the RSpec (if possible) and the kitchen If adding a feature, please create basic tests for it, in both RSpec and kitchen
+5. Run the tests, ensuring they all pass, using `rake testing:user`
+6. Submit a Pull Request using Github Please **attach the test results** using a gist
+
+## License and Authors
+
+- Licensed [GPL v2](http://choosealicense.com/licenses/gpl-2.0/)
+- Author:: [Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))
+- Maintainer Community:: Sous Chefs [help@sous-chefs.org](mailto:help@sous-chefs.org)

data/cookbooks/selinux_policy/Rakefile

@@ -0,0 +1,68 @@
+#!/usr/bin/env rake
+
+# Style tests. cookstyle (rubocop) and Foodcritic
+namespace :style do
+  begin
+    require 'cookstyle'
+    require 'rubocop/rake_task'
+
+    desc 'Run Ruby style checks'
+    RuboCop::RakeTask.new(:ruby)
+  rescue LoadError => e
+    puts ">>> Gem load error: #{e}, omitting #{task.name}" unless ENV['CI']
+  end
+
+  begin
+    require 'foodcritic'
+
+    desc 'Run Chef style checks'
+    FoodCritic::Rake::LintTask.new(:chef) do |t|
+      t.options = {
+        fail_tags: ['any'],
+        progress: true,
+        exclude: 'spec',
+      }
+    end
+  rescue LoadError => e
+    puts ">>> Gem load error: #{e}, omitting #{task.name}" unless ENV['CI']
+  end
+end
+
+desc 'Run all style checks'
+task style: ['style:chef', 'style:ruby']
+
+# ChefSpec
+begin
+  require 'rspec/core/rake_task'
+
+  desc 'Run ChefSpec examples'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError => e
+  puts ">>> Gem load error: #{e}, omitting #{task.name}" unless ENV['CI']
+end
+
+# Integration tests. Kitchen.ci
+namespace :integration do
+  begin
+    require 'kitchen/rake_tasks'
+
+    desc 'Run kitchen integration tests'
+    Kitchen::RakeTasks.new
+  rescue LoadError, StandardError => e
+    puts ">>> Gem load error: #{e}, omitting #{task.name}" unless ENV['CI']
+  end
+end
+
+namespace :supermarket do
+  begin
+    require 'stove/rake_task'
+
+    desc 'Publish cookbook to Supermarket with Stove'
+    Stove::RakeTask.new
+  rescue LoadError => e
+    puts ">>> Gem load error: #{e}, omitting #{task.name}" unless ENV['CI']
+  end
+end
+
+# Default
+task default: %w(style spec)

data/cookbooks/selinux_policy/TESTING.md

@@ -0,0 +1,2 @@
+Please refer to
+https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/TESTING.MD

data/cookbooks/selinux_policy/Thorfile

@@ -0,0 +1,12 @@
+# encoding: utf-8
+
+require 'bundler'
+require 'bundler/setup'
+require 'berkshelf/thor'
+
+begin
+  require 'kitchen/thor_tasks'
+  Kitchen::ThorTasks.new
+rescue LoadError
+  puts '>>>>> Kitchen gem not loaded, omitting tasks' unless ENV['CI']
+end

data/cookbooks/selinux_policy/attributes/default.rb

@@ -0,0 +1,5 @@
+# Cookbook: selinux_policy
+# Attribute file: default
+# 2015, GPLv2, Nitzan Raz (http://backslasher.net)
+
+default['selinux_policy']['allow_disabled'] = true

data/cookbooks/selinux_policy/chefignore

@@ -0,0 +1,102 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a chef-server or supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+Icon?
+nohup.out
+ehthumbs.db
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+\#*
+.#*
+*~
+*.sw[a-z]
+*.bak
+REVISION
+TAGS*
+tmtags
+*_flymake.*
+*_flymake
+*.tmproj
+.project
+.settings
+mkmf.log
+
+## COMPILED ##
+##############
+a.out
+*.o
+*.pyc
+*.so
+*.com
+*.class
+*.dll
+*.exe
+*/rdoc/
+
+# Testing #
+###########
+.watchr
+.rspec
+spec/*
+spec/fixtures/*
+test/*
+features/*
+examples/*
+Guardfile
+Procfile
+.kitchen*
+.rubocop.yml
+spec/*
+Rakefile
+.travis.yml
+.foodcritic
+.codeclimate.yml
+
+# SCM #
+#######
+.git
+*/.git
+.gitignore
+.gitmodules
+.gitconfig
+.gitattributes
+.svn
+*/.bzr/*
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Cookbooks #
+#############
+CONTRIBUTING*
+CHANGELOG*
+TESTING*
+MAINTAINERS.toml
+
+# Strainer #
+############
+Colanderfile
+Strainerfile
+.colander
+.strainer
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

data/cookbooks/selinux_policy/libraries/helper-disabled.rb

@@ -0,0 +1,29 @@
+# Cookbook: selinux_policy
+# Library: helper-disabled
+# 2015, GPLv2, Nitzan Raz (http://backslasher.net)
+
+require 'chef/mixin/shell_out'
+include Chef::Mixin::ShellOut
+
+class Chef
+  module SELinuxPolicy
+    module Helpers
+      # Checks if SELinux is disabled or otherwise unavailable and
+      # whether we're allowed to run when disabled
+      def use_selinux
+        begin
+          getenforce = shell_out!('getenforce')
+        rescue
+          selinux_disabled = true
+        else
+          selinux_disabled = getenforce.stdout =~ /disabled/i
+        end
+        allowed_disabled = node['selinux_policy']['allow_disabled']
+        # return false only when SELinux is disabled and it's allowed
+        return_val = !(selinux_disabled && allowed_disabled)
+        Chef::Log.warn('SELinux is disabled / unreachable, skipping') unless return_val
+        return_val
+      end
+    end
+  end
+end

data/cookbooks/selinux_policy/libraries/matchers.rb

@@ -0,0 +1,57 @@
+if defined?(ChefSpec)
+  def set_selinux_policy_boolean(resource_name) # rubocop:disable Style/AccessorMethodName
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_boolean, :set, resource_name)
+  end
+
+  def setpersist_selinux_policy_boolean(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_boolean, :setpersist, resource_name)
+  end
+
+  def add_selinux_policy_fcontext(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_fcontext, :add, resource_name)
+  end
+
+  def delete_selinux_policy_fcontext(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_fcontext, :delete, resource_name)
+  end
+
+  def modify_selinux_policy_fcontext(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_fcontext, :modify, resource_name)
+  end
+
+  def addormodify_selinux_policy_fcontext(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_fcontext, :addormodify, resource_name)
+  end
+
+  def deploy_selinux_policy_module(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_module, :deploy, resource_name)
+  end
+
+  def remove_selinux_policy_module(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_module, :remove, resource_name)
+  end
+
+  def add_selinux_policy_permissive(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_permissive, :add, resource_name)
+  end
+
+  def delete_selinux_policy_permissive(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_permissive, :delete, resource_name)
+  end
+
+  def add_selinux_policy_port(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_port, :add, resource_name)
+  end
+
+  def delete_selinux_policy_port(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_port, :delete, resource_name)
+  end
+
+  def modify_selinux_policy_port(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_port, :modify, resource_name)
+  end
+
+  def addormodify_selinux_policy_port(resource_name)
+    ChefSpec::Matchers::ResourceMatcher.new(:selinux_policy_port, :addormodify, resource_name)
+  end
+end