vagrant-clone 0.0.1 → 0.0.3

data/cookbooks/selinux_policy/metadata.json

@@ -0,0 +1,58 @@
+{
+  "name": "selinux_policy",
+  "description": "Manages SELinux policy components",
+  "long_description": "# SELinux Policy Cookbook\n\nThis cookbook can be used to manage SELinux policies and components (rather than just enable / disable enforcing). I made it because I needed some SELinux settings done, and the `execute`s started to look annoying.\n\n## Requirements\n\nNeeds an SELinux policy active (so its values can be managed). Can work with a disabled SELinux system (see attribute `allow_disabled`), which will generate warnings and do nothing (but won't break the run). Also requires SELinux's management tools, namely `semanage`, `setsebool` and `getsebool`. Tools are installed by the `selinux_policy::install` recipe (for RHEL/Debian and the like).\n\n### Chef\n\n- Chef 12.1+\n\n### Platforms\n\n- rhel\n- fedora\n\n## Attributes\n\nThese attributes affect the way all of the LWRPs are behaving.\n\n- `node['selinux_policy']['allow_disabled']` - Whether to allow runs when SELinux is disabled. Will generate warnings, but the run won't fail. Defaults to `true`, set to `false` if you don't have any machines with disabled SELinux.\n\n## Usage\n\n- `selinux_policy::install` - Installs SELinux policy management tools\n\nThis cookbook's functionality is exposed via resources, so it should be called from a wrapper cookbook. Remember to add `depends 'selinux_policy'` to your `metadata.rb`.\n\n### boolean\n\nRepresents an SELinux [boolean](http://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans). You can either `set` it, meaning it will be changed without persistence (it will revert to default in the next reboot), or `setpersist` it (default action), so it'll keep it value after rebooting. Using `setpersist` requires an active policy (so that the new value can be saved somewhere).\n\nAttributes:\n\n- `name`: boolean's name. Defaults to resource name.\n- `value`: Its new value (`true`/`false`).\n- `force`: Use `setsebool` even if the current value agrees with the requested one.\n\nExample usage:\n\n```ruby\ninclude_recipe 'selinux_policy::install'\n\nselinux_policy_boolean 'httpd_can_network_connect' do\n    value true\n    # Make sure nginx is started if this value was modified\n    notifies :start,'service[nginx]', :immediate\nend\n```\n\n**Note**: Due to ruby interperting `0` as `true`, using `value 0` is unwise.\n\n### port\n\nAllows assigning a network port to a certain SELinux context. As explained [here](http://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388), it can be useful for running Apache on a non-standard port.\n\nActions:\n\n- `addormodify` (default): Assigns the port to the right context, whether it's already listed another context or not at all.\n- `add`: Assigns the port to the right context it's if not listed (only uses `-a`).\n- `modify`: Changes the port's context if it's already listed (only uses `-m`).\n- `delete`: Removes the port's context if it's listed (uses `-d`).\n\nAttributes:\n\n- `port`: The port in question, defaults to resource name.\n- `protocol`: `tcp`/`udp`.\n- `secontext`: The SELinux context to assign the port to. Unnecessary when using `delete`.\n\nExample usage:\n\n```ruby\ninclude_recipe 'selinux_policy::install'\n\n# Allow nginx to bind to port 5678, by giving it the http_port_t context\nselinux_policy_port '5678' do\n    protocol 'tcp'\n    secontext 'http_port_t'\nend\n```\n\n### module\n\nManages SEModules\n\nActions:\n\n- `fetch`: Prepares the module's files for compilation. Allow `remote_directory`-like behavior\n- `compile`: Translates a module source directory into a `NAME.pp` file. Uses `make` logic for idempotence.\n- `install`: Adds a compiled module (`pp`) to the current policy. Only installs if the module was modified this run, `force` is enabled or it's missing from the current policy. **Note:** I wish I could compare the existing module to the one generated, but the `extract` capability was only added in [Aug 15](https://github.com/SELinuxProject/selinux/commit/65c6325271b54d3de9c17352a57d469dfbd12729). I'll be happy to see a better idea.\n- `deploy` (default): Runs `fetch`, `compile`, `install` in that order.\n- `remove`: Removes a module.\n\nAttributes:\n\n- `name`: The module name. Defaults to resource name.\n- `directory`: Directory where module is stored. Defaults to a directory inside the Chef cache.\n- `content`: The module content, can be extracted from `audit2allow -m NAME`. This can be used to create simple modules without using external files.\n- `directory_source`: Copies files cookbook to the module directory (uses `remote_directory`). Allows keeping all of the module's source files in the cookbook. **Note:** You can pre-create the module directory and populate it in any other way you'd choose.\n- `cookbook`: Modifies the source cookbook for the `remote_directory`.\n- `force`: Installs the module even if it seems fine. Ruins idempotence but should help solve some weird cases.\n\nExample usage:\n\n```ruby\ninclude_recipe 'selinux_policy::install'\n\n# Allow openvpn to write/delete in '/etc/openvpn'\nselinux_policy_module 'openvpn-googleauthenticator' do\n  content <<-eos\n    module dy-openvpn-googleauthenticator 1.0;\n\n    require {\n        type openvpn_t;\n        type openvpn_etc_t;\n        class file { write unlink };\n    }\n\n\n    #============= openvpn_t ==============\n    allow openvpn_t openvpn_etc_t:file { write unlink };\n  eos\n  action :deploy\nend\n```\n\n### fcontext\n\nAllows managing the SELinux context of files. This can be used to grant SELinux-protected daemons access to additional / moved files.\n\nActions:\n\n- `addormodify` (default): Assigns the file regexp to the right context, whether it's already listed another context or not at all.\n- `add`: Assigns the file regexp to the right context it's if not listed (only uses -a).\n- `modify`: Changes the file regexp context if it's already listed (only uses -m).\n- `delete`: Removes the file regexp context if it's listed (uses -d).\n\nAttributes:\n\n- `file_spec`: This is the file regexp in question, defaults to resource name.\n- `secontext`: The SELinux context to assign the file regexp to. Not required for `:delete`\n- `file_type`: Restrict the fcontext to specific file types. See the table below for an overview. See also <https://en.wikipedia.org/wiki/Unix_file_types> for more info\n- **a** All files\n- **f** Regular files\n- **d** Directory\n- **c** Character device\n- **b** Block device\n- **s** Socket\n- **l** Symbolic link\n- **p** Namedpipe\n\nExample usage (see mysql cookbook for example daemons ):\n\n```ruby\ninclude_recipe 'selinux_policy::install'\n\n# Allow http servers (nginx/apache) to modify moodle files\nselinux_policy_fcontext '/var/www/moodle(/.*)?' do\n  secontext 'httpd_sys_rw_content_t'\nend\n\n# Allow a custom mysql daemon to access its files.\n{'mysqld_etc_t' => \"/etc/mysql-#{service_name}(/.*)?\",\n'mysqld_etc_t' => \"/etc/mysql-#{service_name}/my\\.cnf\",\n'mysqld_log_t' => \"/var/log/mysql-#{service_name}(/.*)?\",\n'mysqld_db_t' => \"/opt/mysql_data_#{service_name}(/.*)?\",\n'mysqld_var_run_t' => \"/var/run/mysql-#{service_name}(/.*)?\",\n'mysqld_initrc_exec_t' => \"/etc/rc\\.d/init\\.d/mysql-#{service_name}\"}.each do |sc, f|\n  selinux_policy_fcontext f do\n    secontext sc\n  end\nend\n\n# Adapt a symbolic link\nselinux_policy_fcontext '/var/www/symlink_to_webroot' do\n  secontext 'httpd_sys_rw_content_t'\n  filetype 'l'\nend\n```\n\n### permissive\n\nAllows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely.\n\nActions:\n\n- `add`: Adds a permissive, unless it's already added\n- `delete`: Deletes a permissive if it's listed\n\nExample usage:\n\n```ruby\ninclude_recipe 'selinux_policy::install'\n\n# Disable enforcement on Nginx\n# As described on http://nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/\n\nselinux_policy_permissive 'nginx' do\n  notifies :restart, 'service[nginx]'\nend\n```\n\n## Contributing\n\n1. Fork the repository\n2. Create a named feature branch (like `add_component_x`)\n3. Write your change\n4. Write tests for your change (if applicable): If fixing a bug, please add regression tests for the RSpec (if possible) and the kitchen If adding a feature, please create basic tests for it, in both RSpec and kitchen\n5. Run the tests, ensuring they all pass, using `rake testing:user`\n6. Submit a Pull Request using Github Please **attach the test results** using a gist\n\n## License and Authors\n\n- Licensed [GPL v2](http://choosealicense.com/licenses/gpl-2.0/)\n- Author:: [Nitzan Raz](https://github.com/BackSlasher) ([backslasher](http://backslasher.net))\n- Maintainer Community:: Sous Chefs [help@sous-chefs.org](mailto:help@sous-chefs.org)\n",
+  "maintainer": "Sous Chefs",
+  "maintainer_email": "help@sous-chefs.org",
+  "license": "GPL v2",
+  "platforms": {
+    "redhat": ">= 0.0.0",
+    "centos": ">= 0.0.0",
+    "fedora": ">= 0.0.0",
+    "ubuntu": ">= 0.0.0",
+    "debian": ">= 0.0.0",
+    "amazon": ">= 0.0.0"
+  },
+  "dependencies": {
+    "compat_resource": ">= 12.16.3"
+  },
+  "recommendations": {
+
+  },
+  "suggestions": {
+
+  },
+  "conflicting": {
+
+  },
+  "providing": {
+
+  },
+  "replacing": {
+
+  },
+  "attributes": {
+
+  },
+  "groupings": {
+
+  },
+  "recipes": {
+
+  },
+  "version": "2.0.1",
+  "source_url": "https://github.com/sous-chefs/selinux_policy",
+  "issues_url": "https://github.com/sous-chefs/selinux_policy/issues",
+  "privacy": false,
+  "chef_versions": [
+    [
+      ">= 12.1"
+    ]
+  ],
+  "ohai_versions": [
+
+  ],
+  "gems": [
+
+  ]
+}

data/cookbooks/selinux_policy/metadata.rb

@@ -0,0 +1,20 @@
+name             'selinux_policy'
+maintainer       'Sous Chefs'
+maintainer_email 'help@sous-chefs.org'
+license          'GPL v2'
+description      'Manages SELinux policy components'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version          '2.0.1'
+
+supports 'redhat'
+supports 'centos'
+supports 'fedora'
+supports 'ubuntu'
+supports 'debian'
+supports 'amazon'
+
+depends 'compat_resource', '>= 12.16.3'
+
+source_url 'https://github.com/sous-chefs/selinux_policy'
+issues_url 'https://github.com/sous-chefs/selinux_policy/issues'
+chef_version '>= 12.1' if respond_to?(:chef_version)

data/cookbooks/selinux_policy/providers/boolean.rb

@@ -0,0 +1,28 @@
+include Chef::SELinuxPolicy::Helpers
+
+# Support whyrun
+def whyrun_supported?
+  true
+end
+
+use_inline_resources
+
+# Set for now, without persisting
+action :set do
+  sebool(false)
+end
+
+# Set and persist
+action :setpersist do
+  sebool(true)
+end
+
+def sebool(persist = false)
+  persist_string = persist ? '-P ' :  ''
+  new_value = new_resource.value ? 'on' : 'off'
+  execute "selinux-setbool-#{new_resource.name}-#{new_value}" do
+    command "/usr/sbin/setsebool #{persist_string} #{new_resource.name} #{new_value}"
+    not_if "/usr/sbin/getsebool #{new_resource.name} | grep '#{new_value}$' >/dev/null" unless new_resource.force
+    only_if { use_selinux }
+  end
+end

data/cookbooks/selinux_policy/providers/fcontext.rb

@@ -0,0 +1,78 @@
+include Chef::SELinuxPolicy::Helpers
+
+# Support whyrun
+def whyrun_supported?
+  true
+end
+
+def fcontext_defined(file_spec, file_type, label = nil)
+  file_hash = {
+    'a' => 'all files',
+    'f' => 'regular file',
+    'd' => 'directory',
+    'c' => 'character device',
+    'b' => 'block device',
+    's' => 'socket',
+    'l' => 'symbolic link',
+    'p' => 'named pipe',
+  }
+
+  label_matcher = label ? "system_u:object_r:#{Regexp.escape(label)}:s0\\s*$" : ''
+  "semanage fcontext -l | grep -qP '^#{Regexp.escape(file_spec)}\\s+#{Regexp.escape(file_hash[file_type])}\\s+#{label_matcher}'"
+end
+
+def semanage_options(file_type)
+  # Set options for file_type
+  if node['platform_family'].include?('rhel') && Chef::VersionConstraint.new('< 7.0').include?(node['platform_version'])
+    case file_type
+    when 'a' then '-f ""'
+    when 'f' then '-f --'
+    else; "-f -#{file_type}"
+    end
+  else
+    "-f #{file_type}"
+  end
+end
+
+use_inline_resources
+
+# Run restorecon to fix label
+action :relabel do
+  res = shell_out!('find', '/', '-regextype', 'posix-egrep', '-regex', new_resource.file_spec, '-execdir', 'restorecon', '-iRv', '{}', ';')
+  new_resource.updated_by_last_action(true) unless res.stdout.empty?
+end
+
+# Create if doesn't exist, do not touch if fcontext is already registered
+action :add do
+  execute "selinux-fcontext-#{new_resource.secontext}-add" do
+    command "/usr/sbin/semanage fcontext -a #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
+    not_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
+    only_if { use_selinux }
+    notifies :relabel, new_resource, :immediate
+  end
+end
+
+# Delete if exists
+action :delete do
+  execute "selinux-fcontext-#{new_resource.secontext}-delete" do
+    command "/usr/sbin/semanage fcontext #{semanage_options(new_resource.file_type)} -d '#{new_resource.file_spec}'"
+    only_if fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
+    only_if { use_selinux }
+    notifies :relabel, new_resource, :immediate
+  end
+end
+
+action :modify do
+  execute "selinux-fcontext-#{new_resource.secontext}-modify" do
+    command "/usr/sbin/semanage fcontext -m #{semanage_options(new_resource.file_type)} -t #{new_resource.secontext} '#{new_resource.file_spec}'"
+    only_if { use_selinux }
+    only_if fcontext_defined(new_resource.file_spec, new_resource.file_type)
+    not_if  fcontext_defined(new_resource.file_spec, new_resource.file_type, new_resource.secontext)
+    notifies :relabel, new_resource, :immediate
+  end
+end
+
+action :addormodify do
+  run_action(:add)
+  run_action(:modify)
+end

data/cookbooks/selinux_policy/providers/module.rb

@@ -0,0 +1,81 @@
+include Chef::SELinuxPolicy::Helpers
+
+# Support whyrun
+def whyrun_supported?
+  true
+end
+
+def module_defined(name)
+  "/usr/sbin/semodule -l | grep -w '^#{name}'"
+end
+
+def shell_boolean(expression)
+  expression ? 'true' : 'false'
+end
+
+use_inline_resources
+
+# Get all the components in the right place
+action :fetch do
+  directory new_resource.directory do
+    only_if { use_selinux }
+  end
+
+  raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content
+
+  if new_resource.directory_source # ~FC023
+    remote_directory new_resource.directory do
+      source new_resource.directory_source
+      cookbook new_resource.cookbook
+      only_if { use_selinux }
+    end
+  end
+
+  if new_resource.content
+    file "#{new_resource.directory}/#{new_resource.module_name}.te" do
+      content new_resource.content
+      only_if { use_selinux }
+    end
+  end
+end
+
+# compile the module
+# XXX allow modifyable path
+action :compile do
+  make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"
+  execute "semodule-compile-#{new_resource.module_name}" do
+    command make_command
+    not_if "#{make_command} -q", cwd: new_resource.directory # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
+    only_if { use_selinux }
+    cwd new_resource.directory
+  end
+end
+
+# deploy / upgrade module
+# XXX this looks ugly AF because CentOS 6.X doesn't support extracting
+# SELinux modules from the current policy, which I planned on comparing
+# to my compiled file. I'll be happy to see anything else (that works).
+action :install do
+  filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"
+  execute "semodule-install-#{new_resource.module_name}" do
+    command "/usr/sbin/semodule -i #{filename}"
+    only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
+    only_if { use_selinux }
+  end
+end
+
+# deploy should do all three, as it used to do
+action :deploy do
+  run_action(:fetch)
+  run_action(:compile)
+  run_action(:install)
+end
+
+# remove module
+action :remove do
+  execute "semodule-remove-#{new_resource.module_name}" do
+    command "/usr/sbin/semodule -r #{new_resource.module_name}"
+    only_if module_defined(new_resource.module_name)
+    only_if { use_selinux }
+  end
+end

data/cookbooks/selinux_policy/providers/permissive.rb

@@ -0,0 +1,26 @@
+include Chef::SELinuxPolicy::Helpers
+
+# Support whyrun
+def whyrun_supported?
+  true
+end
+
+use_inline_resources
+
+# Create if doesn't exist, do not touch if port is already registered (even under different type)
+action :add do
+  execute "selinux-permissive-#{new_resource.name}-add" do
+    command "/usr/sbin/semanage permissive -a '#{new_resource.name}'"
+    not_if  "/usr/sbin/semanage permissive -l | grep  '^#{new_resource.name}$'"
+    only_if { use_selinux }
+  end
+end
+
+# Delete if exists
+action :delete do
+  execute "selinux-port-#{new_resource.name}-delete" do
+    command "/usr/sbin/semanage permissive -d '#{new_resource.name}'"
+    not_if  "/usr/sbin/semanage permissive -l | grep  '^#{new_resource.name}$'"
+    only_if { use_selinux }
+  end
+end

data/cookbooks/selinux_policy/providers/port.rb

@@ -0,0 +1,58 @@
+include Chef::SELinuxPolicy::Helpers
+
+# Support whyrun
+def whyrun_supported?
+  true
+end
+
+def port_defined(protocol, port, label = nil)
+  base_command = "seinfo --protocol=#{protocol} --portcon=#{port} | awk -F: '$(NF-1) !~ /reserved_port_t$/ {print $(NF-1)}'"
+  grep = if label
+           "grep -P '#{Regexp.escape(label)}'"
+         else
+           'grep -q ^'
+         end
+  "#{base_command} | #{grep}"
+end
+
+def validate_port(port)
+  raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
+end
+
+use_inline_resources
+
+# Create if doesn't exist, do not touch if port is already registered (even under different type)
+action :add do
+  validate_port(new_resource.port)
+  execute "selinux-port-#{new_resource.port}-add" do
+    command "/usr/sbin/semanage port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
+    not_if port_defined(new_resource.protocol, new_resource.port)
+    only_if { use_selinux }
+  end
+end
+
+# Delete if exists
+action :delete do
+  validate_port(new_resource.port)
+  execute "selinux-port-#{new_resource.port}-delete" do
+    command "/usr/sbin/semanage port -d -p #{new_resource.protocol} #{new_resource.port}"
+    only_if port_defined(new_resource.protocol, new_resource.port)
+    only_if { use_selinux }
+  end
+end
+
+action :modify do
+  execute "selinux-port-#{new_resource.port}-modify" do
+    command "/usr/sbin/semanage port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
+    only_if port_defined(new_resource.protocol, new_resource.port)
+    not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
+    only_if { use_selinux }
+  end
+end
+
+action :addormodify do
+  # Try to add new port
+  run_action(:add)
+  # Try to modify existing port
+  run_action(:modify)
+end

data/cookbooks/selinux_policy/recipes/default.rb

@@ -0,0 +1,9 @@
+#
+# Cookbook Name:: selinux_policy
+# Recipe:: default
+#
+# Copyright 2014, BackSlasher
+#
+# GPLv2
+#
+# Nothing's here!

data/cookbooks/selinux_policy/recipes/install.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: selinux_policy
+# Recipe:: install
+#
+# Copyright 2014, BackSlasher
+#
+# GPLv2
+#
+case node['platform_family']
+when 'debian'
+  raise 'Install SELinux manually on Ubuntu. See https://wiki.ubuntu.com/SELinux' if node['platform'] == 'ubuntu'
+  pkgs = ['policycoreutils', 'selinux-policy-dev', 'setools', 'make']
+when 'rhel'
+  case node['platform_version'].to_i
+  when 5
+    # policycoreutils-python does not exist in RHEL5
+    pkgs = ['policycoreutils', 'selinux-policy-devel', 'setools-console', 'make']
+  when 6
+    # selinux-policy-devel does not exist in RHEL6
+    pkgs = ['policycoreutils-python', 'selinux-policy', 'setools-console', 'make']
+  when 7
+    pkgs = ['policycoreutils-python', 'selinux-policy-devel', 'setools-console', 'make']
+  else
+    raise 'Unknown version of RHEL/derivative, cannot determine required package names'
+  end
+when 'fedora'
+  pkgs = ['policycoreutils-python', 'selinux-policy-devel', 'setools-console', 'make']
+else
+  raise 'Unknown distro, cannot determine required package names'
+end
+
+pkgs.each { |p| package p }

data/cookbooks/selinux_policy/resources/boolean.rb

@@ -0,0 +1,8 @@
+# A resource for managing SELinux Booleans
+
+actions :set, :setpersist
+default_action :setpersist
+
+attribute :name, kind_of: String, name_attribute: true
+attribute :value, kind_of: [TrueClass, FalseClass]
+attribute :force, kind_of: [TrueClass, FalseClass], default: false

data/cookbooks/selinux_policy/resources/fcontext.rb

@@ -0,0 +1,8 @@
+# Manages file specs in SELinux
+# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
+
+actions :add, :delete, :modify, :addormodify, :relabel
+default_action :addormodify
+attribute :file_spec, kind_of: String, name_attribute: true
+attribute :secontext, kind_of: String
+attribute :file_type, kind_of: String, default: 'a', equal_to: %w(a f d c b s l p)

data/cookbooks/selinux_policy/resources/module.rb

@@ -0,0 +1,21 @@
+# A resource for managing SE modules
+
+actions :deploy, :fetch, :compile, :install, :remove
+default_action :deploy
+
+attribute :module_name, kind_of: String, name_attribute: true
+attribute :force, kind_of: [TrueClass, FalseClass], default: false
+
+attribute :directory, kind_of: String, default: nil # content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
+def directory(arg = nil)
+  if arg || @directory
+    set_or_return(:directory, arg, kind_of: String)
+  else
+    "#{Chef::Config[:file_cache_path]}/#{module_name}"
+  end
+end
+
+# Content options:
+attribute :content, kind_of: String, default: nil # provide a 'te' file directly. Optional
+attribute :directory_source, kind_of: String, default: nil # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
+attribute :cookbook, kind_of: String, default: nil # Related to directory

data/cookbooks/selinux_policy/resources/permissive.rb

@@ -0,0 +1,6 @@
+# a resource for managing selinux permissive contexts
+
+actions :add, :delete
+default_action :add
+
+attribute :name, kind_of: String, name_attribute: true

data/cookbooks/selinux_policy/resources/port.rb

@@ -0,0 +1,9 @@
+# Manages a port assignment in SELinux
+# See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
+
+actions :add, :delete, :modify, :addormodify
+default_action :addormodify
+
+attribute :port, kind_of: [Integer, String], name_attribute: true
+attribute :protocol, kind_of: String, equal_to: %w(tcp udp)
+attribute :secontext, kind_of: String

data/cookbooks/seven_zip/CHANGELOG.md

@@ -0,0 +1,30 @@
+seven_zip Cookbook CHANGELOG
+========================
+This file is used to list changes made in each version of the seven_zip cookbook.
+
+v2.0.2
+------
+- Add timeout to extract action on seven\_zip resource and configurable default\_extract_timeout attribute.
+
+v2.0.1
+------
+- [GH Issue 21 - NoMethodError: Undefined method or attribute `kernel' on `node'](https://github.com/daptiv/seven_zip/issues/21).
+
+v2.0.0
+------
+- [Upgrade to 7-Zip 15.14](https://github.com/daptiv/seven_zip/pull/9).
+- [7-Zip now installed to the default MSI location by default](https://github.com/daptiv/seven_zip/pull/11).
+- [7z.exe is located using the Windows registry unless the home attribute is explicitly set](https://github.com/daptiv/seven_zip/pull/10).
+- [7-Zip is only added to the Windows PATH if the syspath attribute is set](https://github.com/daptiv/seven_zip/pull/11).
+- [Installation idempotence check was fixed](https://github.com/daptiv/seven_zip/pull/14), package name was corrected.
+- [TravisCI build added](https://github.com/daptiv/seven_zip/pull/12).
+- [ServerSpec tests added](https://github.com/daptiv/seven_zip/pull/9)
+- [Document Archive LRWP](https://github.com/daptiv/seven_zip/pull/6)
+
+v1.0.2
+------
+- [COOK-3476 - Upgrade to 7-zip 9.22](https://tickets.opscode.com/browse/COOK-3476)
+
+1.0.0
+-----
+- initial release

data/cookbooks/seven_zip/README.md

@@ -0,0 +1,108 @@
+[![Cookbook Version](http://img.shields.io/cookbook/v/seven_zip.svg)](https://supermarket.chef.io/cookbooks/seven_zip)
+[![Build status](https://ci.appveyor.com/api/projects/status/y1lsnlkd2b3q6gfd/branch/master?svg=true)](https://ci.appveyor.com/project/ChefWindowsCookbooks65871/seven-zip/branch/master)
+
+# seven_zip Cookbook
+[7-Zip](http://www.7-zip.org/) is a file archiver with a high compression ratio. This cookbook installs the full 7-zip suite of tools (GUI and CLI). This cookbook replaces the older [7-zip cookbook](https://github.com/sneal/7-zip).
+
+# Requirements
+## Platforms
+- Windows XP
+- Windows Vista
+- Windows 7
+- Windows 8, 8.1
+- Windows 10
+- Windows Server 2003 R2
+- Windows Server 2008 (R1, R2)
+- Windows Server 2012 (R1, R2)
+
+## Chef
+- Chef >= 11.6
+
+## Cookbooks
+- windows
+
+# Attributes
+## Optional
+<table>
+  <tr>
+    <th>Key</th>
+    <th>Type</th>
+    <th>Description</th>
+    <th>Default</th>
+  </tr>
+  <tr>
+    <td><code>['seven_zip']['home']</code></td>
+    <td>String</td>
+    <td>7-Zip installation directory.</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td><code>['seven_zip']['syspath']</code></td>
+    <td>Boolean</td>
+    <td>If true, adds 7-zip directory to system PATH environment variable.</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td><code>['seven_zip']['default_extract_timeout']</code></td>
+    <td>Integer</td>
+    <td>The default timeout for an extract operation in seconds. This can be overridden by a resource attribute.</td>
+    <td>600</td>
+  </tr>
+</table>
+
+# Usage
+## default
+
+Add `seven_zip::default` to your run\_list which will download and install 7-zip for the current Windows platform. 
+
+# Resource/Provider
+## seven_zip_archive
+Extracts a 7-zip compatible archive (iso, zip, 7z etc) to the specified destination directory.
+
+#### Actions
+- `:extract` - Extract a 7-zip compatible archive
+
+#### Attribute Parameters
+- `path` - Name attribute. The destination to extract to.
+- `source` - The file path to the archive to extract.
+- `overwrite` - Defaults to false. If true, the destination files will be overwritten.
+- `checksum` - The archive file checksum.
+- `timeout` - The extract action timeout in seconds, defaults to `node['seven_zip']['default_extract_timeout']`.
+
+#### Examples
+Extract 7-zip source files to `C:\seven_zip_source`.
+
+```ruby
+seven_zip_archive 'seven_zip_source' do
+  path      'C:\seven_zip_source'
+  source    'http://www.7-zip.org/a/7z1514-src.7z'
+  overwrite true
+  checksum  '3713aed72728eae8f6649e4803eba0b3676785200c76df6269034c520df4bbd5'
+  timeout   30
+end
+```
+
+# Recipes
+## default
+
+Installs 7-zip and adds it to your system PATH.
+
+# License & Authors
+- Author:: Seth Chisamore (<schisamo@chef.io>)
+- Author:: Shawn Neal (<sneal@sneal.net>)
+
+```text
+Copyright:: 2011-2016, Chef Software, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```

data/cookbooks/seven_zip/attributes/default.rb

@@ -0,0 +1,31 @@
+#
+# Author:: Seth Chisamore (<schisamo@chef.io>)
+# Cookbook Name:: seven_zip
+# Attribute:: default
+#
+# Copyright:: Copyright (c) 2011-2016 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if node['kernel']['machine'] == 'x86_64'
+  default['seven_zip']['url']          = 'http://www.7-zip.org/a/7z1514-x64.msi'
+  default['seven_zip']['checksum']     = 'cefe1a9092d8a6be68468c33910d6206b40e934fb63cab686c5cccf369fbf712'
+  default['seven_zip']['package_name'] = '7-Zip 15.14 (x64 edition)'
+else
+  default['seven_zip']['url']          = 'http://www.7-zip.org/a/7z1514.msi'
+  default['seven_zip']['checksum']     = 'eaf58e29941d8ca95045946949d75d9b5455fac167df979a7f8e4a6bf2d39680'
+  default['seven_zip']['package_name'] = '7-Zip 15.14'
+end
+
+default['seven_zip']['default_extract_timeout'] = 600