cookbook 'selinux', '= 1.0.1'
selinux
(61) Versions
1.0.1
-
-
6.2.1
-
6.2.0
-
6.1.19
-
6.1.18
-
6.1.17
-
6.1.16
-
6.1.15
-
6.1.14
-
6.1.13
-
6.1.12
-
6.1.11
-
6.1.10
-
6.1.9
-
6.1.8
-
6.1.7
-
6.1.6
-
6.1.5
-
6.1.4
-
6.1.3
-
6.1.2
-
6.1.1
-
6.1.0
-
6.0.7
-
6.0.6
-
6.0.5
-
6.0.4
-
6.0.3
-
6.0.2
-
6.0.1
-
6.0.0
-
5.1.1
-
5.1.0
-
5.0.0
-
4.0.0
-
3.1.1
-
3.1.0
-
3.0.2
-
3.0.1
-
3.0.0
-
2.1.1
-
2.1.0
-
2.0.3
-
2.0.2
-
2.0.1
-
2.0.0
-
1.0.4
-
1.0.3
-
1.0.2
-
1.0.1
-
1.0.0
-
0.9.0
-
0.8.0
-
0.7.2
-
0.7.0
-
0.6.2
-
0.6.0
-
0.5.6
-
0.5.4
-
0.5.2
-
0.5.0
-
0.1.0
Follow73
- 6.2.1
- 6.2.0
- 6.1.19
- 6.1.18
- 6.1.17
- 6.1.16
- 6.1.15
- 6.1.14
- 6.1.13
- 6.1.12
- 6.1.11
- 6.1.10
- 6.1.9
- 6.1.8
- 6.1.7
- 6.1.6
- 6.1.5
- 6.1.4
- 6.1.3
- 6.1.2
- 6.1.1
- 6.1.0
- 6.0.7
- 6.0.6
- 6.0.5
- 6.0.4
- 6.0.3
- 6.0.2
- 6.0.1
- 6.0.0
- 5.1.1
- 5.1.0
- 5.0.0
- 4.0.0
- 3.1.1
- 3.1.0
- 3.0.2
- 3.0.1
- 3.0.0
- 2.1.1
- 2.1.0
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.0.4
- 1.0.3
- 1.0.2
- 1.0.1
- 1.0.0
- 0.9.0
- 0.8.0
- 0.7.2
- 0.7.0
- 0.6.2
- 0.6.0
- 0.5.6
- 0.5.4
- 0.5.2
- 0.5.0
- 0.1.0
Manages SELinux policy state and rules.
cookbook 'selinux', '= 1.0.1', :supermarket
knife supermarket install selinux
knife supermarket download selinux
SELinux Cookbook
The SELinux (Security Enhanced Linux) cookbook provides recipes for manipulating SELinux policy enforcement state.
SELinux can have one of 3 settings
- Enforcing
- Watches all system access checks, stops all 'Denied access'
- Default mode on RHEL systems
- Permissive
- Allows access but reports violations
- Disabled
- Disables SELinux from the system but is only read at boot time. If you set this flag, you must reboot.
Disable SELinux only if you plan to not use it. Use Permissive
mode if you just need to debug your system.
Requirements
- Chef 12.5 or higher
Platform:
The following platforms have been tested with Test Kitchen:
centos-6
centos-7
On debian and ubuntu systems if you want to enable SELinux you will need to do a few extra steps. As these are potentially destructive, rather than adding them to this cookbook adding this information here:
-
selinux-activate - Running
selinux-activate
will add parameters to the kernel, update grub configuration files, and set the file system to relabel upon reboot - reboot for settings to take effect.
Usage
Attributes
-
node['selinux']['booleans']
- A hash of SELinux boolean names and the values they should be set to. Values can be off, false, or 0 to disable; or on, true, or 1 to enable.
Resources Overview
selinux_state
The selinux_state
resource is used to manage the SELinux state on the
system. It does this by using the setenforce
command and rendering
the /etc/selinux/config
file from a template.
Actions
-
:nothing
- default action, does nothing -
:enforcing
- Sets SELinux to enforcing. -
:disabled
- Sets SELinux to disabled. -
:permissive
- Sets SELinux to permissive.
Attributes
-
temporary
- true, false, default false. Allows the temporary change between permisive and enabled states which don't require a reboot. -
selinuxtype
- targeted, mls, default targeted. Determines the policy that will be configured in the/etc/selinux/config
file. The default value istargeted
which enables selinux in a mode where only selected processes are protected.mls
is multilevel security which enables selinux in a mode where all processes are protected. #### Examples
Simply set SELinux to enforcing or permissive:
selinux_state "SELinux Enforcing" do
action :enforcing
end
selinux_state "SELinux Permissive" do
action :permissive
end
The action here is based on the value of the
node['selinux']['state']
attribute, which we convert to lower-case
and make a symbol to pass to the action.
selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
action node['selinux']['state'].downcase.to_sym
end
selinux_install
The selinux_install
resource is used to encapsulate the set of selinux packages to install in order to manage selinux. It also ensures the directory /etc/selinux
is created.
Recipes
All recipes will deprecate in the near future as they are just using the selinux_state
resource.
default
The default recipe will use the attribute node['selinux']['state']
in the selinux_state
LWRP's action. By default, this will be :enforcing
.
enforcing
This recipe will use :enforcing
as the selinux_state
action.
permissive
This recipe will use :permissive
as the selinux_state
action.
disabled
This recipe will use :disabled
as the selinux_state
action.
Usage
By default, this cookbook will have SELinux enforcing by default, as
the default recipe uses the node['selinux']['state']
attribute,
which is "enforcing." This is in line with the policy of enforcing by
default on RHEL family distributions.
You can simply set the attribute in a role applied to the node:
name "base"
description "Base role applied to all nodes."
default_attributes(
"selinux" => {
"state" => "permissive"
}
)
Or, you can apply the recipe to the run list (e.g., in a role):
name "base"
description "Base role applied to all nodes."
run_list(
"recipe[selinux::permissive]",
)
License & Authors
Author: Sean OMeara (sean@sean.io)
Author: Joshua Timberman (joshua@chef.io)
Author: Jennifer Davis (sigje@chef.io)
Copyright: 2008-2017, Chef Software, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
selinux Cookbook CHANGELOG
1.0.1 (2017-02-26)
- Fix logic error in the permissive state change
1.0.0 (2017-02-26)
- Update to current cookbook engineering standards
- Removed property
state
of resourceselinux_state
asstate
overwrites an existing method. Chef 13 exception fix. - Rewrite LWRP to 12.5 resources
- Resolved cookstyle errors
- Update package information for debian based on https://debian-handbook.info/browse/stable/sect.selinux.html
- selinux-activate looks like it's required to ACTUALLY activate selinux on non-RHEL systems. This seems like it could be destructive if unexpected.
- Add property temporary to allow for switching between permissive and enabled
- Add install resource
v0.9.0 (2015-02-22)
- Initial Debian / Ubuntu support
- Various bug fixes
v0.8.0 (2014-04-23)
- [COOK-4528] - Fix selinux directory permissions
- [COOK-4562] - Basic support for Ubuntu/Debian
v0.7.2 (2014-03-24)
handling minimal installs
v0.7.0 (2014-02-27)
[COOK-4218] Support setting SELinux boolean values
v0.6.2
- Fixing bug introduced in 0.6.0
- adding basic test-kitchen coverage
v0.6.0
- [COOK-760] - selinux enforce/permit/disable based on attribute
v0.5.6
- [COOK-2124] - enforcing recipe fails if selinux is disabled
v0.5.4
- [COOK-1277] - disabled recipe fails on systems w/o selinux installed
v0.5.2
- [COOK-789] - fix dangling commas causing syntax error on some rubies
v0.5.0
- [COOK-678] - add the selinux cookbook to the repository
- Use main selinux config file (/etc/selinux/config)
- Use getenforce instead of selinuxenabled for enforcing and permissive
Collaborator Number Metric
1.0.1 passed this metric
Foodcritic Metric
1.0.1 passed this metric
License Metric
1.0.1 failed this metric
selinux does not have a valid open source license.
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.
1.0.1 passed this metric
1.0.1 passed this metric
License Metric
1.0.1 failed this metric
selinux does not have a valid open source license.
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.
1.0.1 failed this metric
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.