author | John McCrae <john.mccrae@progress.com> | 2023-03-07 14:14:41 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-03-07 14:14:41 -0800 |
commit | 36371b5f8ffa96c587286ac97a465d9f18c627ac (patch) | |
tree | 6ff45eb1ca45425a30dfe6b5432366d6578ebd99 /lib/chef | |
parent | 103f17e4e3ab1c59f6385ab5539a9213411983c1 (diff) | |
parent | 83ad814c23d2b55411bd2f8d9e412008cfb81368 (diff) | |
Merge branch 'main' into jfm/chef18_test_buildjfm/chef18_test_build
Diffstat (limited to 'lib/chef')
-rw-r--r-- | lib/chef/resource/macos_userdefaults.rb | 14 | ||||
-rw-r--r-- | lib/chef/resource/selinux_login.rb | 129 | ||||
-rw-r--r-- | lib/chef/resource/selinux_user.rb | 137 | ||||
-rw-r--r-- | lib/chef/resources.rb | 2 | ||||
-rw-r--r-- | lib/chef/version.rb | 2 |
5 files changed, 278 insertions, 6 deletions
diff --git a/lib/chef/resource/macos_userdefaults.rb b/lib/chef/resource/macos_userdefaults.rb
index 7559990d3a..558188c932 100644
--- a/lib/chef/resource/macos_userdefaults.rb
+++ b/lib/chef/resource/macos_userdefaults.rb
@@ -50,15 +50,17 @@ class Chef
end
```
- **Specifying the type of a key to skip automatic type detection**
+ **Setting a value for specific user and hosts**
```ruby
- macos_userdefaults 'Finder expanded save dialogs' do
- key 'NSNavPanelExpandedStateForSaveMode'
- value 'TRUE'
- type 'bool'
+ macos_userdefaults 'Enable macOS firewall' do
+ key 'globalstate'
+ value 1
+ user 'jane'
+ host :current
end
```
+
DOC
property :domain, String,
@@ -79,6 +81,7 @@ class Chef
property :host, [String, Symbol],
description: "Set either :current, :all or a hostname to set the user default at the host level.",
+ default: :all,
desired_state: false,
introduced: "16.3"
@@ -94,6 +97,7 @@ class Chef
property :user, [String, Symbol],
description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
+ default: :current,
desired_state: false
property :sudo, [TrueClass, FalseClass],
diff --git a/lib/chef/resource/selinux_login.rb b/lib/chef/resource/selinux_login.rb
new file mode 100644
index 0000000000..f634b2cb9c
--- /dev/null
+++ b/lib/chef/resource/selinux_login.rb
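Review bot: The new example under **Setting a value for specific user and hosts** never sets `domain`, and the application firewall's `globalstate` key lives in the system-level `/Library/Preferences/com.apple.alf` plist rather than in a per-user default, so writing it with `user 'jane'` and `host :current` is unlikely to do what the title promises; if `domain` is the name property, as the truncated `property :domain, String,` declaration suggests, the block name 'Enable macOS firewall' would silently be used as the domain. I would either complete the example with `domain '/Library/Preferences/com.apple.alf'` and `sudo true` (the resource exposes `:sudo`), or switch to a genuinely per-user key such as `domain 'com.apple.finder'` / `key 'ShowHardDrivesOnDesktop'` / `value true`. The `default: :all` and `default: :current` lines in the second and third hunks also change what a block that omits `host`/`user` writes compared with the previous nil, which deserves a mention in each description, e.g. `description: "... Defaults to :all."`.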
@@ -0,0 +1,129 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+ class Resource
+ class SelinuxLogin < Chef::Resource
+ unified_mode true
+
+ provides :selinux_login
+
+ description "Use the **selinux_login** resource to add, update, or remove SELinux user to OS login mappings."
+ introduced "18.1"
+ examples <<~DOC
+ **Manage test OS user mapping with a range of s0 and associated SELinux user test_u**:
+
+ ```ruby
+ selinux_login 'test' do
+ user 'test_u'
+ range 's0'
+ end
+ ```
+ DOC
+
+ property :login, String,
+ name_property: true,
+ description: "An optional property to set the OS user login value if it differs from the resource block's name."
+
+ property :user, String,
+ description: "SELinux user to be mapped."
+
+ property :range, String,
+ description: "MLS/MCS security range for the SELinux user."
+
+ load_current_value do |new_resource|
+ logins = shell_out!("semanage login -l").stdout.split("\n")
+
+ current_login = logins.grep(/^#{Regexp.escape(new_resource.login)}\s+/) do |l|
+ l.match(/^(?<login>[^\s]+)\s+(?<user>[^\s]+)\s+(?<range>[^\s]+)/)
+ # match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
+ end.shift
+
+ current_value_does_not_exist! unless current_login
+
+ # Existing resources should maintain their current configuration unless otherwise specified
+ new_resource.user ||= current_login[:user]
+ new_resource.range ||= current_login[:range]
+
+ user current_login[:user]
+ range current_login[:range]
+ end
+
+ action_class do
+ include Chef::SELinux::CommonHelpers
+
+ def semanage_login_args
+ # Generate arguments for semanage login -a or -m
+ args = ""
+
+ args += " -s #{new_resource.user}" if new_resource.user
+ args += " -r #{new_resource.range}" if new_resource.range
+
+ args
+ end
+ end
+
+ action :manage, description: "Sets the SELinux login mapping to the desired settings regardless of previous state." do
+ run_action(:add)
+ run_action(:modify)
+ end
+
+ # Create if doesn't exist, do not touch if user already exists
+ action :add, description: "Creates the SELinux login mapping if not previously created." do
+ raise "The user property must be populated to create a new SELinux login" if new_resource.user.to_s.empty?
+
+ if selinux_disabled?
+ Chef::Log.warn("Unable to add SELinux login #{new_resource.login} as SELinux is disabled")
+ return
+ end
+
+ unless current_resource
+ converge_if_changed do
+ shell_out!("semanage login -a#{semanage_login_args} #{new_resource.login}")
+ end
+ end
+ end
+
+ # Only modify port if it exists & doesn't have the correct context already
+ action :modify, description: "Updates the SELinux login mapping if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to modify SELinux login #{new_resource.login} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_if_changed do
+ shell_out!("semanage login -m#{semanage_login_args} #{new_resource.login}")
+ end
+ end
+ end
+
+ # Delete if exists
+ action :delete, description: "Removes the SELinux login mapping if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to delete SELinux login #{new_resource.login} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_by "deleting SELinux login #{new_resource.login}" do
+ shell_out!("semanage login -d #{new_resource.login}")
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/chef/resource/selinux_user.rb b/lib/chef/resource/selinux_user.rb
new file mode 100644
index 0000000000..ca8d69c919
--- /dev/null
+++ b/lib/chef/resource/selinux_user.rb
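Review bot: Every `shell_out!` in the new actions is a single interpolated shell string — `shell_out!("semanage login -a#{semanage_login_args} #{new_resource.login}")` and its `-m`/`-d` siblings — so `login`, `user` and `range` reach the shell unquoted, and a value containing whitespace or metacharacters (the `login` name property is the kind of thing that arrives from node attributes or data bags) splits into extra arguments or is interpreted as a command. Passing the command as an argument list keeps the values out of the shell entirely; `semanage_login_args` can return an array to fit that, as sketched below. Separately, `load_current_value` runs `semanage login -l` unconditionally and before any action reaches its `selinux_disabled?` guard, so on a host where `semanage` is missing or refuses to run the resource raises from `shell_out!` rather than logging the warning the actions intend — presumably that call wants the same guard; likewise the `raise` at the top of `:add` fires before the disabled check. The comment above `:modify`, `# Only modify port if it exists & doesn't have the correct context already`, is copied from the port resource and should read `# Only modify the login mapping if it exists & doesn't already match`.
```ruby
def semanage_login_args
  # Argument list for `semanage login -a|-m`, returned as an array so the
  # property values are handed to the process verbatim, never via a shell.
  args = []
  args.push("-s", new_resource.user) if new_resource.user
  args.push("-r", new_resource.range) if new_resource.range
  args
end
# … unchanged: :manage action …
shell_out!("semanage", "login", "-a", *semanage_login_args, new_resource.login)
# … unchanged: guards and converge_if_changed around the :modify call …
shell_out!("semanage", "login", "-m", *semanage_login_args, new_resource.login)
# … unchanged: :delete guard and converge_by …
shell_out!("semanage", "login", "-d", new_resource.login)
```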
@@ -0,0 +1,137 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+ class Resource
+ class SelinuxUser < Chef::Resource
+ unified_mode true
+
+ provides :selinux_user
+
+ description "Use the **selinux_user** resource to add, update, or remove SELinux users."
+ introduced "18.1"
+ examples <<~DOC
+ **Manage test_u SELinux user with a level and range of s0 and roles sysadm_r and staff_r**:
+
+ ```ruby
+ selinux_user 'test_u' do
+ level 's0'
+ range 's0'
+ roles %w(sysadm_r staff_r)
+ end
+ ```
+ DOC
+
+ property :user, String,
+ name_property: true,
+ description: "An optional property to set the SELinux user value if it differs from the resource block's name."
+
+ property :level, String,
+ description: "MLS/MCS security level for the SELinux user."
+
+ property :range, String,
+ description: "MLS/MCS security range for the SELinux user."
+
+ property :roles, Array,
+ description: "Associated SELinux roles for the user.",
+ coerce: proc { |r| Array(r).sort }
+
+ load_current_value do |new_resource|
+ users = shell_out!("semanage user -l").stdout.split("\n")
+
+ current_user = users.grep(/^#{Regexp.escape(new_resource.user)}\s+/) do |u|
+ u.match(/^(?<user>[^\s]+)\s+(?<prefix>[^\s]+)\s+(?<level>[^\s]+)\s+(?<range>[^\s]+)\s+(?<roles>.*)$/)
+ # match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
+ end.shift
+
+ current_value_does_not_exist! unless current_user
+
+ # Existing resources should maintain their current configuration unless otherwise specified
+ new_resource.level ||= current_user[:level]
+ new_resource.range ||= current_user[:range]
+ new_resource.roles ||= current_user[:roles].to_s.split.sort
+
+ level current_user[:level]
+ range current_user[:range]
+ roles current_user[:roles].to_s.split.sort
+ end
+
+ action_class do
+ include Chef::SELinux::CommonHelpers
+
+ def semanage_user_args
+ # Generate arguments for semanage user -a or -m
+ args = ""
+
+ args += " -L #{new_resource.level}" if new_resource.level
+ args += " -r #{new_resource.range}" if new_resource.range
+ args += " -R '#{new_resource.roles.join(" ")}'" unless new_resource.roles.to_a.empty?
+
+ args
+ end
+ end
+
+ action :manage, description: "Sets the SELinux user to the desired settings regardless of previous state." do
+ run_action(:add)
+ run_action(:modify)
+ end
+
+ # Create if doesn't exist, do not touch if user already exists
+ action :add, description: "Creates the SELinux user if not previously created." do
+ raise "The roles property must be populated to create a new SELinux user" if new_resource.roles.to_a.empty?
+
+ if selinux_disabled?
+ Chef::Log.warn("Unable to add SELinux user #{new_resource.user} as SELinux is disabled")
+ return
+ end
+
+ unless current_resource
+ converge_if_changed do
+ shell_out!("semanage user -a#{semanage_user_args} #{new_resource.user}")
+ end
+ end
+ end
+
+ # Only modify port if it exists & doesn't have the correct context already
+ action :modify, description: "Updates the SELinux user if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to modify SELinux user #{new_resource.user} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_if_changed do
+ shell_out!("semanage user -m#{semanage_user_args} #{new_resource.user}")
+ end
+ end
+ end
+
+ # Delete if exists
+ action :delete, description: "Removes the SELinux user if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to delete SELinux user #{new_resource.user} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_by "deleting SELinux user #{new_resource.user}" do
+ shell_out!("semanage user -d #{new_resource.user}")
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 0d310f8bea..ca8e5f28c3 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -127,10 +127,12 @@ require_relative "resource/script"
require_relative "resource/selinux_boolean"
require_relative "resource/selinux_fcontext"
require_relative "resource/selinux_install"
+require_relative "resource/selinux_login"
require_relative "resource/selinux_module"
require_relative "resource/selinux_permissive"
require_relative "resource/selinux_port"
require_relative "resource/selinux_state"
+require_relative "resource/selinux_user"
require_relative "resource/service"
require_relative "resource/sudo"
require_relative "resource/sysctl"
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index 4670020f8d..08bc3df8ae 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
@@ -23,7 +23,7 @@ require_relative "version_string"
class Chef
CHEF_ROOT = File.expand_path("..", __dir__)
- VERSION = Chef::VersionString.new("18.1.29")
+ VERSION = Chef::VersionString.new("18.1.31")
end
# |
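Review bot: `semanage_user_args` hand-quotes the role list as `-R '#{new_resource.roles.join(" ")}'` and the result is run through `shell_out!` as one shell string (`shell_out!("semanage user -a#{semanage_user_args} #{new_resource.user}")` and the `-m`/`-d` calls), so a role, `level`, `range` or `user` value containing a quote, whitespace or other metacharacter breaks the command or is interpreted by the shell; `level` and `range` are interpolated with no quoting at all. Passing an argument list, with `semanage_user_args` returning an array as sketched below, keeps every value out of the shell and removes the need for the manual quoting. Separately, `load_current_value` runs `semanage user -l` unconditionally, before any action reaches its `selinux_disabled?` guard, so on a host where that command fails the resource raises from `shell_out!` instead of logging the warning the actions intend, and the `raise` on empty `roles` at the top of `:add` likewise fires before the disabled check. The `# Only modify port if it exists ...` comment above `:modify` is a leftover from the port resource and should read `# Only modify the user if it exists & doesn't already match`.
```ruby
def semanage_user_args
  # Argument list for `semanage user -a|-m`; an array keeps level, range and
  # the space-joined role list out of the shell, so no hand quoting is needed.
  args = []
  args.push("-L", new_resource.level) if new_resource.level
  args.push("-r", new_resource.range) if new_resource.range
  args.push("-R", new_resource.roles.join(" ")) unless new_resource.roles.to_a.empty?
  args
end
# … unchanged: :manage action …
shell_out!("semanage", "user", "-a", *semanage_user_args, new_resource.user)
# … unchanged: guards and converge_if_changed around the :modify call …
shell_out!("semanage", "user", "-m", *semanage_user_args, new_resource.user)
# … unchanged: :delete guard and converge_by …
shell_out!("semanage", "user", "-d", new_resource.user)
```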