Library cookbook refactor (sous-chefs#74)

* Library refactoring

1. Restore support for Debian based distros.
2. Correct chef workstation package name in Travis config.
3. Linting fixes.
4. Add CentOS 8 testing.
5. Add Debian 10 testing.
6. Set all resources unified_mode
7. Create selinux_boolean resource
8. Remove attributes and recipes
9. Refactor install resource
10. Refactor selinux_state resource
11. Add description to resource properties

* Split kitchen tests into state groups
* Refactor module resource and libraries

Refactor libraries and resource to remove complexity due to SELinux
CIL which removes module version numbers and thus the need to check
them.

* Add content support to module resource
* Don't attempt to set illegal selinux states
* Add some basic recipes
* Add platforms to new testing config
* Add automatic restart function to state resource
* Set correct policy on Debian platforms
* Increase kitchen reboot wait time and set root_path for Debian
* Skip boolean action if disabled
* Debian requires a module loading to allow module loading
  Yes, you read that correctly ;)
* Add additional modules actions and add filepath helper method
* Ubuntu kitchen required selinux modules and disable 18.04 enforcing CI

.github/workflows/ci.yml

@@ -42,10 +42,18 @@ jobs:
         os:
           - centos-7
           - centos-8
-          # TODO: reenable once https://github.com/chef/bento/issues/1333 is fixed
-          # - fedora-latest
+          - centos-stream-8
+          # - fedora-latest # TODO: reenable once https://github.com/chef/bento/issues/1333 is fixed
+          - debian-10
+          - ubuntu-1804
+          - ubuntu-2004
         suite:
-          - default
+          - enforcing
+          - permissive
+          - disabled
+        exclude:
+          - os: ubuntu-1804
+            suite: enforcing
       fail-fast: false
 
     steps:

Berksfile

@@ -3,7 +3,5 @@ source 'https://supermarket.chef.io'
 metadata
 
 group :unit do
-  cookbook 'selinux_state_test', path: 'test/fixtures/cookbooks/selinux_state_test'
-  cookbook 'selinux_module_test', path: 'test/fixtures/cookbooks/selinux_module_test'
-  cookbook 'selinux_install_test', path: 'test/fixtures/cookbooks/selinux_install_test'
+  cookbook 'selinux_test', path: 'test/cookbooks/selinux_test'
 end

CHANGELOG.md

@@ -4,6 +4,16 @@ This file is used to list changes made in each version of the selinux cookbook.
 
 ## Unreleased
 
+### Note: With version 5.0.0 the default recipe has been removed
+
+- Major refactoring
+- Restore support for Debian based distros
+- All resources now use unified_mode
+- Added selinux_boolean resource
+- Remove attributes and default recipe
+  - Replaced with a set of bare recipes for the three selinux states
+- Add automatic restart function to `selinux_state` resource
+
 ## 4.0.0 - *2021-07-21*
 
 - Sous Chefs adoption

README.md

@@ -31,167 +31,22 @@ Disable SELinux only if you plan to not use it. Use `Permissive` mode if you jus
 
 - Chef 15.3 or higher
 
-## Platform:
+## Platform
 
 - RHEL 7+
+- CentOS 7+
+- Fedora
+- Ubuntu
+- Debian
 
-## Attributes
+## Resources
 
-- `node['selinux']['state']` - The SELinux policy enforcement state. The state to set by default, to match the default SELinux state on RHEL. Can be "enforcing", "permissive", "disabled"
-- `node['selinux']['booleans']` - A hash of SELinux boolean names and the values they should be set to. Values can be off, false, or 0 to disable; or on, true, or 1 to enable.
-- `node['selinux']['install_mcstrans_package']` - Install mcstrans package, Default is `true`. If don't want to install mcstrans package, sets as a `false`
+The following resources are provided:
 
-## Resources Overview
-
-### selinux_state
-
-The `selinux_state` resource is used to manage the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template.
-
-### selinux_module
-
-This provider is intended to be part of the SELinux analysis workflow using tools like `audit2allow`.
-
-#### Actions
-
-- `:create`: install the module;
-- `:remove`: remove the module;
-
-#### Options
-
-- `source`: SELinux `.te` file, to be parsed, compiled and deployed as module. If simple basename informed, the provider will first look into `files/default/selinux` directory;
-- `base_dir`: Base directory to create and manage SELinux files, by default is `/etc/selinux/local`;
-- `force`: Boolean. Indicates if provider should re-install the same version of SELinux module already installed, in case the source `.te` file changes;
-
-### selinux_state
-
-The `selinux_state` resource is used to manage the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template.
-
-#### Actions
-
-- `:nothing`: default action, does nothing
-- `:enforcing`: Sets SELinux to enforcing.
-- `:disabled`: Sets SELinux to disabled.
-- `:permissive`: Sets SELinux to permissive.
-
-#### Properties
-
-- `temporary` - true, false, default false. Allows the temporary change between permissive and enabled states which don't require a reboot.
-- `selinuxtype` - targeted, mls, default targeted. Determines the policy that will be configured in the `/etc/selinux/config` file. The default value is `targeted` which enables selinux in a mode where only selected processes are protected. `mls` is multilevel security which enables selinux in a mode where all processes are protected.
-
-### Examples
-
-#### Managing SELinux State (`selinux_state`)
-
-Simply set SELinux to enforcing or permissive:
-
-```ruby
-selinux_state "SELinux Enforcing" do
-  action :enforcing
-end
-
-selinux_state "SELinux Permissive" do
-  action :permissive
-end
-```
-
-The action here is based on the value of the `node['selinux']['state']` attribute, which we convert to lower-case and make a symbol to pass to the action.
-
-```ruby
-selinux_state "SELinux #{node['selinux']['state'].capitalize}" do
-  action node['selinux']['state'].downcase.to_sym
-end
-```
-
-The action here is based on the value of the `node['selinux']['status']` attribute, which we convert to lower-case and make a symbol to pass to the action.
-
-```ruby
-selinux_state "SELinux #{node['selinux']['status'].capitalize}" do
-  action node['selinux']['status'].downcase.to_sym
-end
-```
-
-#### Managing SELinux Modules (`selinux_module`)
-
-Consider the following steps to obtain a `.te` file, the rule description format employed on SELinux
-
-1. Add `selinux` to your `metadata.rb`, as for instance: `depends 'selinux', '>= 0.10.0'`;
-2. Run your SELinux workflow, and add `.te` files on your cookbook files, preferably under `files/default/selinux` directory;
-3. Write recipes using `selinux_module` provider;
-
-#### SELinux `audit2allow` Workflow
-
-This provider was written with the intention of matching the workflow of `audit2allow` (provided by package `policycoreutils`), which basically will be:
-
-1. Test application and inspect `/var/log/audit/audit.log` log-file with a command like this basic example: `grep AVC /var/log/audit/audit.log |audit2allow -M my_application`;
-2. Save `my_application.te` SELinux module source, copy into your cookbook under `files/default/selinux/my_application.te`;
-3. Make use of `selinux` provider on a recipe, after adding it as a dependency;
-
-For example, add the following on the recipe level:
-
-```ruby
-selinux_module 'MyApplication SELinux Module' do
-  source 'my_application.te'
-  action :create
-end
-```
-
-Module name is defined on `my_application.te` file contents, please note this input, is used during `:remove` action. For instance:
-
-```ruby
-selinux_module 'my_application' do
-  action :remove
-end
-```
-
-### selinux_install
-
-The `selinux_install` resource is used to encapsulate the set of selinux packages to install in order to manage selinux. It also ensures the directory `/etc/selinux` is created.
-
-## Recipes
-
-All recipes will deprecate in the near future as they are just using the `selinux_state` resource.
-
-### default
-
-The default recipe will use the attribute `node['selinux']['status']` in the `selinux_state` resource's action. By default, this will be `:enforcing`.
-
-### enforcing
-
-This recipe will use `:enforcing` as the `selinux_state` action.
-
-### permissive
-
-This recipe will use `:permissive` as the `selinux_state` action.
-
-### disabled
-
-This recipe will use `:disabled` as the `selinux_state` action.
-
-## Usage
-
-By default, this cookbook will have SELinux enforcing by default, as the default recipe uses the `node['selinux']['status']` attribute, which is "enforcing." This is in line with the policy of enforcing by default on RHEL family distributions.
-
-You can simply set the attribute in a role applied to the node:
-
-```ruby
-name "base"
-description "Base role applied to all nodes."
-default_attributes(
-  "selinux" => {
-    "status" => "permissive"
-  }
-)
-```
-
-Or, you can apply the recipe to the run list (e.g., in a role):
-
-```ruby
-name "base"
-description "Base role applied to all nodes."
-run_list(
-  "recipe[selinux::permissive]",
-)
-```
+- [selinux_boolean](documentation/selinux_boolean.md)
+- [selinux_install](documentation/selinux_install.md)
+- [selinux_module](documentation/selinux_module.md)
+- [selinux_state](documentation/selinux_state.md)
 
 ## Maintainers
 

documentation/selinux_boolean.md

@@ -0,0 +1,46 @@
+[Back to resource list](../README.md#resources)
+
+# selinux_boolean
+
+Set SELinux boolean values.
+
+Introduced: v4.0.0
+
+## Actions
+
+- `:set`
+
+## Properties
+
+| Name         | Type                         | Default | Description                                     | Allowed Values |
+| ------------ | ---------------------------- | ------- | ----------------------------------------------- | -------------- |
+| `boolean`    | String                       |         | SELinux boolean to set                          |                |
+| `value`      | Integer, String, true, false |         | SELinux boolean value                           | `on`, `off`    |
+| `persistent` | true, false                  | true    | Set to true for value setting to survive reboot |                |
+
+## Examples
+
+```ruby
+selinux_boolean 'ssh_keysign' do
+  value true
+end
+
+```
+
+```ruby
+selinux_boolean 'staff_exec_content' do
+  value false
+end
+```
+
+```ruby
+selinux_boolean 'ssh_sysadm_login' do
+  value 'on'
+end
+```
+
+```ruby
+selinux_boolean 'squid_connect_any' do
+  value 'off'
+end
+```

documentation/selinux_install.md

@@ -0,0 +1,46 @@
+[Back to resource list](../README.md#resources)
+
+# selinux_install
+
+The `selinux_install` resource is used to encapsulate the set of selinux packages to install in order to manage selinux. It also ensures the directory `/etc/selinux` is created.
+
+Introduced: v4.0.0
+
+## Actions
+
+- `:install`
+- `:upgrade`
+- `:remove`
+
+## Properties
+
+| Name       | Type          | Default                    | Description                 |
+| ---------- | ------------- | -------------------------- | --------------------------- |
+| `packages` | String, Array | `default_install_packages` | SELinux packages for system |
+
+## Examples
+
+### Default installation
+
+```ruby
+selinux_install '' do
+  action :install
+end
+```
+
+### Install with excluded packages
+
+```ruby
+selinux_install '' do
+  packages_exclude %w(policycoreutils selinux-policy selinux-policy-targeted )
+  action :install
+end
+```
+
+### Uninstall
+
+```ruby
+selinux_install '' do
+  action :remove
+end
+```