moving selinux stuff to rs-mysql (#63)

* moving selinux stuff to rs-mysql * adding notes * removing comments * converting to mixlib FC048 * applying to the whole rhel family * updating rakefile and changelog * Update Rakefile * converting system to sh * pinning windows * locking down windows cookbook for chefspec 3.4.0 and updating rakefile to check master * updating changelog
rightscale-cookbooks · Dec 2, 2016 · 5cfe5fe · 5cfe5fe
1 parent 5aab9a2
commit 5cfe5fe
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,15 @@ rs-mysql Cookbook CHANGELOG
 
 This file is used to list changes made in each version of the rs-mysql cookbook.
 
+v1.2.6
+------
+- fixing selinux permission error when moving directories on centos.
+- updating rake task to check for changelog, and metadata version
+
+v1.2.5
+------
+- Pinning cookbooks and gems for ruby and chef compatibility
+
 v1.2.4
 ------
 

diff --git a/Rakefile b/Rakefile
@@ -14,21 +14,65 @@ task :setup_test_environment do
       cookbook_path            ['.', 'berks-cookbooks/' ]
     EOF
   end
-  system('berks vendor')
+  sh('berks vendor')
+end
+
+desc "verifies version and changelog"
+task :verify_version do
+  def get_old_version
+    f=`git show master:metadata.rb`
+    f.each_line do |line|
+      if line.match(/version/)
+        k,v=line.strip.split
+        @old_version=v
+      end
+    end
+    return @old_version
+  end
+
+  def get_new_version
+    f=File.read('metadata.rb')
+    f.each_line do |line|
+      if line.match(/version/)
+        k,v=line.strip.split
+        @new_version = v
+      end
+    end
+    return @new_version
+  end
+
+  if `git rev-parse --abbrev-ref HEAD`.strip != 'master'
+    puts "Verifying Metdata Version"
+    if get_old_version == get_new_version
+      raise "You need to increment version before test will pass"
+    end
+
+    puts "Verifying Changelog"
+    counter=0
+    f=File.read('CHANGELOG.md')
+    f.each_line do |line|
+      if line.match get_new_version.tr('\'','')
+        counter+=1
+      end
+    end
+    if counter == 0
+      raise "CHANGELOG update needed"
+    end
+  end
 end
 
 desc "runs knife cookbook test"
 task :knife => [ :setup_test_environment ] do
   cmd = "bundle exec knife cookbook test #{cookbook} -c knife.rb"
   puts cmd
-  system(cmd)
+  sh(cmd)
 end
 
 desc "runs foodcritic"
 task :foodcritic do
   cmd = "bundle exec foodcritic --epic-fail any --tags ~FC009 --tags ~FC064 --tags ~FC065 #{directory}"
   puts cmd
-  system(cmd)
+  sh(cmd)
 end
 
 desc "runs foodcritic linttask"
@@ -44,18 +88,18 @@ desc "runs rspec"
 task :rspec do
   cmd = "bundle exec rspec --color --format documentation"
   puts cmd
-  system(cmd)
+  sh(cmd)
 end
 
 desc "runs testkitchen"
 task :kitchen do
   cmd = "chef exec kitchen test --concurrency=2"
   puts cmd
-  system(cmd)
+  sh(cmd)
 end
 
 desc "runs all tests except kitchen"
-task :except_kitchen => [ :knife, :foodcritic, :rspec ] do
+task :except_kitchen => [ :verify_version, :knife, :foodcritic, :rspec ] do
   puts "running all tests except kitchen"
 end
 

diff --git a/files/default/rhel-mysql.te b/files/default/rhel-mysql.te
@@ -0,0 +1,37 @@
+module rhel-mysql 1.0;
+
+require {
+        type mysqld_safe_t;
+        type postfix_pickup_t;
+        type groupadd_t;
+        type mysqld_t;
+        type file_t;
+        type var_lib_t;
+        class lnk_file { read getattr };
+        class dir { create read  write open getattr search remove_name add_name rmdir };
+        class file { create read  write open getattr unlink lock rename };
+        class sock_file { create read write open getattr link unlink };
+}
+
+#============= groupadd_t ==============
+
+allow groupadd_t var_lib_t:file read;
+
+#============= mysqld_safe_t ==============
+
+allow mysqld_safe_t var_lib_t:lnk_file { read getattr };
+
+#============= mysqld_t ==============
+#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
+# mysqld_log_t, mysqld_tmp_t, var_log_t, var_lib_t, var_run_t, mysqld_var_run_t, pcscd_var_run_t, mysqld_db_t, tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t, krb5_host_rcache_t, tmp_t
+
+allow mysqld_t var_lib_t:file { read getattr open };
+allow mysqld_t var_lib_t:lnk_file read;
+
+allow mysqld_t file_t:dir { create getattr search read remove_name add_name write open rmdir };
+allow mysqld_t file_t:file { create read getattr open write unlink lock rename };
+allow mysqld_t file_t:sock_file { create read write open getattr link unlink};
+
+#============= postfix_pickup_t ==============
+
+allow postfix_pickup_t var_lib_t:file { read open };
diff --git a/metadata.rb b/metadata.rb
@@ -4,7 +4,7 @@
 license          'Apache 2.0'
 description      'Installs and configures a MySQL server'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '1.2.5'
+version          '1.2.6'
 
 depends 'chef_handler', '~> 1.1.6'
 depends 'marker', '~> 1.0.1'
@@ -23,6 +23,7 @@
 depends 'dmg', '~> 2.4.0'
 depends 'build-essential', '~> 1.4' # pinned for compatiblity with mysql
 depends 'postgresql', '= 3.4.16'
+depends 'windows', '= 1.44.0'
 
 recipe 'rs-mysql::default', 'Sets up a standalone MySQL server'
 recipe 'rs-mysql::collectd', 'Sets up collectd monitoring for MySQL server'

diff --git a/recipes/default.rb b/recipes/default.rb
@@ -16,6 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+require 'mixlib/shellout'
 
 marker 'recipe_start_rightscale' do
   template 'rightscale_audit_entry.erb'
@@ -44,7 +45,38 @@
         end
       end
     end
+  end
+end
+
+if node['platform_family'] == 'rhel'
+  #verify getenforce exists on the install
+  if ::File.exist?('/usr/sbin/getenforce')
+    #if selinux is set to enforcing instead of permissive, update mysqld access
+    if Mixlib::ShellOut.new("/usr/sbin/getenforce").run_command.stdout.strip.downcase == 'enforcing'
+      cookbook_file ::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.te') do
+        source 'rhel-mysql.te'
+        owner 'root'
+        group 'root'
+        mode '0644'
+        action :create
+      end
+
+      execute 'mysql:compile selinux te to module' do
+        command "checkmodule -M -m -o #{::File.join(Chef::Config[:file_cache_path],'rhel-mysql.mod')} #{::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.te')}"
+        action :run
+      end
+
+      execute 'mysql:package selinux module' do
+        command "semodule_package -m #{::File.join(Chef::Config[:file_cache_path],'rhel-mysql.mod')} -o #{::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.pp')}"
+        action :run
+      end
 
+      execute 'fix selinux' do
+        command "semodule -i #{::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.pp')}"
+        action :run
+      end
+      node.default['mysql']['tunable']['log-error'] = '/var/log/mysql/error.log'
+    end
   end
 end