From 5cfe5fe98cdc648b591c032898f3cf71a93532b9 Mon Sep 17 00:00:00 2001 From: Richard Shade Date: Fri, 2 Dec 2016 16:53:03 -0600 Subject: [PATCH] moving selinux stuff to rs-mysql (#63) * moving selinux stuff to rs-mysql * adding notes * removing comments * converting to mixlib FC048 * applying to the whole rhel family * updating rakefile and changelog * Update Rakefile * converting system to sh * pinning windows * locking down windows cookbook for chefspec 3.4.0 and updating rakefile to check master * updating changelog --- CHANGELOG.md | 9 ++++++ Rakefile | 56 +++++++++++++++++++++++++++++++++---- files/default/rhel-mysql.te | 37 ++++++++++++++++++++++++ metadata.rb | 3 +- recipes/default.rb | 32 +++++++++++++++++++++ 5 files changed, 130 insertions(+), 7 deletions(-) create mode 100644 files/default/rhel-mysql.te diff --git a/CHANGELOG.md b/CHANGELOG.md index f5724fa..d91e37f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,15 @@ rs-mysql Cookbook CHANGELOG This file is used to list changes made in each version of the rs-mysql cookbook. +v1.2.6 +------ +- fixing selinux permission error when moving directories on centos. +- updating rake task to check for changelog, and metadata version + +v1.2.5 +------ +- Pinning cookbooks and gems for ruby and chef compatibility + v1.2.4 ------ diff --git a/Rakefile b/Rakefile index 2777a46..ea3cf99 100644 --- a/Rakefile +++ b/Rakefile 
@@ -14,21 +14,65 @@ task :setup_test_environment do cookbook_path ['.', 'berks-cookbooks/' ] EOF end - system('berks vendor') + sh('berks vendor') +end + +desc "verifies version and changelog" +task :verify_version do + def get_old_version + f=`git show master:metadata.rb` + f.each_line do |line| + if line.match(/version/) + k,v=line.strip.split + @old_version=v + end + end + return @old_version + end + + def get_new_version + f=File.read('metadata.rb') + f.each_line do |line| + if line.match(/version/) + k,v=line.strip.split + @new_version = v + end + end + return @new_version + end + + if `git rev-parse --abbrev-ref HEAD`.strip != 'master' + puts "Verifying Metdata Version" + if get_old_version == get_new_version + raise "You need to increment version before test will pass" + end + + puts "Verifying Changelog" + counter=0 + f=File.read('CHANGELOG.md') + f.each_line do |line| + if line.match get_new_version.tr('\'','') + counter+=1 + end + end + if counter == 0 + raise "CHANGELOG update needed" + end + end end desc "runs knife cookbook test" task :knife => [ :setup_test_environment ] do cmd = "bundle exec knife cookbook test #{cookbook} -c knife.rb" puts cmd - system(cmd) + sh(cmd) end desc "runs foodcritic" task :foodcritic do cmd = "bundle exec foodcritic --epic-fail any --tags ~FC009 --tags ~FC064 --tags ~FC065 #{directory}" puts cmd - system(cmd) + sh(cmd) end desc "runs foodcritic linttask" @@ -44,18 +88,18 @@ desc "runs rspec" task :rspec do cmd = "bundle exec rspec --color --format documentation" puts cmd - system(cmd) + sh(cmd) end desc "runs testkitchen" task :kitchen do cmd = "chef exec kitchen test --concurrency=2" puts cmd - system(cmd) + sh(cmd) end desc "runs all tests except kitchen" -task :except_kitchen => [ :knife, :foodcritic, :rspec ] do +task :except_kitchen => [ :verify_version, :knife, :foodcritic, :rspec ] do puts "running all tests except kitchen" end 
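Review bot: In the new `verify_version` task, `line.match(/version/)` inside get_old_version and get_new_version accepts any metadata.rb line that contains the word anywhere (a comment or a dependency name would do), and `line.match get_new_version.tr('\'','')` builds a regex from the version string, so each `.` is a wildcard and `1.2.6` also matches a changelog line containing `1x2y6`. Anchor the metadata match and use a plain substring test for the changelog, `next unless line =~ /\Aversion\s/` and `counter += 1 if line.include?(get_new_version.delete("'"))`. When metadata.rb has no matching line, get_new_version returns nil and `nil.tr` raises a NoMethodError instead of the intended message; `raise "no version line in metadata.rb" unless get_new_version` keeps the failure readable. The comparison is against the local `master` ref, so the check is only as current as the last fetch, which is worth saying in the task description.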
diff --git a/files/default/rhel-mysql.te b/files/default/rhel-mysql.te
new file mode 100644
index 0000000..41b1777
--- /dev/null
+++ b/files/default/rhel-mysql.te
@@ -0,0 +1,37 @@
+module rhel-mysql 1.0;
+
+require {
+ type mysqld_safe_t;
+ type postfix_pickup_t;
+ type groupadd_t;
+ type mysqld_t;
+ type file_t;
+ type var_lib_t;
+ class lnk_file { read getattr };
+ class dir { create read write open getattr search remove_name add_name rmdir };
+ class file { create read write open getattr unlink lock rename };
+ class sock_file { create read write open getattr link unlink };
+}
+
+#============= groupadd_t ==============
+
+allow groupadd_t var_lib_t:file read;
+
+#============= mysqld_safe_t ==============
+
+allow mysqld_safe_t var_lib_t:lnk_file { read getattr };
+
+#============= mysqld_t ==============
+#!!!! The source type 'mysqld_t' can write to a 'dir' of the following types:
+# mysqld_log_t, mysqld_tmp_t, var_log_t, var_lib_t, var_run_t, mysqld_var_run_t, pcscd_var_run_t, mysqld_db_t, tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t, krb5_host_rcache_t, tmp_t
+
+allow mysqld_t var_lib_t:file { read getattr open };
+allow mysqld_t var_lib_t:lnk_file read;
+
+allow mysqld_t file_t:dir { create getattr search read remove_name add_name write open rmdir };
+allow mysqld_t file_t:file { create read getattr open write unlink lock rename };
+allow mysqld_t file_t:sock_file { create read write open getattr link unlink};
+
+#============= postfix_pickup_t ==============
+
+allow postfix_pickup_t var_lib_t:file { read open };
diff --git a/metadata.rb b/metadata.rb
index 48a12ce..b1c1075 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@ license 'Apache 2.0' description 'Installs and configures a MySQL server' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '1.2.5' +version '1.2.6' depends 'chef_handler', '~> 1.1.6' depends 'marker', '~> 1.0.1'
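Review bot: The three `allow mysqld_t file_t:...` rules near the end of the module give mysqld create, write, unlink and rmdir on anything labeled `file_t`, which is the type of unlabeled files rather than of a MySQL data directory, so once this module is loaded any unlabeled path on the host becomes writable by mysqld_t, far wider than the moved directory needs. The audit2allow comment kept in the file already lists `mysqld_db_t` among the types mysqld may write, and the narrower fix is to label the relocated directory instead of widening the domain, `semanage fcontext -a -t mysqld_db_t "/path/to/datadir(/.*)?"` followed by `restorecon -R /path/to/datadir`, after which the file_t rules can go. The `groupadd_t` and `postfix_pickup_t` rules and `allow mysqld_t var_lib_t:file { read getattr open }` look like incidental audit-log noise unrelated to the directory move and are worth trimming or at least annotating, since nothing in the file says which denial each one answers. A header such as `# Generated with audit2allow after relocating the MySQL datadir; loaded by recipes/default.rb when SELinux is enforcing` would at least record the provenance.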
@@ -23,6 +23,7 @@ depends 'dmg', '~> 2.4.0' depends 'build-essential', '~> 1.4' # pinned for compatiblity with mysql depends 'postgresql', '= 3.4.16' +depends 'windows', '= 1.44.0' recipe 'rs-mysql::default', 'Sets up a standalone MySQL server' recipe 'rs-mysql::collectd', 'Sets up collectd monitoring for MySQL server' diff --git a/recipes/default.rb b/recipes/default.rb index 98323a5..6eba558 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -16,6 +16,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # +require 'mixlib/shellout' marker 'recipe_start_rightscale' do template 'rightscale_audit_entry.erb' @@ -44,7 +45,38 @@ end end end + end +end + +if node['platform_family'] == 'rhel' + #verify getenforce exists on the install + if ::File.exist?('/usr/sbin/getenforce') + #if selinux is set to enforcing instead of permissive, update mysqld access + if Mixlib::ShellOut.new("/usr/sbin/getenforce").run_command.stdout.strip.downcase == 'enforcing' + cookbook_file ::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.te') do + source 'rhel-mysql.te' + owner 'root' + group 'root' + mode '0644' + action :create + end + + execute 'mysql:compile selinux te to module' do + command "checkmodule -M -m -o #{::File.join(Chef::Config[:file_cache_path],'rhel-mysql.mod')} #{::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.te')}" + action :run + end + + execute 'mysql:package selinux module' do + command "semodule_package -m #{::File.join(Chef::Config[:file_cache_path],'rhel-mysql.mod')} -o #{::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.pp')}" + action :run + end + execute 'fix selinux' do + command "semodule -i #{::File.join(Chef::Config[:file_cache_path], 'rhel-mysql.pp')}" + action :run + end + node.default['mysql']['tunable']['log-error'] = '/var/log/mysql/error.log' + end end end
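Review bot: The three `execute` resources in the new `platform_family == 'rhel'` branch run `checkmodule`, `semodule_package` and `semodule -i` on every converge because none of them carries a guard, so the recipe is not idempotent and reloads policy on each Chef run; adding `not_if 'semodule -l | grep -q "^rhel-mysql"'` to each of them (or giving the first two `action :nothing` and notifying them from the cookbook_file) fixes that. `checkmodule` and `semodule_package` come from the checkpolicy and policycoreutils packages, which this recipe does not install, so on a minimal image the first execute fails before any policy is built; a `package 'checkpolicy'` ahead of them would close that gap, to be confirmed against the base images in use. The `getenforce` check runs at compile time through Mixlib::ShellOut and only the literal `enforcing` result installs the module, so a host converged in permissive mode and later switched to enforcing has no policy, a choice worth stating with `# Module is only installed while SELinux is enforcing; permissive hosts keep the stock policy`. The `end end end` context at the top of the hunk closes a block that starts outside it, while the rhel branch itself is entirely within the hunk.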