#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require_relative "../resource"
require_relative "selinux/common_helpers"
class Chef
class Resource
class SelinuxPort < Chef::Resource
unified_mode true
provides :selinux_port
description "Use **selinux_port** resource to allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port."
introduced "18.0"
examples <<~DOC
**Allow nginx/apache to bind to port 5678 by giving it the http_port_t context**:
```ruby
selinux_port '5678' do
protocol 'tcp'
secontext 'http_port_t'
end
```
DOC
property :port, [Integer, String],
name_property: true,
regex: /^\d+$/,
description: "Port to modify."
property :protocol, String,
equal_to: %w{tcp udp},
required: %i{manage add modify},
description: "Protocol to modify."
property :secontext, String,
required: %i{manage add modify},
description: "SELinux context to assign to the port."
action_class do
include Chef::SELinux::CommonHelpers
def current_port_context
# use awk to see if the given port is within a reported port range
shell_out!(
<<~CMD
seinfo --portcon=#{new_resource.port} | grep 'portcon #{new_resource.protocol}' | \
awk -F: '$(NF-1) !~ /reserved_port_t$/ && $(NF-3) !~ /[0-9]*-[0-9]*/ {print $(NF-1)}'
CMD
).stdout.split
end
end
action :manage, description: "Assign the port to the right context regardless of previous state." do
run_action(:add)
run_action(:modify)
end
action :addormodify, description: "Assigns the port context if not set. Updates the port context if previously set." do
Chef::Log.warn("The :addormodify action for selinux_port is deprecated and will be removed in a future release. Use the :manage action instead.")
run_action(:manage)
end
# Create if doesn't exist, do not touch if port is already registered (even under different type)
action :add, description: "Assign the port context if not set." do
if selinux_disabled?
Chef::Log.warn("Unable to add SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if current_port_context.empty?
converge_by "Adding context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -a -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Only modify port if it exists & doesn't have the correct context already
action :modify, description: "Update the port context if previously set." do
if selinux_disabled?
Chef::Log.warn("Unable to modify SELinux port #{new_resource.name} as SELinux is disabled")
return
end
if !current_port_context.empty? && !current_port_context.include?(new_resource.secontext)
converge_by "Modifying context #{new_resource.secontext} to port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -m -t '#{new_resource.secontext}' -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
# Delete if exists
action :delete, description: "Removes the port context if set." do
if selinux_disabled?
Chef::Log.warn("Unable to delete SELinux port #{new_resource.name} as SELinux is disabled")
return
end
unless current_port_context.empty?
converge_by "Deleting context from port #{new_resource.port}/#{new_resource.protocol}" do
shell_out!("semanage port -d -p #{new_resource.protocol} #{new_resource.port}")
end
end
end
end
end
end