Merge pull request #305 from yakara-ltd/selinux

Add SELinux support
sous-chefs · May 2, 2017 · 45a6f77 · 45a6f77
2 parents 518ed54 + f44c524
commit 45a6f77
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 41 deletions.
diff --git a/metadata.rb b/metadata.rb
@@ -35,3 +35,4 @@
 
 depends 'ulimit', '>= 0.1.2'
 depends 'build-essential'
+depends 'selinux_policy'
diff --git a/providers/configure.rb b/providers/configure.rb
@@ -18,6 +18,8 @@
 # limitations under the License.
 #
 
+include SELinuxPolicy::Helpers
+
 action :run do
   configure
   new_resource.updated_by_last_action(true)
@@ -95,6 +97,8 @@ def configure
                   end
 
     recipe_eval do
+      include_recipe 'selinux_policy::install' if use_selinux
+
       server_name = current['name'] || current['port']
       piddir = "#{base_piddir}/#{server_name}"
       aof_file = current['appendfilename'] || "#{current['datadir']}/appendonly-#{server_name}.aof"
@@ -125,6 +129,9 @@ def configure
         recursive true
         action :create
       end
+      selinux_policy_fcontext "#{current['configdir']}(/.*)?" do
+        secontext 'redis_conf_t'
+      end
       # Create the instance data directory
       directory current['datadir'] do
         owner current['user']
@@ -133,6 +140,9 @@ def configure
         recursive true
         action :create
       end
+      selinux_policy_fcontext "#{current['datadir']}(/.*)?" do
+        secontext 'redis_var_lib_t'
+      end
       # Create the pid file directory
       directory piddir do
         owner current['user']
@@ -141,6 +151,9 @@ def configure
         recursive true
         action :create
       end
+      selinux_policy_fcontext "#{piddir}(/.*)?" do
+        secontext 'redis_var_run_t'
+      end
       # Create the log directory if syslog is not being used
       if log_directory
         directory log_directory do
@@ -149,7 +162,9 @@ def configure
           mode '0755'
           recursive true
           action :create
-          only_if { log_directory }
+        end
+        selinux_policy_fcontext "#{log_directory}(/.*)?" do
+          secontext 'redis_log_t'
         end
       end
       # Create the log file if syslog is not being used

diff --git a/test/integration/default/serverspec/redisio_spec.rb b/test/integration/default/serverspec/redisio_spec.rb
@@ -1,23 +1,28 @@
 require 'spec_helper'
 
+prefix = os[:family] == 'freebsd' ? '/usr/local' : ''
+
 describe 'Redis' do
   it_behaves_like 'redis on port', 6379
 end
 
-if os[:family] == 'freebsd'
-  describe file('/usr/local/etc/redis/savetest.conf') do
-    it { should be_file }
+describe file("#{prefix}/etc/redis/savetest.conf") do
+  it { should be_file }
 
-    ['save a', 'save b', 'save c'].each do |m|
-      its(:content) { should match(m) }
-    end
+  ['save a', 'save b', 'save c'].each do |m|
+    its(:content) { should match(m) }
   end
-else
-  describe file('/etc/redis/savetest.conf') do
-    it { should be_file }
+end
 
-    ['save a', 'save b', 'save c'].each do |m|
-      its(:content) { should match(m) }
+if system('command -v semanage &>/dev/null')
+  describe command('semanage fcontext --list --noheading | grep -F redis') do
+    [
+      %r{^/etc/redis\(/\.\*\)\?\s.*:redis_conf_t:},
+      %r{^/var/lib/redis\(/\.\*\)\?\s.*:redis_var_lib_t:},
+      %r{^/var/run/redis\(/\.\*\)\?\s.*:redis_var_run_t:},
+      %r{^/var/log/redis\(/\.\*\)\?\s.*:redis_log_t:}
+    ].each do |pattern|
+      its(:stdout) { should match(pattern) }
     end
   end
 end
diff --git a/test/integration/multisentinel/serverspec/multiple_sentinels_spec.rb b/test/integration/multisentinel/serverspec/multiple_sentinels_spec.rb
@@ -1,38 +1,23 @@
 require 'spec_helper'
 
+prefix = os[:family] == 'freebsd' ? '/usr/local' : ''
+
 describe 'Redis-Sentinel' do
   it_behaves_like 'sentinel on port', 26379, 'cluster'
 end
 
-if os[:family] == 'freebsd'
-  describe file('/usr/local/etc/redis/sentinel_cluster.conf') do
-    [
-      %r{sentinel monitor master6379 127.0.0.1 6379 2},
-      %r{sentinel down-after-milliseconds master6379 30000},
-      %r{sentinel parallel-syncs master6379 1},
-      %r{sentinel failover-timeout master6379 900000},
-      %r{sentinel monitor master6380 127.0.0.1 6380 2},
-      %r{sentinel down-after-milliseconds master6380 30000},
-      %r{sentinel parallel-syncs master6380 1},
-      %r{sentinel failover-timeout master6380 900000}
-    ].each do |pattern|
-      its(:content) { should match(pattern) }
-    end
-  end
-else
-  describe file('/etc/redis/sentinel_cluster.conf') do
-    [
-      %r{sentinel monitor master6379 127.0.0.1 6379 2},
-      %r{sentinel down-after-milliseconds master6379 30000},
-      %r{sentinel parallel-syncs master6379 1},
-      %r{sentinel failover-timeout master6379 900000},
-      %r{sentinel monitor master6380 127.0.0.1 6380 2},
-      %r{sentinel down-after-milliseconds master6380 30000},
-      %r{sentinel parallel-syncs master6380 1},
-      %r{sentinel failover-timeout master6380 900000}
-    ].each do |pattern|
-      its(:content) { should match(pattern) }
-    end
+describe file("#{prefix}/etc/redis/sentinel_cluster.conf") do
+  [
+    %r{sentinel monitor master6379 127.0.0.1 6379 2},
+    %r{sentinel down-after-milliseconds master6379 30000},
+    %r{sentinel parallel-syncs master6379 1},
+    %r{sentinel failover-timeout master6379 900000},
+    %r{sentinel monitor master6380 127.0.0.1 6380 2},
+    %r{sentinel down-after-milliseconds master6380 30000},
+    %r{sentinel parallel-syncs master6380 1},
+    %r{sentinel failover-timeout master6380 900000}
+  ].each do |pattern|
+    its(:content) { should match(pattern) }
   end
 end