Rules

The Rules plugin resolves the following Abstract Configuration Entities:

• Service
• Package
• Path
• Action
• All SELinux entries
• POSIXUser
• POSIXGroup

to literal configuration entries suitable for the client drivers to consume.

For an entity specification to be included in the Literal configuration the name attribute from an abstract entity tag (from Bundler) must match the name attribute of an entity tag in Rules, along with the appropriate group associations of course.

Each file in the Rules directory has a priority. This allows the same Entities to be served by multiple files. The priorities can be used to break ties in the case that multiple files serve data for the same entity.

Tag Attributes in Rules

Running bcfg2-lint will check your configuration specification for the presence of any mandatory attributes that are necessary for the entry specified.

Rules Tag

Package Tag

Action Tag

See also Actions.

Service Tag

Service mode specification

New in version 1.3.0.

In the 1.3.0 release, the “mode” attribute has been replaced by a pair of attributes, restart and install, which control how a service is handled more granularly than the old “mode” attribute. The old “mode” attribute values are equivalent as follows:

Mode attribute	Equivalent
mode="default"	restart="true" install="true"
mode="interactive_only"	restart="interactive" install="true"
mode="supervised"	restart="true" install="true"
mode="manual"	restart="false" install="false"

The default is restart="true" install="true"

Previously, “supervised” could be used to start a service during the verification phase; this is no longer supported. Services that have been stopped on a client will be started during the install phase.

Path Tag

The Path tag has different values depending on the type attribute of the path specified in your configuration. Below is a set of tables which describe the attributes available for various Path types.

Note that secontext below expects a full context, not just the type. For instance, “system_u:object_r:etc_t:s0”, not just etc_t. You can also specify “__default__”, which will restore the context of the file to the default set by policy. If a file has no default context rule, and you don’t wish to set one, you can specify secontext='' (i.e., an empty secontext), in which case the client will not try to manage the SELinux context of the file at all.

See SELinux for more information.

Attributes common to all Path tags:

augeas

Run Augeas commands. See Augeas for more details.

device

Manage devices.

directory

Entry represents a directory. prune can be set to remove all contents from the directory that are not explicitly specified in Bcfg2.

file

Distribute an file with content explicitly specified in-line (i.e., as opposed to using Cfg for this file). If the file has no content, empty must be set to true.

hardlink

Manage a hard link.

ignore

ignore lets you flag files that are distributed by system software packages, but have been modified locally, to be ignored by package verification routines. This is useful for, e.g., a package that installs an initial version of a file and then modifies it automatically.

nonexistent

Remove the specified file or directory. If recursive is set, remove the directory recursively (i.e., rm -rf).

permissions

Merely set permissions on the specified path, which is presumed to already exist.

symlink

Manage symlinks.

vcs

Check out the specified VCS repository to the given path. See VCS Client Tool for more details.

ACLs

New in version 1.3.0.

ACLs on a Path entry are specified not by attributes on the tag but by child <ACL> tags. For instance:

<Path name="/etc/foo" type="directory" owner="root" group="root"
      mode="0775">
  <ACL type="default" scope="user" user="foouser" perms="rw"/>
  <ACL type="default" scope="group" group="users" perms="rx"/>
  <ACL type="default" scope="other" perms="r"/>
</Path>

It is not currently possible to manually set an effective rights mask; the mask will be automatically calculated from the given ACLs when they are applied.

For directories either no default ACL entries or at least an entry for the owner, owning group and other must be defined.

Note that it is possible to set ACLs that demand different permissions on a file than those specified in the perms attribute on the Path tag. For instance:

<Path name="/etc/foo" mode="0644" group="root" owner="root">
  <ACL type="access" scope="user" user="foouser" perms="rwx"/>
</Path>

In this case, we’ve specified permissions of 0644, but the effective rights mask will be “rwx,” so setting the ACL will change the permissions to 0674. When this happens, Bcfg2 will change the permissions and set the ACLs on every run and the entry will be eternally marked as bad.

SELinux Entries

New in version 1.3.0.

Note

In order to use these entries, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

Below is a set of tables which describe the attributes available for various SELinux types. The entry types (except for module) correspond to semanage subcommands.

Note that the selinuxtype attribute takes only an SELinux type, not a full context; e.g., “etc_t”, not “system_u:object_r:etc_t:s0”.

As it can be very tedious to create a baseline of all existing SELinux entries, you can use selinux_baseline.py located in the tools/ directory to do that for you.

See SELinux for more information.

SEBoolean Tag

SEPort Tag

SEFcontext Tag

SENode Tag

SELogin Tag

SEUser Tag

SEInterface Tag

SEPermissive Tag

SEModule Tag

See also SEModules.

POSIXUser Tag

New in version 1.3.0.

Note

In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

For example:

<POSIXUser name="daemon" home="/sbin" shell="/sbin/nologin"
           gecos="daemon" uid="2" group="daemon">
  <MemberOf group="lp"/>
  <MemberOf group="adm"/>
  <MemberOf group="bin/>
</POSIXUser>

The group specified will automatically be created if it does not exist, even if there is no POSIXGroup tag for it. If you need to specify a particular GID for the group, you must specify that in a POSIXGroup tag.

If you with to change the default shell, you can do so with the Defaults plugin.

See POSIXUsers for more information on managing users and groups.

POSIXGroup Tag

New in version 1.3.0.

Note

In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

See POSIXUsers for more information on managing users and groups.

Rules Directory

The Rules/ directory keeps the XML files that define what rules are available for a host. All the files in the directory are processed.

The names of the XML files have no special meaning to Bcfg2; they are simply named so it’s easy for the administrator to know what the contents hold. All Rules could be kept in a single file if so desired. Bcfg2 simply uses the Groups in the files and priorities to determine how to assign Rules to a host’s literal configuration.

<Rules priority="0">
    <Path type='directory' group="root" name="/autonfs" owner="root" mode="0755"/>
    <Path type='directory' group="utmp" name="/var/run/screen" owner="root" mode="0775"/>
    <Path type='directory' group="root" name="/autonfs/stage" owner="root" mode="0755"/>
    <Path type='directory' group="root" name="/exports" owner="root" mode="0755"/>
    <Path type='directory' name="/etc/condor" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/logs" group="wwwtrans" owner="root" mode="0775"/>
    <Path type='directory' name="/mnt" group="root" owner="root" mode="0755"/>
    <Path type='directory' name="/my" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/my/bin" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/nfs" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/sandbox" mode="0777" owner="root" group="root"/>
    <Path type='directory' name="/software" group="root" owner="root" mode="0755"/>
    <Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/dsp"/>
    <Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/mixer"/>
    <Path type='symlink' name="/bin/whatami" to="/mcs/adm/bin/whatami"/>
    <Path type='symlink' name="/chibahomes" to="/nfs/chiba-homefarm"/>
    <Path type='symlink' name="/home" to="/nfs/mcs-homefarm"/>
    <Path type='symlink' name="/homes" to="/home"/>
    <Path type='symlink' name="/mcs" to="/nfs/mcs"/>
    <Path type='symlink' name="/my/bin/bash" to="/bin/bash"/>
    <Path type='symlink' name="/my/bin/tcsh" to="/bin/tcsh"/>
    <Path type='symlink' name="/my/bin/zsh" to="/bin/zsh"/>
    <Path type='symlink' name="/software/common" to="/nfs/software-common"/>
    <Path type='symlink' name="/software/linux" to="/nfs/software-linux"/>
    <Path type='symlink' name="/software/linux-debian_sarge" to="/nfs/linux-debian_sarge"/>
    <Path type='symlink' name="/usr/bin/passwd" to="/usr/bin/yppasswd"/>
    <Path type='symlink' name="/usr/bin/yppasswd" to="/mcs/bin/passwd"/>
    <Path type='symlink' name="/usr/lib/libgd.so.1.8" to="/usr/lib/libgd.so.1.8.4"/>
    <Path type='symlink' name="/usr/lib/libtermcap.so.2" to="/usr/lib/libtermcap.so"/>
    <Path type='symlink' name="/usr/local/bin/perl" to="/usr/bin/perl"/>
    <Path type='symlink' name="/usr/local/bin/perl5" to="/usr/bin/perl"/>
    <Path type='symlink' name="/usr/local/bin/tcsh" to="/bin/tcsh"/>
    <Service name='ntpd' status='on' type='chkconfig'/>
    <Service name='haldaemon' status='on' type='chkconfig'/>
    <Service name='messagebus' status='on' type='chkconfig'/>
    <Service name='netfs' status='on' type='chkconfig'/>
    <Service name='network' status='on' type='chkconfig'/>
    <Service name='rawdevices' status='on' type='chkconfig'/>
    <Service name='sshd' status='on' type='chkconfig'/>
    <Service name='syslog' status='on' type='chkconfig'/>
    <Service name='vmware-tools' status='on' type='chkconfig'/>
</Rules>

Using Regular Expressions in Rules

If you wish, you can configure the Rules plugin to support regular expressions. This entails a small performance and memory usage penalty. To do so, add the following setting to bcfg2.conf:

[rules]
regex = yes

With regular expressions enabled, you can use a regex in the name attribute to match multiple abstract configuration entries.

Regular expressions are anchored at both ends, so <Service name="bcfg2".../> will not match a Service named bcfg2-server; you’d have to explicitly specify <Service name="bcfg2.*".../>.

Note that only one Rule can apply to any abstract entry, so you cannot specify multiple regexes to match the same rule.

Replacing the name of the Entry in Attributes

If you are using regular expressions to match the abstract configuration entries, you may need the concrete name of the entry in some attributes. To use this feature, you have to enable it. It is only useful, if used together with regex matching.

[rules]
regex = yes
replace_name = yes

You now can write something like that in your xml file:

<POSIXUser name='.*' home='/somewhere/%{name}'/>

%{name} will be correctly replaced with the username for each POSIXUser.