From 7ff8a5e85b19ef758ea98b4be7757f23f6d50f8a Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 17 Nov 2014 02:31:59 +0000 Subject: [PATCH] Try to set the collectd redis monitoring straight with selinux. --- .../files/selinux/fi-collectd-fcomm.mod | Bin 0 -> 1522 bytes .../files/selinux/fi-collectd-fcomm.pp | Bin 0 -> 1538 bytes .../files/selinux/fi-collectd-fcomm.te | 17 ++++++++ roles/collectd/fcomm-queue/tasks/main.yml | 39 ++++++++++++++++++ 4 files changed, 56 insertions(+) create mode 100644 roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.mod create mode 100644 roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.pp create mode 100644 roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te diff --git a/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.mod b/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.mod new file mode 100644 index 0000000000000000000000000000000000000000..c95ef0cd5b4e34429f86b8f587c6705ce520962a GIT binary patch literal 1522 zcmb`HO-{ow5QR(m6+!}TP_Zw91#7%v2P+N`wW(VIZh~4@>Vhk9U{)|+nx~r3MI}1Y zn|U6OXC`*+&+m_~^G>Jp{Lp(W%EhwxRE-wFcg=Nb*fX3MkW0h3=;u`kK98gRIIpJD zeRJMk-#9aEAqUWUIQak)%C~G>1b<*0-^>q2aD?$u1IEN1n>{r6rOy}9LkTacJO<{- zKk;!8<19^iVQx}2%d)b{;%rdPiJ|-I-Ir>MR@GiLe6`QaX3l&PCt^0`xXB0DP4X(I z(Oc>ZPaPEC6WDE^3fNwT#yJUE^cCZ4LGUakXA6<-RkQ z`X&Zwylo9#9@eI!8ds^)xJ$-xpql)Zh^zHV!GU7Cl^tD+obG?c{?3#(m~cH)|yKKl?_E}yKle{lz8l|_zib*r7lBs#w= zDzeV5mV&2N@m&kGLRG{ydZ`!#@nngmqI&5mI3ob9*+va=sFt}+e%HnrZ(4)BKwP7j zO1W<>q`u(*jW?~K%fs4KRO2!Yn(vY^K2S~mO2jpKq40q?{Jn^4^g?aocZ~`UDA%3& zh-;y^EOCjGV|H79lJZ|}*H&{5da&qU;2+>|(pVP0UJ%wR4xc?U72?e#sAk8fcaP literal 0 HcmV?d00001 diff --git a/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te b/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te new file mode 100644 index 0000000000..bb7c6ec5d0 --- /dev/null +++ b/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te 
@@ -0,0 +1,17 @@
+
+module fi-collectd-fcomm 1.0;
+
+require {
+ type bin_t;
+ type collectd_t;
+ type ldconfig_exec_t;
+ type shell_exec_t;
+ class file { read getattr open ioctl execute execute_no_trans };
+ class lnk_file { read };
+}
+
+allow collectd_t bin_t:file ioctl;
+allow collectd_t bin_t:lnk_file read;
+allow collectd_t ldconfig_exec_t:file { read execute open execute_no_trans };
+
+allow collectd_t shell_exec_t:file { getattr execute_no_trans };
diff --git a/roles/collectd/fcomm-queue/tasks/main.yml b/roles/collectd/fcomm-queue/tasks/main.yml
index a7d7c5675a..b23df4e291 100644
--- a/roles/collectd/fcomm-queue/tasks/main.yml
+++ b/roles/collectd/fcomm-queue/tasks/main.yml
@@ -21,3 +21,42 @@
 tags:
 - collectd
 notify: restart collectd
+
+# Three tasks for handling our custom selinux module.
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/share/collectd state=directory
+ tags:
+ - collectd
+ - selinux
+
+- name: copy over our fcomm collectd selinux module
+ copy: src=selinux/fi-collect-fcomm.pp dest=/usr/share/collectd/fi-collect-fcomm.pp
+ register: selinux_module
+ tags:
+ - collectd
+ - selinux
+
+- name: check to see if its even installed yet
+ shell: semodule -l | grep fi-collect-fcomm
+ register: selinux_grep
+ always_run: true
+ changed_when: "1 != 1"
+ tags:
+ - collectd
+ - selinux
+ ignore_errors: True
+
+- name: install our fcomm collectd selinux module
+ command: semodule -i /usr/share/collectd/fi-collect-fcomm.pp
+ when: selinux_module|changed or selinux_grep|failed
+ tags:
+ - collectd
+ - selinux
+
+- name: lastly, set some selinux booleans
+ seboolean: name={{item}} persistent=yes state=yes
+ with_items:
+ - collectd_tcp_network_connect
+ tags:
+ - collectd
+ - selinux
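Review bot: The rules `allow collectd_t shell_exec_t:file { getattr execute_no_trans };` and `allow collectd_t ldconfig_exec_t:file { read execute open execute_no_trans };` let the collectd domain run a shell and ldconfig in its own domain, so whatever collectd is driven to execute runs with the full permission set of collectd_t, and the module carries no comment saying which plugin or check needs this. A header comment above the `module` line naming the check that produced the denials, e.g. `# Needed by the exec-based fcomm/redis queue check; rules derived from audit2allow output` with the actual check filled in, would let a later reviewer judge whether the grant is still needed or can be narrowed. The shell rule grants only getattr and execute_no_trans with no read/open/execute; unless those are already supplied by the base collectd policy, the exec will still be denied, so this is worth confirming against the AVC log rather than assuming. If the module can be built against the policy devel headers, the `corecmd_exec_shell(collectd_t)` and `libs_exec_ldconfig(collectd_t)` interfaces would state the intent more clearly than raw type rules.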
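Review bot: The module file name is misspelled in four of the new lines: the copy task's `copy: src=selinux/fi-collect-fcomm.pp dest=/usr/share/collectd/fi-collect-fcomm.pp`, the `shell: semodule -l | grep fi-collect-fcomm` check and the `command: semodule -i /usr/share/collectd/fi-collect-fcomm.pp` install all use `fi-collect-fcomm`, while the files added in this commit and the `module` statement in the .te are `fi-collectd-fcomm`. As written the copy fails because the source file does not exist, and even once that is fixed the grep pattern never matches the installed module name (`fi-collect-fcomm` is not a substring of `fi-collectd-fcomm`), so `selinux_grep|failed` stays true and the install task would run on every play. Every occurrence in the hunk should read `fi-collectd-fcomm`. Separately, the `.pp` and `.mod` are committed as prebuilt binaries; building the package from the `.te` at deploy time, or at least extending the `# Three tasks for handling our custom selinux module.` comment with how the binaries were produced, keeps the policy that actually gets loaded tied to the source a reviewer can read.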