From 7b2ab9e07fcd262e16cf0a586f52cbdf3a4345f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 26 May 2023 12:20:52 +0200
Subject: [PATCH] Improve the common collectd selinux module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1731501
- Update the playbook to support module upgrades, not only fresh installs
Signed-off-by: Aurélien Bompard
---
roles/collectd/base/files/selinux/Makefile | 22 ++++++++++++++++++
.../base/files/selinux/fi-collectd.mod | Bin 3687 -> 4085 bytes
.../base/files/selinux/fi-collectd.pp | Bin 3891 -> 4101 bytes
.../base/files/selinux/fi-collectd.te | 8 ++++---
roles/collectd/base/tasks/main.yml | 21 +++++++++++++----
5 files changed, 43 insertions(+), 8 deletions(-)
create mode 100644 roles/collectd/base/files/selinux/Makefile
diff --git a/roles/collectd/base/files/selinux/Makefile b/roles/collectd/base/files/selinux/Makefile
new file mode 100644
index 0000000000..0f32a55703
--- /dev/null
+++ b/roles/collectd/base/files/selinux/Makefile
@@ -0,0 +1,22 @@
+detected_mods := $(wildcard *.te)
+detected_fcs := $(detected_mods:.te=.fc)
+all_packages := $(notdir $(detected_mods:.te=.pp))
+
+.PHONY: all
+.SUFFIXES: .pp
+
+all: $(all_packages)
+
+%.mod: %.te
+ checkmodule -m $^ -o $@
+
+# If we have file contexts one day:
+# %.pp: %.mod %.fc
+# semodule_package -o $@ -m $< -f $(<:.mod=.fc)
+
+%.pp: %.mod
+ semodule_package -o $@ -m $<
+
+# so users dont have to make empty .fc and .if files
+$(detected_fcs):
+ touch $@ 
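Review bot: `.SUFFIXES: .pp` in the new Makefile registers `.pp` as a suffix instead of disabling the built-in suffix rules, which only an empty `.SUFFIXES:` does; since every rule here is a pattern rule the line should read `.SUFFIXES:`, and adding `.DELETE_ON_ERROR:` beside it would remove a half-written `.mod`/`.pp` when `checkmodule` or `semodule_package` fails, so a truncated package is never mistaken for a finished build and committed. The `$(detected_fcs): touch $@` rule is never reached from `all`, because the active `%.pp: %.mod` rule does not list the `.fc` file — it only fires if someone runs `make fi-collectd.fc` by hand, so the comment above it promises more than the graph delivers. In `%.mod: %.te`, `$^` happens to work with a single prerequisite but `$<` states the intent. A `clean` target for the generated `.mod`, `.pp` and `.fc` files is also missing.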
diff --git a/roles/collectd/base/files/selinux/fi-collectd.mod b/roles/collectd/base/files/selinux/fi-collectd.mod
index 2c0a4696836e80ec4f8dd53e6d3fd07604958af3..c1d326de15166dbd53a991178f629d6824b3c78b 100644
GIT binary patch
delta 287
zcmaDZ^HqL=G^;2B0|UcE1w|G^Jp+fyAGw8D*%=rZ*f++0VYCqg$$@wb3=E7=3<7zn zB{`XS+41SAd8tL2$??Vc$=RtTY)}=+MX8A;sgnblTqg0bOrFKf!^+3Nz`!?o7Sl#n zE-)*AS(>AuC_gzqFSTT|C-YuLMuExaS)C`ZW0l#Q#wx%%`5&7D6NAF!4XkR6jFb6U z^(W8c7MUE!$^mv8BgmDLXK@Qmwqxa)Y{$(rc@>u=qy6Ls+-8jIlYetfpL~y%XL1|& l21fSD<~-A-K)%54;>m}2G#L3Nzve0A0XYorBtKqBMgS4eN}m7#
delta 146
zcmV;D0B!&EALks98wCmg0004zARz-VE-;h90u%)X00006v0d~5lZ^sI4GjPQ01W^D z01yBG00@&o1{0Iu3<#4x1PPN81BJ7}1G@nM4wK;pUz5-W1he1;37c6@qjUTRTha(r=qa&~G78&pMdQEFmI>gGhI_e_ien*&)dvrZP^2w-HNEX!>? z`2#o4lR*rZlkg0r0S1$m4VSZ04zmG2n;M`1
diff --git a/roles/collectd/base/files/selinux/fi-collectd.te b/roles/collectd/base/files/selinux/fi-collectd.te
index 3e9c1d5509..82c1f13a11 100644
--- a/roles/collectd/base/files/selinux/fi-collectd.te
+++ b/roles/collectd/base/files/selinux/fi-collectd.te
@@ -1,4 +1,4 @@
-module fi-collectd 1.10.0;
+module fi-collectd 1.11.0;
 require {
 type shell_exec_t;
@@ -14,7 +14,7 @@ require {
 type var_run_t;
 type anon_inodefs_t;
 type initrc_t;
- lgtype proc_net_t;
+ type proc_net_t;
 class capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
 class dir { getattr read };
@@ -22,6 +22,7 @@ require {
 class lnk_file read;
 class sock_file { read write getattr };
 class unix_stream_socket connectto;
+ class netlink_generic_socket create;
 }
 #============= collectd_t ==============
@@ -39,4 +40,5 @@ allow collectd_t tmp_t:dir read;
 allow collectd_t var_run_t:sock_file { read write getattr };
 allow collectd_t anon_inodefs_t:file { write read };
 allow collectd_t initrc_t:unix_stream_socket connectto;
-atlow collectd_t proc_net_t:lnk_file read;
+allow collectd_t proc_net_t:lnk_file read;
+allow collectd_t self:netlink_generic_socket create;
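Review bot: The new `allow collectd_t self:netlink_generic_socket create;` in the last hunk of fi-collectd.te carries no comment saying why collectd_t now gets to open generic netlink sockets; the commit message ties it to a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1731501, and that reference belongs in the policy source, e.g. `# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1731501` directly above the allow line, so a later audit of the module can tell a deliberate grant from a leftover one. `create` alone is the narrowest grant, but if collectd then actually uses the socket it will presumably hit further denials (read/write at least) that show up in the audit log, so it is worth confirming on a deployed host that this single rule is sufficient. The `lgtype` and `atlow` typos corrected in the second and fourth hunks would not have been accepted by `checkmodule`, so the previously checked-in 1.10.0 `.pp` cannot have been built from that exact `.te`; now that a Makefile exists, regenerating the package from this source and comparing it with the same `/usr/libexec/selinux/hll/pp … | sha256sum` command the playbook uses would close that gap.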
diff --git a/roles/collectd/base/tasks/main.yml b/roles/collectd/base/tasks/main.yml
index 5090682120..eec1308d57 100644
--- a/roles/collectd/base/tasks/main.yml
+++ b/roles/collectd/base/tasks/main.yml
@@ -132,18 +132,29 @@
 - collectd
 - selinux
-- name: check to see if its even installed yet
- shell: semodule -l | grep fi-collectd | wc -l
- register: ficgeneral_grep
+# TODO: consider using selinux_modules from https://galaxy.ansible.com/linux-system-roles/selinux instead
+- name: check to see what version is installed (if any)
+ shell: semodule -l -m | grep fi-collectd | cut -d: -f2
+ register: ficgeneral_installed_version
 check_mode: no
- changed_when: "'0' in ficgeneral_grep.stdout"
+ changed_when: false
+ tags:
+ - collectd
+ - selinux
+
+# This cmd comes from the last example of the semodule man page
+- name: check to see what version we have
+ shell: /usr/libexec/selinux/hll/pp /usr/share/collectd/fi-collectd.pp | sha256sum | cut -d ' ' -f1
+ register: ficgeneral_local_version
+ check_mode: no
+ changed_when: false
 tags:
 - collectd
 - selinux
 - name: install our general collectd selinux module
 command: semodule -i /usr/share/collectd/fi-collectd.pp
- when: ficgeneral_module is changed or ficgeneral_grep is changed
+ when: ficgeneral_module is changed or ficgeneral_installed_version != ficgeneral_local_version
 tags:
 - collectd
 - selinux
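Review bot: The new `when:` on the install task compares the two registered results as whole dicts, `ficgeneral_installed_version != ficgeneral_local_version`, and since each `shell` result carries its own `cmd`, `start`, `end` and `delta` fields the two are never equal, so `semodule -i` runs on every play — the opposite of what the version check is meant to achieve. Compare the captured output instead: `when: ficgeneral_module is changed or (ficgeneral_installed_version.stdout | trim) != (ficgeneral_local_version.stdout | trim)`, where `trim` guards against a stray trailing newline in either digest. `grep fi-collectd` is an unanchored substring match, so any other module whose name contains `fi-collectd` would make the first command return more than one line; anchoring it, e.g. `grep '^fi-collectd '`, avoids that, assuming the `semodule -l -m` listing is one `name sha256:digest` per line, which is what `cut -d: -f2` already relies on. That listing form also presumes a policycoreutils recent enough to print checksums with `-m`, which the targets presumably have but the role does not check.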