Create, build and load a custom SELinux module for NRPE & RabbitMQ

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

roles/rabbitmq_cluster/files/nrpe_rabbitmq.te

@@ -0,0 +1,11 @@
+module nrpe_rabbitmq 1.0;
+
+require {
+	type amqp_port_t;
+	type nrpe_t;
+	class tcp_socket name_connect;
+}
+
+#============= nrpe_t ==============
+# let nagios plugin connect to rabbitmq management interface
+allow nrpe_t amqp_port_t:tcp_socket name_connect;

roles/rabbitmq_cluster/files/selinux-load.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+set -x
+
+checkmodule -M -m -o /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.te
+semodule_package -o /etc/nagios/nrpe_rabbitmq.pp -m /etc/nagios/nrpe_rabbitmq.mod
+semodule -i /etc/nagios/nrpe_rabbitmq.pp
+rm /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.pp

roles/rabbitmq_cluster/tasks/main.yml

@@ -275,7 +275,7 @@
   tags:
   - rabbitmq_cluster
   - config
-  
+
 - name: Configure a policy to ensure the public vhost stays swept up and tidy
   run_once: true
   delegate_to: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
@@ -395,6 +395,24 @@
       federation-upstream: "pubsub-to-public_pubsub"
     vhost: /public_pubsub
 
+# SELinux: allow the Nagios NRPE plugin to access the management interface
+- name: install the selinux module compilation script
+  copy:
+    src: selinux-load.sh
+    dest: /etc/nagios/selinux-load.sh
+    mode: 0755
+
+- name: copy over our custom selinux module
+  copy:
+    src: nrpe_rabbitmq.te
+    dest: /etc/nagios/nrpe_rabbitmq.te
+  register: selinux_module
+
+- name: compile and install our custom selinux module
+  command: /etc/nagios/selinux-load.sh
+  when: selinux_module is changed
+
+# Individual applications accounts & queues
 - import_tasks: apps.yml
   tags:
   - rabbitmq_cluster