From 4f476726377b43f33b292dd81b62b04e0fdaa7bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 2 Aug 2019 11:04:46 +0200
Subject: [PATCH] Create, build and load a custom SELinux module for NRPE & RabbitMQ
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Bompard
---
 roles/rabbitmq_cluster/files/nrpe_rabbitmq.te | 11 ++++++++++
 roles/rabbitmq_cluster/files/selinux-load.sh | 9 +++++++++
 roles/rabbitmq_cluster/tasks/main.yml | 20 ++++++++++++++++++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
 create mode 100644 roles/rabbitmq_cluster/files/selinux-load.sh
diff --git a/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te b/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
new file mode 100644
index 0000000000..7da96acd2b
--- /dev/null
+++ b/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
@@ -0,0 +1,11 @@
+module nrpe_rabbitmq 1.0;
+
+require {
+ type amqp_port_t;
+ type nrpe_t;
+ class tcp_socket name_connect;
+}
+
+#============= nrpe_t ==============
+# let nagios plugin connect to rabbitmq management interface
+allow nrpe_t amqp_port_t:tcp_socket name_connect;
\ No newline at end of file
diff --git a/roles/rabbitmq_cluster/files/selinux-load.sh b/roles/rabbitmq_cluster/files/selinux-load.sh
new file mode 100644
index 0000000000..e126f235a4
--- /dev/null
+++ b/roles/rabbitmq_cluster/files/selinux-load.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+set -x
+
+checkmodule -M -m -o /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.te
+semodule_package -o /etc/nagios/nrpe_rabbitmq.pp -m /etc/nagios/nrpe_rabbitmq.mod
+semodule -i /etc/nagios/nrpe_rabbitmq.pp
+rm /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.pp
\ No newline at end of file
diff --git a/roles/rabbitmq_cluster/tasks/main.yml b/roles/rabbitmq_cluster/tasks/main.yml
index 54e0a84bea..09ca4b744c 100644
--- a/roles/rabbitmq_cluster/tasks/main.yml
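Review bot: The allow rule on the module's last line only covers ports labelled amqp_port_t, while the comment above it says the plugin talks to the management interface; whether the management port carries that label depends on the policy shipped on the target release, so confirm it with `semanage port -l | grep amqp` before relying on the comment, and record the outcome there, e.g. `# let nagios plugin connect to rabbitmq management interface (port labelled amqp_port_t)`. If that port turns out to be unlabelled, a `semanage port -a -t amqp_port_t -p tcp <PORT>` step in the role is the narrower fix rather than widening this rule to another port type. The file also lacks a trailing newline.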
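Review bot: The `rm` on the last line is skipped whenever an earlier step fails, because `set -e` aborts the script first, so a .te that does not compile leaves nrpe_rabbitmq.mod and nrpe_rabbitmq.pp behind in /etc/nagios. Building in a temporary directory with an EXIT trap cleans up on both the success and the failure path and keeps build artefacts out of the configuration directory; the .te itself can stay where the role copies it.
```shell
# … unchanged: shebang, set -e, set -x …
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

checkmodule -M -m -o "$WORKDIR/nrpe_rabbitmq.mod" /etc/nagios/nrpe_rabbitmq.te
semodule_package -o "$WORKDIR/nrpe_rabbitmq.pp" -m "$WORKDIR/nrpe_rabbitmq.mod"
semodule -i "$WORKDIR/nrpe_rabbitmq.pp"
```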
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@@ -275,7 +275,7 @@
 tags:
 - rabbitmq_cluster
 - config
-
+
 - name: Configure a policy to ensure the public vhost stays swept up and tidy
 run_once: true
 delegate_to: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
@@ -395,6 +395,24 @@
 federation-upstream: "pubsub-to-public_pubsub"
 vhost: /public_pubsub
+# SELinux: allow the Nagios NRPE plugin to access the management interface
+- name: install the selinux module compilation script
+ copy:
+ src: selinux-load.sh
+ dest: /etc/nagios/selinux-load.sh
+ mode: 0755
+
+- name: copy over our custom selinux module
+ copy:
+ src: nrpe_rabbitmq.te
+ dest: /etc/nagios/nrpe_rabbitmq.te
+ register: selinux_module
+
+- name: compile and install our custom selinux module
+ command: /etc/nagios/selinux-load.sh
+ when: selinux_module is changed
+
+# Individual applications accounts & queues
 - import_tasks: apps.yml
 tags:
 - rabbitmq_cluster
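Review bot: The `when: selinux_module is changed` guard on the compile task means the module is only built when the .te copy reports a change, so it is never loaded after a run in which the copy succeeded and the script failed (the retry sees the .te unchanged), after the module is removed with `semodule -r`, or on a host rebuilt from an already-present file, and a change to selinux-load.sh itself does not trigger it either. Querying the loaded modules first and adding that to the condition makes the task converge on every run. The three new tasks also carry none of the `tags:` that the surrounding tasks have (visible in the context lines of both hunks), so a play limited by tag skips them, and the .te copy has no explicit `mode:`, so it takes the default permissions for new files.
```yaml
# … unchanged: the two copy tasks …
- name: check whether the custom selinux module is already loaded
  command: semodule -l
  register: selinux_modules
  changed_when: false
  check_mode: false

- name: compile and install our custom selinux module
  command: /etc/nagios/selinux-load.sh
  when: selinux_module is changed or 'nrpe_rabbitmq' not in selinux_modules.stdout
  tags:
  - rabbitmq_cluster
  - config
```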