Create, build and load a custom SELinux module for NRPE & RabbitMQ

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2019-08-02 11:04:46 +02:00 · 2019-08-02 11:04:46 +02:00 · 4f47672637
commit 4f47672637
parent 2501d2524d
3 changed files with 39 additions and 1 deletions
--- a/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
+++ b/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
@ -0,0 +1,11 @@
 module nrpe_rabbitmq 1.0;
 require {
 	type amqp_port_t;
 	type nrpe_t;
 	class tcp_socket name_connect;
 }
 #============= nrpe_t ==============
 # let nagios plugin connect to rabbitmq management interface
 allow nrpe_t amqp_port_t:tcp_socket name_connect;
--- a/roles/rabbitmq_cluster/files/selinux-load.sh
+++ b/roles/rabbitmq_cluster/files/selinux-load.sh
@ -0,0 +1,9 @@
 #!/bin/sh
 set -e
 set -x
 checkmodule -M -m -o /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.te
 semodule_package -o /etc/nagios/nrpe_rabbitmq.pp -m /etc/nagios/nrpe_rabbitmq.mod
 semodule -i /etc/nagios/nrpe_rabbitmq.pp
 rm /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.pp
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@ -395,6 +395,24 @@
      federation-upstream: "pubsub-to-public_pubsub"
    vhost: /public_pubsub
 # SELinux: allow the Nagios NRPE plugin to access the management interface
 - name: install the selinux module compilation script
  copy:
    src: selinux-load.sh
    dest: /etc/nagios/selinux-load.sh
    mode: 0755
 - name: copy over our custom selinux module
  copy:
    src: nrpe_rabbitmq.te
    dest: /etc/nagios/nrpe_rabbitmq.te
  register: selinux_module
 - name: compile and install our custom selinux module
  command: /etc/nagios/selinux-load.sh
  when: selinux_module is changed
 # Individual applications accounts & queues
 - import_tasks: apps.yml
  tags:
  - rabbitmq_cluster