Improve the common collectd selinux module

- Add a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1731501 - Update the playbook to support module upgrades, not only fresh installs Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2023-05-26 12:20:52 +02:00 · 2023-05-26 12:20:52 +02:00 · 7b2ab9e07f
commit 7b2ab9e07f
parent 09c7c868c6
5 changed files with 43 additions and 8 deletions
--- a/roles/collectd/base/files/selinux/Makefile
+++ b/roles/collectd/base/files/selinux/Makefile
@ -0,0 +1,22 @@
+detected_mods := $(wildcard *.te)
+detected_fcs := $(detected_mods:.te=.fc)
+all_packages := $(notdir $(detected_mods:.te=.pp))
+
+.PHONY: all
+.SUFFIXES: .pp
+
+all: $(all_packages)
+
+%.mod: %.te
+	checkmodule -m $^ -o $@
+
+# If we have file contexts one day:
+# %.pp: %.mod %.fc
+# 	semodule_package -o $@ -m $< -f $(<:.mod=.fc)
+
+%.pp: %.mod
+	semodule_package -o $@ -m $<
+
+# so users dont have to make empty .fc and .if files
+$(detected_fcs):
+	touch $@
--- a/roles/collectd/base/files/selinux/fi-collectd.mod
+++ b/roles/collectd/base/files/selinux/fi-collectd.mod
--- a/roles/collectd/base/files/selinux/fi-collectd.pp
+++ b/roles/collectd/base/files/selinux/fi-collectd.pp
--- a/roles/collectd/base/files/selinux/fi-collectd.te
+++ b/roles/collectd/base/files/selinux/fi-collectd.te
@ -1,4 +1,4 @@
-module fi-collectd 1.10.0;
+module fi-collectd 1.11.0;

 require {
    type shell_exec_t;
@ -14,7 +14,7 @@ require {
    type var_run_t;
    type anon_inodefs_t;
    type initrc_t;
- lgtype proc_net_t;
+    type proc_net_t;

    class capability { kill setuid dac_read_search sys_ptrace setgid dac_override };
    class dir { getattr read };
@ -22,6 +22,7 @@ require {
    class lnk_file read;
    class sock_file { read write getattr };
    class unix_stream_socket connectto;
+    class netlink_generic_socket create;
 }

 #============= collectd_t ==============
@ -39,4 +40,5 @@ allow collectd_t tmp_t:dir read;
 allow collectd_t var_run_t:sock_file { read write getattr };
 allow collectd_t anon_inodefs_t:file { write read };
 allow collectd_t initrc_t:unix_stream_socket connectto;
-atlow collectd_t proc_net_t:lnk_file read;
+allow collectd_t proc_net_t:lnk_file read;
+allow collectd_t self:netlink_generic_socket create;
--- a/roles/collectd/base/tasks/main.yml
+++ b/roles/collectd/base/tasks/main.yml
@ -132,18 +132,29 @@
  - collectd
  - selinux

- name: check to see if its even installed yet
-  shell: semodule -l | grep fi-collectd | wc -l
-  register: ficgeneral_grep
+# TODO: consider using selinux_modules from https://galaxy.ansible.com/linux-system-roles/selinux instead
+- name: check to see what version is installed (if any)
+  shell: semodule -l -m | grep fi-collectd | cut -d: -f2
+  register: ficgeneral_installed_version
  check_mode: no
-  changed_when: "'0' in ficgeneral_grep.stdout"
+  changed_when: false
+  tags:
+  - collectd
+  - selinux
+
+# This cmd comes from the last example of the semodule man page
+- name: check to see what version we have
+  shell: /usr/libexec/selinux/hll/pp /usr/share/collectd/fi-collectd.pp | sha256sum | cut -d ' ' -f1
+  register: ficgeneral_local_version
+  check_mode: no
+  changed_when: false
  tags:
  - collectd
  - selinux

 - name: install our general collectd selinux module
  command: semodule -i /usr/share/collectd/fi-collectd.pp
-  when: ficgeneral_module is changed or ficgeneral_grep is changed
+  when: ficgeneral_module is changed or ficgeneral_installed_version != ficgeneral_local_version
  tags:
  - collectd
  - selinux