From 7ff8a5e85b19ef758ea98b4be7757f23f6d50f8a Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Mon, 17 Nov 2014 02:31:59 +0000 Subject: [PATCH] Try to set the collectd redis monitoring straight with selinux. --- .../files/selinux/fi-collectd-fcomm.mod | Bin 0 -> 1522 bytes .../files/selinux/fi-collectd-fcomm.pp | Bin 0 -> 1538 bytes .../files/selinux/fi-collectd-fcomm.te | 17 ++++++++ roles/collectd/fcomm-queue/tasks/main.yml | 39 ++++++++++++++++++ 4 files changed, 56 insertions(+) create mode 100644 roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.mod create mode 100644 roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.pp create mode 100644 roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te diff --git a/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.mod b/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.mod new file mode 100644 index 0000000000000000000000000000000000000000..c95ef0cd5b4e34429f86b8f587c6705ce520962a GIT binary patch literal 1522 zcmb_cyG{c!5FFkJApw67(FZ|64GkSse1MhseBr>c(ZwgF;1~E{D$oS4SXp-|LPoOA z+MAty*xt|YkFPTT&kv)=CUncuQ>;4gb^)9K*a2{iUt9pFo3V}FJDaL;ZR32t2jJ%F z`aW|ssKF)v+*6N>@ZrtWjd%Om*1Ac>JweW4UIckZ01g1SrL$df+>+izn>_zff9BF8 zrB+LxXPN9~LNuwJgatXwKEAskX)#qvFHT>bO{UeQ4ebf)aj~1!6-`3>`O3ynH#5V8 zOghbOL-fUq^FDJ~vhXBLEj?|5Nj$c))tV&dXVNOQH7G+7(piG4T#^c-ie01R314SL zNIZQCrSCRk^mS*GI@k+hsE%9Jn@#JG$1@b;GUp)ByfP+lC9#gf+uO$xl)eJ?w2XI` zf0p*X^B>avk9}KUZ9E4VSaMJKpdPUa_+7QiP0T zd9|K>+TQQgVz~!^>k`1%YO%Zk@cJ}(Zv1RMcnQ_a*?jSINxyU}9VNDLKqOd|EGQF;&V$7`@vvnpT(AClmC?#ctBC_$0KQ ztIFW(W^9;{iRa0zk3M~~&Lu8O7M`T3U5^@XBCjoPwI<2^nYd1E1M*OWbe5o3E=h$^ zMX!+RwQ za$5m=n#X%chq=D%{`>s?N53nuHr|5_EP1Eg`35+gw2m_QGC}lvlL?Vc0d3BSpnttS S;{;g$a;@Z#|NGVYqzgZR8fcaP literal 0 HcmV?d00001 diff --git a/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te b/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te new file mode 100644 index 0000000000..bb7c6ec5d0 --- /dev/null 
+++ b/roles/collectd/fcomm-queue/files/selinux/fi-collectd-fcomm.te
@@ -0,0 +1,17 @@
+
+module fi-collectd-fcomm 1.0;
+
+require {
+ type bin_t;
+ type collectd_t;
+ type ldconfig_exec_t;
+ type shell_exec_t;
+ class file { read getattr open ioctl execute execute_no_trans };
+ class lnk_file { read };
+}
+
+allow collectd_t bin_t:file ioctl;
+allow collectd_t bin_t:lnk_file read;
+allow collectd_t ldconfig_exec_t:file { read execute open execute_no_trans };
+
+allow collectd_t shell_exec_t:file { getattr execute_no_trans };
diff --git a/roles/collectd/fcomm-queue/tasks/main.yml b/roles/collectd/fcomm-queue/tasks/main.yml
index a7d7c5675a..b23df4e291 100644
--- a/roles/collectd/fcomm-queue/tasks/main.yml
+++ b/roles/collectd/fcomm-queue/tasks/main.yml
@@ -21,3 +21,42 @@
 tags:
 - collectd
 notify: restart collectd
+
+# Three tasks for handling our custom selinux module.
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/share/collectd state=directory
+ tags:
+ - collectd
+ - selinux
+
+- name: copy over our fcomm collectd selinux module
+ copy: src=selinux/fi-collect-fcomm.pp dest=/usr/share/collectd/fi-collect-fcomm.pp
+ register: selinux_module
+ tags:
+ - collectd
+ - selinux
+
+- name: check to see if its even installed yet
+ shell: semodule -l | grep fi-collect-fcomm
+ register: selinux_grep
+ always_run: true
+ changed_when: "1 != 1"
+ tags:
+ - collectd
+ - selinux
+ ignore_errors: True
+
+- name: install our fcomm collectd selinux module
+ command: semodule -i /usr/share/collectd/fi-collect-fcomm.pp
+ when: selinux_module|changed or selinux_grep|failed
+ tags:
+ - collectd
+ - selinux
+
+- name: lastly, set some selinux booleans
+ seboolean: name={{item}} persistent=yes state=yes
+ with_items:
+ - collectd_tcp_network_connect
+ tags:
+ - collectd
+ - selinux
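Review bot: The two rules granting collectd_t `execute_no_trans` on `ldconfig_exec_t` and on `shell_exec_t` let collectd run ldconfig and a shell inside its own domain with no transition, so whatever those helpers do runs with every permission collectd_t already holds, and nothing in the file records which plugin or script needs this. The uneven permission sets (getattr and execute_no_trans on shell_exec_t with no read or open, ioctl alone on bin_t) look like raw audit2allow output from a single run of the redis monitoring, so a header comment such as `# Denials from the collectd redis monitoring helper (presumably run via the exec plugin); regenerate from audit logs rather than hand-editing` would tell the next maintainer why each rule exists, and if the ldconfig access is only a probe rather than a requirement a dontaudit would be narrower than an allow. The .mod and .pp in this commit are compiled binaries that cannot be diffed against this .te, so the installed policy is not traceable to the source; building them at deploy time with `checkmodule -M -m -o fi-collectd-fcomm.mod fi-collectd-fcomm.te` followed by `semodule_package -o fi-collectd-fcomm.pp -m fi-collectd-fcomm.mod` would keep the two in step.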
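Review bot: The filenames in the new tasks do not match the files this commit adds: the copy task reads `selinux/fi-collect-fcomm.pp` and the grep and semodule commands use `fi-collect-fcomm`, while the added files are `fi-collectd-fcomm.{te,mod,pp}` and the module declares itself `fi-collectd-fcomm`, so the copy fails on first run, and even after a rename the grep never matches that name and `semodule -i` would run on every play. The three lines should read `copy: src=selinux/fi-collectd-fcomm.pp dest=/usr/share/collectd/fi-collectd-fcomm.pp`, `shell: semodule -l | grep '^fi-collectd-fcomm'`, and `command: semodule -i /usr/share/collectd/fi-collectd-fcomm.pp`, the anchored grep also avoiding a false hit on any other module whose name contains the string. `changed_when: "1 != 1"` reads as a riddle where `changed_when: false` states the intent directly, and the comment above the block says "Three tasks" while five follow, so `# Tasks for installing our custom selinux module and its booleans.` would be accurate.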