From 8acd5234255fb8232ac9f8f08cee94fc5d62cd9e Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Thu, 17 Jul 2014 19:48:06 +0000
Subject: [PATCH] NRPE selinux policy.

---
 roles/nagios_client/files/selinux/fi-nrpe.mod | Bin 0 -> 930 bytes
 roles/nagios_client/files/selinux/fi-nrpe.pp | Bin 0 -> 946 bytes
 roles/nagios_client/files/selinux/fi-nrpe.te | 11 +++++++++++
 roles/nagios_client/tasks/main.yml | 14 +++++++++++++-
 4 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 roles/nagios_client/files/selinux/fi-nrpe.mod
 create mode 100644 roles/nagios_client/files/selinux/fi-nrpe.pp
 create mode 100644 roles/nagios_client/files/selinux/fi-nrpe.te

diff --git a/roles/nagios_client/files/selinux/fi-nrpe.mod b/roles/nagios_client/files/selinux/fi-nrpe.mod
new file mode 100644
index 0000000000000000000000000000000000000000..f0552460cdce8fc9d650190be0049b226bc61f47
GIT binary patch
literal 930
zcmb_a%Sr=55Uj+2!5qBhoF7p154?DbCqH0FVrLoI>@K^r5W!#YgFPvgY(cZ^iiZ?5 zJ=2fs9;Uv2KEH1Pygskiv1pI0m-4O6Z3^H9zy!b?XIul=$Gf7g>_rlU5rB)>zq_X<;-Igh|e#F$7;KH<7<`5_0`>I6|>n?Pk zU9ykRlzkDakS=rgWLMi*u(d5i`epnBqR>MK#Rx7#Q(oRLIabHVDefU|@d%#pKQo6l y{9X%yO*&9VFaq>@;llaC3rYd@h%?Zk<#_$97ct73%

literal 0
HcmV?d00001

diff --git a/roles/nagios_client/files/selinux/fi-nrpe.te b/roles/nagios_client/files/selinux/fi-nrpe.te
new file mode 100644
index 0000000000..91bcdcc972
--- /dev/null
+++ b/roles/nagios_client/files/selinux/fi-nrpe.te
@@ -0,0 +1,11 @@
+module fi-nrpe 1.0;
+
+require {
+ type nagios_system_plugin_t;
+ type nrpe_exec_t;
+ class file getattr;
+}
+
+#============= nagios_system_plugin_t ==============
+allow nagios_system_plugin_t nrpe_exec_t:file getattr;
+
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 0f47da9ada..afef03ad33 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
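Review bot: The compiled fi-nrpe.pp (and the intermediate fi-nrpe.mod) are committed as opaque binaries next to this 11-line .te source, so nothing on the page lets a reviewer confirm that the policy the playbook actually loads (`copy: src=selinux/fi-nrpe.pp` followed by `semodule -i`) was built from the source under review. Consider committing only the .te and building it on the target at deploy time (`checkmodule -M -m -o fi-nrpe.mod fi-nrpe.te` then `semodule_package -o fi-nrpe.pp -m fi-nrpe.mod`), which also removes the need to keep the .mod in the repository. The rule itself is appropriately narrow — a single `getattr` on `nrpe_exec_t` for `nagios_system_plugin_t` — but the audit2allow-style header records nothing about why it is needed; a comment above the allow line such as `# presumably answers an AVC denial when a nagios plugin stat()s the nrpe binary — confirm which check triggers it and note it here so the grant can be revisited` would let the next maintainer judge whether it is still required.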
@@ -43,8 +43,20 @@
 # skvidal 2013-05-21
-# FIXME? figure out nrpe selinux policy of DOOM is needed
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/share/nrpe state=directory
+- name: copy over our custom selinux module
+ copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/fi-nrpe.pp
+ register: selinux_module
+
+- name: install our custom selinux module
+ command: semodule -i /usr/share/nrpe/fi-nrpe.pp
+ when: selinux_module|changed
+
+
+# Set up our base config.
 - name: /etc/nagios/nrpe.cfg
 template: src=nrpe.cfg.j2 dest=/etc/nagios/nrpe.cfg
 notify: