From d61307e30c2a567d71678d122c6f8a9fab5a38fa Mon Sep 17 00:00:00 2001
From: Ralph Bean <rbean@redhat.com>
Date: Wed, 5 Nov 2014 16:04:43 +0000
Subject: [PATCH] Separate fi-collectd into two separate selinux modules.

---
 .../base/files/selinux/fi-collectd.mod        | Bin 2353 -> 2185 bytes
 .../base/files/selinux/fi-collectd.pp         | Bin 2369 -> 2201 bytes
 .../base/files/selinux/fi-collectd.te         |   4 +--
 .../base/files/selinux/fi-pstorefs.mod        | Bin 0 -> 906 bytes
 .../base/files/selinux/fi-pstorefs.pp         | Bin 0 -> 922 bytes
 .../base/files/selinux/fi-pstorefs.te         |  11 +++++++
 roles/collectd/base/tasks/main.yml            |  27 ++++++++++++++++--
 7 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 roles/collectd/base/files/selinux/fi-pstorefs.mod
 create mode 100644 roles/collectd/base/files/selinux/fi-pstorefs.pp
 create mode 100644 roles/collectd/base/files/selinux/fi-pstorefs.te

diff --git a/roles/collectd/base/files/selinux/fi-collectd.mod b/roles/collectd/base/files/selinux/fi-collectd.mod
index 0f8a515ab05a03308e2d144b2524cb640150de9b..f7115c007385bfec60e78b0033f0b726a211208f 100644
GIT binary patch
delta 155
zcmdle)G0W@fze{4;|)euHU<U;w#jl#D;U`(FJzMDPtMQDNlh+Ei7(+~U|?VZiA^?R
zwq<0Synsb|@?#c>$@we-leaV5z}eC)Ft){HZdMVnxHr4RWPer-FuR}C2d-A0U1YL8
g3&&)6wh%`9$qMY|n^&_PU}R*QoWoH!nT1mq08Q;H&j0`b

delta 186
zcmeAa+$c1`fzf=U;|)eub_NCp_Q`TgD;U`)FJzMDNY2m6Nlh+EnS6jriKC#nB)=#%
zt$6Y)rufN*tTK!all55CC-*YjKv^H5EdR-Cm^dcyW#)m3>#|5p=425NWn^GraDZYE
y8w5aRNKanN0y9I96~yvmoz7T4c^;ejW?8lajEwA)@3GhMa4|42z}?`-VGRHVvoCG{

diff --git a/roles/collectd/base/files/selinux/fi-collectd.pp b/roles/collectd/base/files/selinux/fi-collectd.pp
index f07fcbf9d7ba3010ecd122ed88bde4355ba1577a..ad2e044dc2afffbb5742f08d433fe94265678f3d 100644
GIT binary patch
delta 155
zcmX>oG*fUw0Hejmz#ELLYzzzxY?JkvRxq+n-pC})pPZkQlbT$T5?{i}z`(!+5}WMC
zY|F?tc>{~|<j*V;lj~UoCLd?EfwQ$)U~G%Y(ySt2@o095$?>cjVD@}gAGlh5c9F^U
gEF6>d*+LlYCmXPvZ{E#zfRT}Hat%k_WD!nX0O9Q|&j0`b

delta 186
zcmbO!cu;6U0HgWFz#ELL><kPH?34AFRxq+p-pC})k({5ClbT$TGWi0N5=TLCNq$jk
zTJhvxO!1Q)S!Ea<Cfl*7PoB$c17$I?Kv@2h_b_oxKFiDl6}M%Pm@LU6Aj-(Vz~BJI
zAT|hq%#fbE7phZzvLY+Uj5yZmjP;Y(v6*kyWjnyg$UgZUdmRrK0|Nux4RIXS07#)Q
AF8}}l

diff --git a/roles/collectd/base/files/selinux/fi-collectd.te b/roles/collectd/base/files/selinux/fi-collectd.te
index 2b9dbe1af6..cce9f1e52d 100644
--- a/roles/collectd/base/files/selinux/fi-collectd.te
+++ b/roles/collectd/base/files/selinux/fi-collectd.te
@@ -1,5 +1,5 @@
 
-module fi-collectd 1.7;
+module fi-collectd 1.8;
 
 require {
     type shell_exec_t;
@@ -7,7 +7,6 @@ require {
 	type bin_t;
 	type configfs_t;
 	type init_t;
-	type pstorefs_t;
 	type collectd_t;
 	class sock_file { read write getattr };
 	class unix_stream_socket connectto;
@@ -20,7 +19,6 @@ require {
 allow collectd_t bin_t:file { execute execute_no_trans };
 allow collectd_t configfs_t:dir getattr;
 allow collectd_t init_t:unix_stream_socket connectto;
-allow collectd_t pstorefs_t:dir getattr;
 allow collectd_t self:capability { setuid dac_read_search sys_ptrace setgid dac_override };
 allow collectd_t var_run_t:sock_file { read write getattr };
 allow collectd_t shell_exec_t:file execute;
diff --git a/roles/collectd/base/files/selinux/fi-pstorefs.mod b/roles/collectd/base/files/selinux/fi-pstorefs.mod
new file mode 100644
index 0000000000000000000000000000000000000000..9b2399ea0e30623f1220709a0dc13d9be8fe88ee
GIT binary patch
literal 906
zcmb`FK@Pz{7=<4egoP{g0)!jb*s*eehIT5IMrArpEL_2Xt;nNKCyk1QFPTjJ^ZtL{
z#Jk=vw=satGFYX@@*J%5xXer!zz{$OzyL2s0FrcaDqL<&QuF}Kr?W+M>ccKBN{D`Q
zCvj@~Re5jR);TK$?~*Ft9Zcjx>)+7!P3T#^xoalz`=UI{OyuIw>4j}dJvDUCAz#o0
zc_*q7-p{3T`cvJfsgvIKPc&QS!q@#WtEtgH)|?~S>h#f^C2ws#|Em8B`sMrM^c_c*
YxEM>t(T|qmR!2%5+!?PrLjK7o9=O;t*Z=?k

literal 0
HcmV?d00001

diff --git a/roles/collectd/base/files/selinux/fi-pstorefs.pp b/roles/collectd/base/files/selinux/fi-pstorefs.pp
new file mode 100644
index 0000000000000000000000000000000000000000..9eb001a1b58f8ddf8c69768a5a771e51910bf801
GIT binary patch
literal 922
zcmb`FK@Pz{7=<4egat=%0m2Pz>{vNKLpzm9qtcGV!WG1MyQ)0;m^3OD{gTPlKX3m3
zO}u+?&07GtMgVTbH6H@lEXS+pc)pC+NpOx$8$iF5_3&Z<AdDub%qFP`vkrjybhao@
zT{M6aqTk#}5T)I+yf=1hZ7Kz4NtNsl#<yPTPN@4P^eo@p)swjQ{3MQzZv)Tjg>_0j
z)w9ngKTrpGC#n(7=h8X-sqRwMN$>h6>aBC(>i+3f)#x9q_7Qb;`l$Ajx4Jt`)tiET
g`Tih!$B`v2#!_)~qoufgBBdML8Lv--+>>uS0L_6l?EnA(

literal 0
HcmV?d00001

diff --git a/roles/collectd/base/files/selinux/fi-pstorefs.te b/roles/collectd/base/files/selinux/fi-pstorefs.te
new file mode 100644
index 0000000000..1cd02945f4
--- /dev/null
+++ b/roles/collectd/base/files/selinux/fi-pstorefs.te
@@ -0,0 +1,11 @@
+
+module fi-pstorefs 1.0;
+
+require {
+	type pstorefs_t;
+	type collectd_t;
+	class dir getattr;
+}
+
+#============= collectd_t ==============
+allow collectd_t pstorefs_t:dir getattr;
diff --git a/roles/collectd/base/tasks/main.yml b/roles/collectd/base/tasks/main.yml
index ea6f70a963..4b864ed116 100644
--- a/roles/collectd/base/tasks/main.yml
+++ b/roles/collectd/base/tasks/main.yml
@@ -57,13 +57,13 @@
   when: collectd_apache is defined
 
 
-# Three tasks for handling our custom selinux module
+# Three tasks for handling our (two) custom selinux modules.
 - name: ensure a directory exists for our custom selinux module
   file: dest=/usr/share/collectd state=directory
   tags:
   - collectd
 
-- name: copy over our custom selinux module
+- name: copy over our general collectd selinux module
   copy: src=selinux/fi-collectd.pp dest=/usr/share/collectd/fi-collectd.pp
   register: selinux_module
   tags:
@@ -76,12 +76,33 @@
   - collectd
   ignore_errors: True
 
-- name: install our custom selinux module
+- name: install our general collectd selinux module
   command: semodule -i /usr/share/collectd/fi-collectd.pp
   when: selinux_module|changed or selinux_grep|failed
   tags:
   - collectd
 
+- name: copy over our pstorefs/collectd selinux module (rhel6 has no pstorefs)
+  copy: src=selinux/fi-pstorefs.pp dest=/usr/share/collectd/fi-pstorefs.pp
+  when: ansible_distribution_major_version != '6'
+  register: selinux_module
+  tags:
+  - collectd
+
+- name: check to see if its even installed yet
+  shell: semodule -l | grep fi-pstorefs
+  when: ansible_distribution_major_version != '6'
+  register: selinux_grep
+  tags:
+  - collectd
+  ignore_errors: True
+
+- name: install our pstorefs/collectd selinux module
+  command: semodule -i /usr/share/collectd/fi-pstorefs.pp
+  when: ansible_distribution_major_version != '6' selinux_module|changed or selinux_grep|failed
+  tags:
+  - collectd
+
 
   
 # each of the below should move to a separate task list