From f46144bd783289503173f682972ce45e7cc7fd20 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Fri, 12 Jan 2018 21:47:00 +0000
Subject: [PATCH] Add mirrorlist container selinux policy

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 .../files/selinux/mirrormanager_container.pp     | Bin 0 -> 7276 bytes
 .../files/selinux/mirrormanager_container.te     |  15 +++++++++++++++
 roles/nagios_client/tasks/main.yml               |   9 +++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 roles/nagios_client/files/selinux/mirrormanager_container.pp
 create mode 100644 roles/nagios_client/files/selinux/mirrormanager_container.te

diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.pp b/roles/nagios_client/files/selinux/mirrormanager_container.pp
new file mode 100644
index 0000000000000000000000000000000000000000..31b843535810b8ed8621363f7ff62c91b4f81c91
GIT binary patch
literal 7276
zcmc&&TaVkg6;|6tTeuHx(E|H=0Ka$u$D6eKl&9|QY|x<1B<O7VvM2;vI<ncJNR^~~
z0rD3X+uzoIlcy9PDcZ8eo_Ho{dH|0!;<?{=$RFRmdHa(r%YK?=+3&L~`_E@t_QSh3
zZ-1R-+4Z;dSE<_#y)b2~7%0EZvJB|I%p!cAWmzq)HMSO7EZF9S(OyW+_Gej^J()fJ
zQ-|3HaKP`g?qgB_5&)G{{PPY+G!5(W7oCa=_QHFc7(flY1I+xNT=?Af1)h3O&|il#
z`2DKmnPdR^csm1g4;?{r3RT;NbN`!8_fuGVhOj&Lzss@=&O3#F=x=2fxli_-g2W2X
z1aNlxANJvw{!h=o-GCup3g8eA^!?v4+LS^=+M$e;6hpkkKdtwnk2~ad%(fv8vL7(y
zli<{M@E-C)C;_KvKGye-1+W2eMKUHIrzc{T>MZ3?!bjcgQ`sjHJW(gH7W!XN7kh%3
z`~7v)!I50=qa1^OzkBm`JQ~xbv|M;&x6}yl*=k3VQre3V7GDV~YW8g1)6tlo%&0WA
zked9q;nA4>Fr%GjfhuykNb7%`QMqFuX-0PeME;EztrC`CXip{l`>}Kitj|zq6coDN
z)^np|K}zbIo<>UFglK$Pt>B``Yki?b%_Y5(4ZAO%J%9GHr&uK`^MBXOnc{}M>#2n=
zpIj}t>uY6-8!CAv3np#Kep=1dr`IW_)i+CFMd8_=(5zV6PwuU#*)vog$|LtyXeYfi
zdKbswQ4~;E%SBn{UEi3*-Y_kt1@Tn#Iy?&{oSU$_n0^mBB<?>@Gf~){)q~jtm0B$~
zsXN8o>#Gc5XToSqqcL5#O=GO5S`^kes*ELvbT$>m#!kU3b|iF34cl5eCykE&`EDs)
z>@sd?T2+$KYD-J8;sfddEhHp?kH{~1I~r3VbfmUiv1MHxvWN<NVQgQAS#-%)O7+?=
z^bC!!Q+yWzplPEY?K^cJZMMU^0!}QV;|P~`Eka5cmrj8_=S$(m!ixGf0(Dt(?JXZ$
z@0MTd#>$mcyx?-cgeJTxR9iAxv6ju0G<!7iDK!Ee>Y`KQOo-X>;&xUXra(x^SNp6W
zZ>Tn{_8|<dj_<*ZZtFbPJ#X~Mkaw+<deK=0wB(Z^USU~ypd!-e5_Nce_uf~=htS4N
z;zNwO<!QL=h%36VpW(;ok^z2TYZ|r!-O!O=3Qx5uWwj;eh37kLIG>@JJGLu+FGt6^
z43S1r$%Pi`j{Mmn>yj)NELR}a?AOL(o(cQ(z8HsT6}7((SxSGW=dZpA9U;M)bu$ie
zy5e=OP(nuqGgQ@n3{BJL0DyEb8}3HJV*u>K!R=sPI|Lvfo2eXR^k%669Fkpk1JB`{
za|ocgHH|nrm_h~slB1)7qk|D)0QU;Zb;E@e>Qrc6JEn<cQHIX4w$k$jc{Dd9Ud#rl
z*?D09;V-=1Z!_0yF@U9b2bq=RGHu$&XN?iIKvOru%ehq2Z=VK3A?~Zzn_75TJeb4f
zR*PB|M??o3AmpWAvZcnFf}QI*sI&5a4)==VpIJ3*yAdKe+AU?}^+dPzR7vM&vspZ_
zgzuO#2%kx}HF;U{K47xaC07&PG<NE3%lRC0^t2Mnb?=c;{Uw!#9ckm^h~t;C*H7}C
zb*ZH0JP#f%+q&LH9kDA)?bvz}q<Iaj8By!F4E=UACbqV*Qu`@66O=8KaTwq&Yrka7
zKbVl_IE_kOvi4k3VJuFfYJ1<keKf|H)flxFR!?enPAt0fUC@FAVFmrOTa1ZvCItJV
z0Jiohe+`R`P3&j1^X+I%wYXstdh3_apb}C&z`zCTymf3R_=915N{!`8Zl+|7;@q*H
zQmtHGawS^j6|Y#uFIMOUPwD%*aCsp-FN~G!(lCD}1SdcV+#K-6PrBz6G98EW#!C9_
z^r)CKg+wWZ&^d3oNGB7#w_eQSO~QSS1fy|Kd2WoF1fO-z$yY+PAw%w`S+HMtH@S*6
zRC1w&4apqbinqrok79E5=t(>+JwOE9c}v9J$Lz=jDK1E%we(9gQ>leUrzWXMY7A3h
z1l4WLRu*Jz$u=Up$E3`f9qKdkSjxqcoey;ZxL3g7mXL35ay5MsT@(MO%9^^<wx{eq
z3p;;JUOdoUUkisT9wa*<!rhrKjy=k(!`=tul4bWYtbbrwOJ9Tnp0i&wYjUQw1yh4d
zCLH-Ns3{{#Bx?5+qh_m^Ts)SB-hL;9Dtl%ui84%z=<|sO#?_j2jM1H3_H0_mF&jMF
zN)+s-$WGH>8Wu`z_kG;*zglUT!fp}UBQ4{`RJFPQ!IYfDLAL&q)<%2cO#_?bSsQ6r
zk-%*mlXN7o|3h7xj4z(PFQJ0n&vmf3YJF>=cG5YW#^=G7or|Miu<?z_bKNN6IaaxC
z6}wn{XZYy@#O`#wCHE|YUv_aw*|HR2%UwkG-wDC$OI-2R!QmCHIr#}eN8)tN4(@4n
z$jZ?6NH}sB9m5zm-v-=W78{E=g50dwT3K>O)m@3qIc)Ujs`%~3<GPH{f>~%sruDdu
z!H&6UEQi|{9Kyogi)Jpvp?l6`83&zkG0;Oro`rrl93_A}dw=H&e*3O-M{M8WXn3wY
Li8T7_AY%Uo^j^yC

literal 0
HcmV?d00001

diff --git a/roles/nagios_client/files/selinux/mirrormanager_container.te b/roles/nagios_client/files/selinux/mirrormanager_container.te
new file mode 100644
index 0000000000..6180969c69
--- /dev/null
+++ b/roles/nagios_client/files/selinux/mirrormanager_container.te
@@ -0,0 +1,15 @@
+module mirrormanager_container 1.0;
+
+require {
+    type container_t;
+    type container_file_t;
+    type mirrormanager_log_t;
+    type nrpe_t;
+    class file { append getattr };
+}
+
+# Allow mirrorlist to append to its log
+allow container_t mirrormanager_log_t:file append;
+# Allow nrpe to check file age of mirrorlist pkl files
+allow nrpe_t container_file_t:file getattr;
+
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 329d50f0c2..0c55d78e11 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -99,6 +99,15 @@
   command: semodule -i /usr/share/nrpe/fi-nrpe.pp
   when: ansible_distribution_major_version|int == 7 and selinux_module|changed
 
+- name: copy over our custom selinux module for mirrorlist
+  copy: src=selinux/fi-nrpe.pp dest=/usr/share/nrpe/mirrormanager_container.pp
+  register: selinux_module_mirrorlist
+  when: 'proxy' in inventory_hostname
+
+- name: install our custom selinux module for mirrorlist
+  command: semodule -i /usr/share/nrpe/mirrormanager_container.pp
+  when: 'proxy' in inventory_hostname and selinux_module|changed
+
 
 # Set up our base config.
 - name: /etc/nagios/nrpe.cfg