[copr] backend: add custom selinux policy for nrpe checks
This commit is contained in:
Valentin Gologuzov
parent
6a4e823ce3
commit
f64c4b1c44
6 changed files with 36 additions and 7 deletions
4
roles/copr/backend/files/selinux/compile.sh
Normal file
4
roles/copr/backend/files/selinux/compile.sh
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/sh
|
||||
|
||||
checkmodule -M -m -o nrpe_copr.mod nrpe_copr.te
|
||||
semodule_package -o nrpe_copr.pp -m nrpe_copr.mod
|
||||
BIN
roles/copr/backend/files/selinux/nrpe_copr.mod
Normal file
BIN
roles/copr/backend/files/selinux/nrpe_copr.mod
Normal file
Binary file not shown.
BIN
roles/copr/backend/files/selinux/nrpe_copr.pp
Normal file
BIN
roles/copr/backend/files/selinux/nrpe_copr.pp
Normal file
Binary file not shown.
11
roles/copr/backend/files/selinux/nrpe_copr.te
Normal file
11
roles/copr/backend/files/selinux/nrpe_copr.te
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
|
||||
module copr_nrpe 1.0;
|
||||
|
||||
require {
|
||||
type redis_port_t;
|
||||
type nrpe_t;
|
||||
class tcp_socket name_connect;
|
||||
}
|
||||
|
||||
#============= nrpe_t ==============
|
||||
allow nrpe_t redis_port_t:tcp_socket name_connect;
|
||||
|
|
@ -121,7 +121,7 @@
|
|||
tags:
|
||||
- config
|
||||
|
||||
- name: copy signe.conf
|
||||
- name: copy sign.conf
|
||||
template: src=sign.conf dest=/etc/sign.conf owner=root group=copr mode=640
|
||||
tags:
|
||||
- config
|
||||
|
|
@ -142,9 +142,5 @@
|
|||
- cron: name="kill VMs in error state" minute="*/15" job="/root/instant-instance-killer.sh"
|
||||
when: not devel
|
||||
|
||||
- name: install nrpe checks
|
||||
template: src=copr_backend_nrpe.cfg dest=/etc/nrpe.d/copr_backend_nrpe.cfg
|
||||
notify:
|
||||
- restart nrpe
|
||||
tags:
|
||||
- nagios_client
|
||||
- name: setup monitoring
|
||||
include: "monitoring.yml"
|
||||
|
|
|
|||
18
roles/copr/backend/tasks/monitoring.yml
Normal file
18
roles/copr/backend/tasks/monitoring.yml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
- name: install nrpe checks
|
||||
template: src=copr_backend_nrpe.cfg dest=/etc/nrpe.d/copr_backend_nrpe.cfg
|
||||
notify:
|
||||
- restart nrpe
|
||||
tags:
|
||||
- nagios_client
|
||||
|
||||
# Three tasks for handling our custom selinux module
|
||||
- name: ensure a directory exists for our custom selinux module
|
||||
file: dest=/usr/local/share/copr state=directory
|
||||
|
||||
- name: copy over our custom selinux module
|
||||
copy: src=selinux/nrpe_copr.pp dest=/usr/local/share/copr/fedmsg.pp
|
||||
register: selinux_module
|
||||
|
||||
- name: install our custom selinux module
|
||||
command: semodule -i /usr/local/share/copr/fedmsg.pp
|
||||
when: selinux_module|changed
|
||||
Loading…
Add table
Add a link
Reference in a new issue