From f64c4b1c44feb02a0facf3daab9a44fb8b834cce Mon Sep 17 00:00:00 2001
From: Valentin Gologuzov
Date: Tue, 3 Feb 2015 01:53:50 +0100
Subject: [PATCH] [copr] backend: add custom selinux policy for nrpe checks

---
 roles/copr/backend/files/selinux/compile.sh | 4 ++++
 .../copr/backend/files/selinux/nrpe_copr.mod | Bin 0 -> 939 bytes
 roles/copr/backend/files/selinux/nrpe_copr.pp | Bin 0 -> 955 bytes
 roles/copr/backend/files/selinux/nrpe_copr.te | 11 +++++++++++
 roles/copr/backend/tasks/main.yml | 10 +++-------
 roles/copr/backend/tasks/monitoring.yml | 18 ++++++++++++++++++
 6 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100644 roles/copr/backend/files/selinux/compile.sh
 create mode 100644 roles/copr/backend/files/selinux/nrpe_copr.mod
 create mode 100644 roles/copr/backend/files/selinux/nrpe_copr.pp
 create mode 100644 roles/copr/backend/files/selinux/nrpe_copr.te
 create mode 100644 roles/copr/backend/tasks/monitoring.yml

diff --git a/roles/copr/backend/files/selinux/compile.sh b/roles/copr/backend/files/selinux/compile.sh
new file mode 100644
index 0000000000..f37b46c00f
--- /dev/null
+++ b/roles/copr/backend/files/selinux/compile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+checkmodule -M -m -o nrpe_copr.mod nrpe_copr.te
+semodule_package -o nrpe_copr.pp -m nrpe_copr.mod
diff --git a/roles/copr/backend/files/selinux/nrpe_copr.mod b/roles/copr/backend/files/selinux/nrpe_copr.mod
new file mode 100644
index 0000000000000000000000000000000000000000..5ebf1b7fa39959c5a1ee952876607f5401cd2957
GIT binary patch
literal 939
zcmb`F!D>P=5Jj&Rq?UsC2Yx}(KXBu&UG)P(jak@g^2m$Og}>kjcV)Twt`3g|y6`~A
zdowpP6LL@I=j^>(Ahe%eGtXTi85r!!_!5^&nQqi@EDm
zHB}CqZR?tpi!16@Lp5|0q8MR!F6B9;;+DQndOJN)ZRIUi`=5G!4WFF!>xf#Mv-E3e
nzS^04#qR~@rJrx!WyCJ}RX*h_DktAvyrn32y5D-q=KkUrzhgMD

literal 0
HcmV?d00001

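Review bot: compile.sh runs semodule_package unconditionally, so if checkmodule fails a stale nrpe_copr.mod left over from an earlier run is still packaged into nrpe_copr.pp without any error; adding `set -e` after the shebang stops that. The script also uses bare relative paths, so it presumably has to be run from files/selinux — a one-line comment such as `# run from this directory; rebuilds nrpe_copr.mod and nrpe_copr.pp from nrpe_copr.te` would tell the next person who edits the .te what to do. The .mod and .pp blobs added in this commit cannot be checked against the .te from the diff, so documenting that they are produced only by this script is what makes them reviewable at all.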
diff --git a/roles/copr/backend/files/selinux/nrpe_copr.pp b/roles/copr/backend/files/selinux/nrpe_copr.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ee51973408274b85416cda3c2fc54fe1422d7c69
GIT binary patch
literal 955
zcmb`FK}v%$5QSeAib_GfK~Es{25#Kdl?Mnm&7!qUe$o_N^a|p6yQ(~zSBD=1UG#&H
z|DSo8nUME$*zE@ZxE=s}A9nkD0PnBk=^}2w#&2o9U4<(Ek5zVqBewv2>avTu3)cXi
zpC&IgXHogP8q_~`Qhet&$$y42svY9TIyj$V48BOst~!xs%ixR4wp;64*gS8;HLSaO
z5Ub&&I%mxA-s&wt)!#4h?(KIJPaC*K{tr6_m0-+IaB{^J)p&^yKe

literal 0
HcmV?d00001

diff --git a/roles/copr/backend/files/selinux/nrpe_copr.te b/roles/copr/backend/files/selinux/nrpe_copr.te
new file mode 100644
index 0000000000..9eccd7a589
--- /dev/null
+++ b/roles/copr/backend/files/selinux/nrpe_copr.te
@@ -0,0 +1,11 @@
+
+module copr_nrpe 1.0;
+
+require {
+	type redis_port_t;
+	type nrpe_t;
+	class tcp_socket name_connect;
+}
+
+#============= nrpe_t ==============
+allow nrpe_t redis_port_t:tcp_socket name_connect;
diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml
index 0715057e5b..64b7acf446 100644
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@@ -121,7 +121,7 @@
   tags:
   - config
 
-- name: copy signe.conf
+- name: copy sign.conf
   template: src=sign.conf dest=/etc/sign.conf owner=root group=copr mode=640
   tags:
   - config
@@ -142,9 +142,5 @@
 - cron: name="kill VMs in error state" minute="*/15" job="/root/instant-instance-killer.sh"
   when: not devel
 
-- name: install nrpe checks
-  template: src=copr_backend_nrpe.cfg dest=/etc/nrpe.d/copr_backend_nrpe.cfg
-  notify:
-  - restart nrpe
-  tags:
-  - nagios_client
+- name: setup monitoring
+  include: "monitoring.yml"
diff --git a/roles/copr/backend/tasks/monitoring.yml b/roles/copr/backend/tasks/monitoring.yml
new file mode 100644
index 0000000000..dd37fc282d
--- /dev/null
+++ b/roles/copr/backend/tasks/monitoring.yml
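Review bot: The module declares itself `copr_nrpe` while every file in this commit is named nrpe_copr.* and monitoring.yml installs it as fedmsg.pp, so the name an operator sees in `semodule -l` matches none of the file names; pick one name and use it for the module line, the files and the install path. The rule itself is narrow (nrpe_t may name_connect to redis_port_t and nothing else), but the .te says nothing about why it exists — a comment above the allow line, e.g. `# the copr nrpe check runs as nrpe_t and must reach the local redis port`, records the intent for whoever audits the policy later. The committed .mod/.pp blobs cannot be compared with this text in review, so the .te should be stated to be the source of truth and the blobs rebuilt from it whenever it changes.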
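Review bot: The new `include: "monitoring.yml"` task carries no tags, whereas the task it replaces was tagged nagios_client; a run limited with `--tags nagios_client` should now skip the include entirely, so neither the nrpe check nor the SELinux module that lets it reach redis gets deployed that way. Adding `  tags:` / `  - nagios_client` to the include task should apply the tag to everything in monitoring.yml and restore the previous behaviour, as far as I recall how tags on an include propagate in this Ansible generation. The three selinux tasks inside monitoring.yml have no tags of their own, so the include is the one place the tag can be set without touching each of them.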
@@ -0,0 +1,18 @@
+- name: install nrpe checks
+  template: src=copr_backend_nrpe.cfg dest=/etc/nrpe.d/copr_backend_nrpe.cfg
+  notify:
+  - restart nrpe
+  tags:
+  - nagios_client
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+  copy: src=selinux/nrpe_copr.pp dest=/usr/local/share/copr/fedmsg.pp
+  register: selinux_module
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/copr/fedmsg.pp
+  when: selinux_module|changed
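Review bot: The `semodule -i` task runs only when the copy task reported a change, so a host where /usr/local/share/copr/fedmsg.pp already exists but the module is not loaded (removed by hand, a fresh policy store, or an earlier run that failed between the copy and the install) never gets the policy, and the nrpe check keeps hitting the denial with nothing in the playbook output to say so. Gating the install on whether the module is actually loaded, not on the file copy alone, makes the play converge on every run. The destination name fedmsg.pp is also misleading for a module that calls itself copr_nrpe and would collide if a real fedmsg policy were ever dropped into the same directory; naming it after the module is a one-word change on the copy and command lines.

```yaml
# … unchanged: install nrpe checks, ensure directory, copy module …

- name: check whether our custom selinux module is loaded
  shell: semodule -l | grep -q '^copr_nrpe'
  register: selinux_module_loaded
  changed_when: false
  ignore_errors: yes

- name: install our custom selinux module
  command: semodule -i /usr/local/share/copr/fedmsg.pp
  when: selinux_module|changed or selinux_module_loaded|failed
```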