[copr] backend: add custom selinux policy for nrpe checks
parent
6a4e823ce3
commit
f64c4b1c44
6 changed files with 36 additions and 7 deletions
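--- a/roles/copr/backend/files/selinux/compile.sh
+++ b/roles/copr/backend/files/selinux/compile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+checkmodule -M -m -o nrpe_copr.mod nrpe_copr.te
+semodule_package -o nrpe_copr.pp -m nrpe_copr.mod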
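Review bot: compile.sh has no error handling, so if `checkmodule` fails the script still runs `semodule_package` against whatever `nrpe_copr.mod` is already in the directory and can produce a `.pp` that no longer matches `nrpe_copr.te`. Adding `set -e` directly after the shebang would stop the script at the first failing step. The commit also checks in the built `nrpe_copr.mod` and `nrpe_copr.pp`, so the policy loaded on hosts is a binary that cannot be reviewed in the diff. A header comment saying that both artifacts must be regenerated with this script whenever the `.te` changes would help keep the reviewed source and the deployed policy in step; building the module on the target would avoid the problem entirely.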
BIN
roles/copr/backend/files/selinux/nrpe_copr.mod
Normal file
BIN
roles/copr/backend/files/selinux/nrpe_copr.mod
Normal file
Binary file not shown.
BIN
roles/copr/backend/files/selinux/nrpe_copr.pp
Normal file
BIN
roles/copr/backend/files/selinux/nrpe_copr.pp
Normal file
Binary file not shown.
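--- a/roles/copr/backend/files/selinux/nrpe_copr.te
+++ b/roles/copr/backend/files/selinux/nrpe_copr.te
@@ -0,0 +1,11 @@
+
+module copr_nrpe 1.0;
+
+require {
+type redis_port_t;
+type nrpe_t;
+class tcp_socket name_connect;
+}
+
+#============= nrpe_t ==============
+allow nrpe_t redis_port_t:tcp_socket name_connect;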
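Review bot: The module is declared as `module copr_nrpe 1.0;` while the source and packaged files are named `nrpe_copr` and monitoring.yml installs the package as `fedmsg.pp`, so the name the module is loaded under will not match any file an auditor finds in the repository or on disk. Depending on the policy tool version, the mismatch may also produce a warning at install time. Using one name throughout, e.g. `module nrpe_copr 1.0;`, avoids that. The `allow` rule applies to every process running in the `nrpe_t` domain, not only the copr check, so a short comment above it naming the check that needs Redis access would let later reviewers judge whether the grant is still required.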
|
@ -121,7 +121,7 @@
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: copy signe.conf
|
- name: copy sign.conf
|
||||||
template: src=sign.conf dest=/etc/sign.conf owner=root group=copr mode=640
|
template: src=sign.conf dest=/etc/sign.conf owner=root group=copr mode=640
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
@ -142,9 +142,5 @@
|
||||||
- cron: name="kill VMs in error state" minute="*/15" job="/root/instant-instance-killer.sh"
|
- cron: name="kill VMs in error state" minute="*/15" job="/root/instant-instance-killer.sh"
|
||||||
when: not devel
|
when: not devel
|
||||||
|
|
||||||
- name: install nrpe checks
|
- name: setup monitoring
|
||||||
template: src=copr_backend_nrpe.cfg dest=/etc/nrpe.d/copr_backend_nrpe.cfg
|
include: "monitoring.yml"
|
||||||
notify:
|
|
||||||
- restart nrpe
|
|
||||||
tags:
|
|
||||||
- nagios_client
|
|
||||||
|
|
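--- a/roles/copr/backend/tasks/monitoring.yml
+++ b/roles/copr/backend/tasks/monitoring.yml
@@ -0,0 +1,18 @@
+- name: install nrpe checks
+template: src=copr_backend_nrpe.cfg dest=/etc/nrpe.d/copr_backend_nrpe.cfg
+notify:
+- restart nrpe
+tags:
+- nagios_client
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+copy: src=selinux/nrpe_copr.pp dest=/usr/local/share/copr/fedmsg.pp
+register: selinux_module
+
+- name: install our custom selinux module
+command: semodule -i /usr/local/share/copr/fedmsg.pp
+when: selinux_module|changed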
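Review bot: The install task runs only `when: selinux_module|changed`, so if `semodule -i` fails once, or the module is later removed by hand, the copied file is already up to date and later runs skip the install, leaving the host without the policy and with no visible failure. Consider keying the install on whether the module is actually loaded, for example a preceding `command: semodule -l` registered with `changed_when: false` and a `when:` that checks its stdout for the module name. The destination `dest=/usr/local/share/copr/fedmsg.pp` looks like a leftover from another role; `nrpe_copr.pp` would match the source file. The `file:` and `copy:` tasks set no `owner` or `mode`, so the permissions of the policy package depend on defaults; `owner=root group=root mode=0644` would make them explicit.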