Add selinux module for collectd.
parent
862c814690
commit
72f79922ae
4 changed files with 30 additions and 0 deletions
BIN
roles/collectd/base/files/selinux/fi-collectd.mod
Normal file
BIN
roles/collectd/base/files/selinux/fi-collectd.mod
Normal file
Binary file not shown.
BIN
roles/collectd/base/files/selinux/fi-collectd.pp
Normal file
BIN
roles/collectd/base/files/selinux/fi-collectd.pp
Normal file
Binary file not shown.
16
roles/collectd/base/files/selinux/fi-collectd.te
Normal file
16
roles/collectd/base/files/selinux/fi-collectd.te
Normal file
|
@ -0,0 +1,16 @@
|
|||
|
||||
module fi-collectd 1.0;
|
||||
|
||||
require {
|
||||
type configfs_t;
|
||||
type pstorefs_t;
|
||||
type collectd_t;
|
||||
class capability { dac_read_search sys_ptrace setgid dac_override };
|
||||
class file read;
|
||||
class dir getattr;
|
||||
}
|
||||
|
||||
#============= collectd_t ==============
|
||||
allow collectd_t configfs_t:dir getattr;
|
||||
allow collectd_t pstorefs_t:dir getattr;
|
||||
allow collectd_t self:capability { dac_read_search sys_ptrace setgid dac_override };
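Review bot: The rule `allow collectd_t self:capability { dac_read_search sys_ptrace setgid dac_override };` lets the collectd domain bypass file permission checks and ptrace other processes, which is far wider than the two `getattr` rules beside it and looks like unfiltered audit2allow output. Each capability should be traced to the collectd plugin whose denial prompted it and recorded in a comment above the rule; `dac_override` in particular is often better resolved by fixing file ownership, keeping only `dac_read_search` if read access is all that is needed. The `require` block also declares `class file read;`, which no rule in the module uses. The committed `fi-collectd.pp` and the intermediate `fi-collectd.mod` are binaries that cannot be checked against this `.te` in review, so compiling the package from the `.te` in CI or at deploy time would keep what is loaded identical to what was reviewed.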
|
|
@ -42,6 +42,20 @@
|
|||
- restart collectd
|
||||
when: collectd_apache is defined
|
||||
|
||||
|
||||
# Three tasks for handling our custom selinux module
|
||||
- name: ensure a directory exists for our custom selinux module
|
||||
file: dest=/usr/share/collectd state=directory
|
||||
|
||||
- name: copy over our custom selinux module
|
||||
copy: src=selinux/fi-collectd.pp dest=/usr/share/collectd/fi-collectd.pp
|
||||
register: selinux_module
|
||||
|
||||
- name: install our custom selinux module
|
||||
command: semodule -i /usr/share/collectd/fi-collectd.pp
|
||||
when: selinux_module|changed
|
||||
|
||||
|
||||
|
||||
# each of the below should move to a separate task list
|
||||
# since they are odd-balls and one-offs
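Review bot: The `install our custom selinux module` task is gated only on `selinux_module|changed`, so if `semodule -i` fails once, or the module is later removed on the host, subsequent runs see an unchanged file and never load the policy again. Checking the loaded modules first and installing when the copy changed or `fi-collectd` is missing makes the task self-healing, as sketched below. The `copy` task also leaves ownership and mode to defaults; because root loads this file into the system policy, `owner=root group=root mode=0644` should be set on it explicitly. The task list this hunk belongs to starts and ends outside the hunk.

```yaml
# … unchanged: directory and copy tasks …

- name: check whether our custom selinux module is loaded
  command: semodule -l
  register: selinux_loaded
  changed_when: false

- name: install our custom selinux module
  command: semodule -i /usr/share/collectd/fi-collectd.pp
  when: selinux_module|changed or 'fi-collectd' not in selinux_loaded.stdout
```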
|
||||
|
|