Separate fi-collectd into two separate selinux modules.

2014-11-05 16:04:43 +00:00 · 2014-11-05 16:04:43 +00:00 · d61307e30c
commit d61307e30c
parent beea6f8612
7 changed files with 36 additions and 6 deletions
--- a/roles/collectd/base/files/selinux/fi-collectd.mod
+++ b/roles/collectd/base/files/selinux/fi-collectd.mod
--- a/roles/collectd/base/files/selinux/fi-collectd.pp
+++ b/roles/collectd/base/files/selinux/fi-collectd.pp
--- a/roles/collectd/base/files/selinux/fi-collectd.te
+++ b/roles/collectd/base/files/selinux/fi-collectd.te
@ -1,5 +1,5 @@

-module fi-collectd 1.7;
+module fi-collectd 1.8;

 require {
    type shell_exec_t;
@ -7,7 +7,6 @@ require {
 	type bin_t;
 	type configfs_t;
 	type init_t;
-	type pstorefs_t;
 	type collectd_t;
 	class sock_file { read write getattr };
 	class unix_stream_socket connectto;
@ -20,7 +19,6 @@ require {
 allow collectd_t bin_t:file { execute execute_no_trans };
 allow collectd_t configfs_t:dir getattr;
 allow collectd_t init_t:unix_stream_socket connectto;
-allow collectd_t pstorefs_t:dir getattr;
 allow collectd_t self:capability { setuid dac_read_search sys_ptrace setgid dac_override };
 allow collectd_t var_run_t:sock_file { read write getattr };
 allow collectd_t shell_exec_t:file execute;
--- a/roles/collectd/base/files/selinux/fi-pstorefs.mod
+++ b/roles/collectd/base/files/selinux/fi-pstorefs.mod
--- a/roles/collectd/base/files/selinux/fi-pstorefs.pp
+++ b/roles/collectd/base/files/selinux/fi-pstorefs.pp
--- a/roles/collectd/base/files/selinux/fi-pstorefs.te
+++ b/roles/collectd/base/files/selinux/fi-pstorefs.te
@ -0,0 +1,11 @@
+
+module fi-pstorefs 1.0;
+
+require {
+	type pstorefs_t;
+	type collectd_t;
+	class dir getattr;
+}
+
+#============= collectd_t ==============
+allow collectd_t pstorefs_t:dir getattr;
--- a/roles/collectd/base/tasks/main.yml
+++ b/roles/collectd/base/tasks/main.yml
@ -57,13 +57,13 @@
  when: collectd_apache is defined


-# Three tasks for handling our custom selinux module
+# Three tasks for handling our (two) custom selinux modules.
 - name: ensure a directory exists for our custom selinux module
  file: dest=/usr/share/collectd state=directory
  tags:
  - collectd

- name: copy over our custom selinux module
+- name: copy over our general collectd selinux module
  copy: src=selinux/fi-collectd.pp dest=/usr/share/collectd/fi-collectd.pp
  register: selinux_module
  tags:
@ -76,12 +76,33 @@
  - collectd
  ignore_errors: True

- name: install our custom selinux module
+- name: install our general collectd selinux module
  command: semodule -i /usr/share/collectd/fi-collectd.pp
  when: selinux_module|changed or selinux_grep|failed
  tags:
  - collectd

+- name: copy over our pstorefs/collectd selinux module (rhel6 has no pstorefs)
+  copy: src=selinux/fi-pstorefs.pp dest=/usr/share/collectd/fi-pstorefs.pp
+  when: ansible_distribution_major_version != '6'
+  register: selinux_module
+  tags:
+  - collectd
+
+- name: check to see if its even installed yet
+  shell: semodule -l | grep fi-pstorefs
+  when: ansible_distribution_major_version != '6'
+  register: selinux_grep
+  tags:
+  - collectd
+  ignore_errors: True
+
+- name: install our pstorefs/collectd selinux module
+  command: semodule -i /usr/share/collectd/fi-pstorefs.pp
+  when: ansible_distribution_major_version != '6' selinux_module|changed or selinux_grep|failed
+  tags:
+  - collectd
+

  
 # each of the below should move to a separate task list