ansible: Build and install SELinux module

Signed-off-by: Zack Cerza <zack@redhat.com>

diff --git a/ansible/roles/ceph-collectd/files/cephmetrics.te b/ansible/roles/ceph-collectd/files/cephmetrics.te
new file mode 120000 (symlink)
index 0000000..4d66f82
--- /dev/null
+++ b/ansible/roles/ceph-collectd/files/cephmetrics.te
@@ -0,0 +1 @@
+../../../../selinux/cephmetrics.te
\ No newline at end of file

diff --git a/ansible/roles/ceph-collectd/tasks/install_packages.yml b/ansible/roles/ceph-collectd/tasks/install_packages.yml
index 889284d3def3fc7224da4f297ecabc36455cf618..f3cacf25f22cdb13286a5147c8c40eb759c819c1 100644 (file)
--- a/ansible/roles/ceph-collectd/tasks/install_packages.yml
+++ b/ansible/roles/ceph-collectd/tasks/install_packages.yml
@@ -37,6 +37,11 @@
     - python-rados
     # For the ceph_daemon python module
     - ceph-common
+    # For semodule
+    - make
+    - libsemanage-python
+    - policycoreutils-python
+    - selinux-policy-devel
   when:
     - ansible_pkg_mgr == "yum"
     - devel_mode

diff --git a/ansible/roles/ceph-collectd/tasks/main.yml b/ansible/roles/ceph-collectd/tasks/main.yml
index f7fd64e221a0dcae0a7dc3d54829eca643d7f970..6370516c35b2d77e289d9e69bc3d4cc30787f247 100644 (file)
--- a/ansible/roles/ceph-collectd/tasks/main.yml
+++ b/ansible/roles/ceph-collectd/tasks/main.yml
@@ -24,7 +24,10 @@
     - collectors
 
 - include: selinux.yml
-  when: not containerized_deployment
+  when:
+   - not containerized_deployment
+   - ansible_selinux.status is defined
+   - ansible_selinux.status == 'enabled'
   tags:
     - selinux
 

diff --git a/ansible/roles/ceph-collectd/tasks/selinux.yml b/ansible/roles/ceph-collectd/tasks/selinux.yml
index 753232c0ce766998ae24c73893b28b9706606202..d0937691c029bbeb303660f8f483ab1e5e87e94f 100644 (file)
--- a/ansible/roles/ceph-collectd/tasks/selinux.yml
+++ b/ansible/roles/ceph-collectd/tasks/selinux.yml
@@ -4,4 +4,7 @@
     name: collectd_tcp_network_connect
     state: yes
     persistent: yes
-  when: ansible_selinux.status is defined and ansible_selinux.status == 'enabled'
+
+- include: selinux_module.yml
+  when:
+    - devel_mode

diff --git a/ansible/roles/ceph-collectd/tasks/selinux_module.yml b/ansible/roles/ceph-collectd/tasks/selinux_module.yml
new file mode 100644 (file)
index 0000000..715250c
--- /dev/null
+++ b/ansible/roles/ceph-collectd/tasks/selinux_module.yml
@@ -0,0 +1,28 @@
+---
+- name: Remove SELinux policy package
+  command: semodule -r cephmetrics
+  failed_when: false
+
+- name: Remove any SELinux-related files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /tmp/cephmetrics.fc
+    - /tmp/cephmetrics.if
+    - /tmp/cephmetrics.pp
+    - /tmp/cephmetrics.te
+
+- name: Copy SELinux type enforcement file
+  copy:
+    src: cephmetrics.te
+    dest: /tmp/cephmetrics.te
+
+- name: Build SELinux policy package
+  command: make -f /usr/share/selinux/devel/Makefile cephmetrics.pp
+  args:
+    chdir: /tmp
+
+- name: Load SELinux policy package
+  command: semodule -i /tmp/cephmetrics.pp
+  notify: Restart collectd