From: Zack Cerza Date: Mon, 26 Jun 2017 21:04:56 +0000 (-0600) Subject: ansible: Build and install SELinux module X-Git-Tag: v1.0~57^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b9edb5e600a1f71cc6a0c2d693dc32e67fa17ca0;p=cephmetrics.git ansible: Build and install SELinux module Signed-off-by: Zack Cerza
---
diff --git a/ansible/roles/ceph-collectd/files/cephmetrics.te b/ansible/roles/ceph-collectd/files/cephmetrics.te
new file mode 120000
index 0000000..4d66f82
--- /dev/null
+++ b/ansible/roles/ceph-collectd/files/cephmetrics.te
@@ -0,0 +1 @@
+../../../../selinux/cephmetrics.te
\ No newline at end of file
diff --git a/ansible/roles/ceph-collectd/tasks/install_packages.yml b/ansible/roles/ceph-collectd/tasks/install_packages.yml
index 889284d..f3cacf2 100644
--- a/ansible/roles/ceph-collectd/tasks/install_packages.yml
+++ b/ansible/roles/ceph-collectd/tasks/install_packages.yml
@@ -37,6 +37,11 @@
 - python-rados
 # For the ceph_daemon python module
 - ceph-common
+ # For semodule
+ - make
+ - libsemanage-python
+ - policycoreutils-python
+ - selinux-policy-devel
 when:
 - ansible_pkg_mgr == "yum"
 - devel_mode
diff --git a/ansible/roles/ceph-collectd/tasks/main.yml b/ansible/roles/ceph-collectd/tasks/main.yml
index f7fd64e..6370516 100644
--- a/ansible/roles/ceph-collectd/tasks/main.yml
+++ b/ansible/roles/ceph-collectd/tasks/main.yml
@@ -24,7 +24,10 @@
 - collectors
 - include: selinux.yml
- when: not containerized_deployment
+ when:
+ - not containerized_deployment
+ - ansible_selinux.status is defined
+ - ansible_selinux.status == 'enabled'
 tags:
 - selinux
diff --git a/ansible/roles/ceph-collectd/tasks/selinux.yml b/ansible/roles/ceph-collectd/tasks/selinux.yml
index 753232c..d093769 100644
--- a/ansible/roles/ceph-collectd/tasks/selinux.yml
+++ b/ansible/roles/ceph-collectd/tasks/selinux.yml
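Review bot: The `# For semodule` comment in the install_packages.yml hunk does not match what the four packages are for, and it is the only explanation a reader gets for putting a build toolchain on the host. `make` and `selinux-policy-devel` are what the new `make -f /usr/share/selinux/devel/Makefile` task in selinux_module.yml needs, while `libsemanage-python` is a requirement of Ansible's `seboolean` module and `semodule` itself normally ships in `policycoreutils`. I would reword it to something like `# For building and loading the cephmetrics SELinux module (selinux_module.yml) and for seboolean`. The task these list items belong to starts above the hunk, so the module name and the rest of the list are not visible here.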
@@ -4,4 +4,7 @@
 name: collectd_tcp_network_connect
 state: yes
 persistent: yes
- when: ansible_selinux.status is defined and ansible_selinux.status == 'enabled'
+
+- include: selinux_module.yml
+ when:
+ - devel_mode
diff --git a/ansible/roles/ceph-collectd/tasks/selinux_module.yml b/ansible/roles/ceph-collectd/tasks/selinux_module.yml
new file mode 100644
index 0000000..715250c
--- /dev/null
+++ b/ansible/roles/ceph-collectd/tasks/selinux_module.yml
@@ -0,0 +1,28 @@
+---
+- name: Remove SELinux policy package
+ command: semodule -r cephmetrics
+ failed_when: false
+
+- name: Remove any SELinux-related files
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /tmp/cephmetrics.fc
+ - /tmp/cephmetrics.if
+ - /tmp/cephmetrics.pp
+ - /tmp/cephmetrics.te
+
+- name: Copy SELinux type enforcement file
+ copy:
+ src: cephmetrics.te
+ dest: /tmp/cephmetrics.te
+
+- name: Build SELinux policy package
+ command: make -f /usr/share/selinux/devel/Makefile cephmetrics.pp
+ args:
+ chdir: /tmp
+
+- name: Load SELinux policy package
+ command: semodule -i /tmp/cephmetrics.pp
+ notify: Restart collectd
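Review bot: The new `- include: selinux_module.yml` in selinux.yml is gated only on `devel_mode`, but the packages its tasks depend on (`make`, `selinux-policy-devel`) are installed in install_packages.yml only when `ansible_pkg_mgr == "yum"` holds as well. On a host where SELinux is enabled but the package manager is not yum, the build task would presumably run without `/usr/share/selinux/devel/Makefile` and fail the play. Adding `- ansible_pkg_mgr == "yum"` to this `when:` list keeps the two conditions aligned, and a one-line comment above the include saying why the module is only built in devel mode would help the next reader. The seboolean task this hunk edits starts above the hunk.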
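Review bot: Every task in selinux_module.yml works on fixed file names directly under `/tmp` (`/tmp/cephmetrics.te`, `/tmp/cephmetrics.pp`), and the last one installs `/tmp/cephmetrics.pp` into the system policy with `semodule -i`. `/tmp` is writable by every local account, so the inputs to a privileged policy load sit in a shared directory under predictable names between the copy, build and load steps; a directory created for this run and accessible only to its owner removes that exposure and makes the "Remove any SELinux-related files" task unnecessary. Separately, `semodule -r cephmetrics` with `failed_when: false` hides every failure, not just "module not installed", and because the module is removed and reinstalled on each run the play always reports a change and restarts collectd, with a window in which the policy is not loaded. The sketch below uses Ansible's `tempfile` module (available from 2.3; confirm against the Ansible version this role targets).

```yaml
# … unchanged: Remove SELinux policy package …

- name: Create a private build directory for the policy module
  tempfile:
    state: directory
    prefix: cephmetrics-selinux.
  register: selinux_build_dir

- name: Copy SELinux type enforcement file
  copy:
    src: cephmetrics.te
    dest: "{{ selinux_build_dir.path }}/cephmetrics.te"

- name: Build SELinux policy package
  command: make -f /usr/share/selinux/devel/Makefile cephmetrics.pp
  args:
    chdir: "{{ selinux_build_dir.path }}"

- name: Load SELinux policy package
  command: semodule -i "{{ selinux_build_dir.path }}/cephmetrics.pp"
  notify: Restart collectd

- name: Remove the build directory
  file:
    path: "{{ selinux_build_dir.path }}"
    state: absent
```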