From: David Galloway
Date: Wed, 16 Mar 2016 17:06:45 +0000 (-0400)
Subject: testnodes: configure selinux for nagios monitoring
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=dc1c2afb21b449f72aa0c8fb0bdf16a9bbf6873a;p=ceph-cm-ansible.git
testnodes: configure selinux for nagios monitoring
Signed-off-by: David Galloway
---
diff --git a/roles/testnode/files/nagios/nrpe.te b/roles/testnode/files/nagios/nrpe.te
new file mode 100644
index 0000000..c7bc886
--- /dev/null
+++ b/roles/testnode/files/nagios/nrpe.te
@@ -0,0 +1,12 @@
+module nrpe 1.0;
+
+require {
+ type fsadm_exec_t;
+ type nrpe_t;
+ type hwdata_t;
+ class file { read getattr open };
+}
+
+#============= nrpe_t ==============
+allow nrpe_t fsadm_exec_t:file getattr;
+allow nrpe_t hwdata_t:file { read getattr open };
diff --git a/roles/testnode/tasks/main.yml b/roles/testnode/tasks/main.yml
index e06aba5..49f04c1 100644
--- a/roles/testnode/tasks/main.yml
+++ b/roles/testnode/tasks/main.yml
@@ -72,6 +72,12 @@
 tags:
 - nagios

+# configure selinux for nagios
+- include: nrpe-selinux.yml
+ when: ansible_pkg_mgr == "yum"
+ tags:
+ - nagios
+
 # configure ntp
 - include: ntp.yml
 tags:
diff --git a/roles/testnode/tasks/nrpe-selinux.yml b/roles/testnode/tasks/nrpe-selinux.yml
new file mode 100644
index 0000000..2fd781a
--- /dev/null
+++ b/roles/testnode/tasks/nrpe-selinux.yml
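Review bot: The two `allow` rules for `nrpe_t` in nrpe.te carry no comment saying which NRPE check needs them, so a later reader cannot tell whether a grant is still required or can be dropped. The `#=============` banner looks like audit2allow output, which suggests the rules were generated from logged denials rather than written by hand. Above each rule add a line such as `# <check name>: getattr on fsadm binaries, from AVC denial`, where the placeholder stands for a detail the commit does not give. Both grants are read-only and limited to the `file` class, which is the scope to keep if more rules are added.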
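Review bot: `when: ansible_pkg_mgr == "yum"` on the new include in main.yml selects hosts by package manager, not by whether SELinux is enabled, so a yum host with SELinux disabled would still reach the `seboolean` and `semodule` tasks and probably fail there. Consider testing the SELinux fact as well, for example `when: ansible_pkg_mgr == "yum" and ansible_selinux and ansible_selinux.status == "enabled"`, provided that fact is populated when facts are gathered on these nodes. The reverse also holds: a non-yum host that enforces SELinux gets no policy, which may be intended but deserves a comment next to the include.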
@@ -0,0 +1,39 @@
+---
+- name: nrpe - Install semanage python bindings
+ yum:
+ pkg: libsemanage-python
+ state: installed
+
+- name: nrpe - Install SELinux tools
+ yum:
+ pkg: policycoreutils-python
+ state: installed
+
+- name: nrpe - Set SELinux boolean nagios_run_sudo true
+ seboolean:
+ name: nagios_run_sudo
+ state: yes
+ persistent: yes
+
+- name: nrpe - Remove SELinux policy package
+ command: semodule -r nrpe
+ failed_when: false
+
+- name: nrpe - Copy SELinux type enforcement file
+ copy:
+ src: nagios/nrpe.te
+ dest: /tmp/nrpe.te
+
+- name: nrpe - Compile SELinux module file
+ command: checkmodule -M -m -o /tmp/nrpe.mod /tmp/nrpe.te
+
+- name: nrpe - Build SELinux policy package
+ command: semodule_package -o /tmp/nrpe.pp -m /tmp/nrpe.mod
+
+- name: nrpe - Load SELinux policy package
+ command: semodule -i /tmp/nrpe.pp
+
+- name: nrpe - Remove temporary files
+ file:
+ path: /tmp/nrpe.*
+ state: absent
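Review bot: The policy source, the compiled module and the package that root loads with `semodule -i` all sit at fixed names in world-writable `/tmp`, so a local account that owns or replaces one of those files between tasks controls what policy gets loaded. Build in a directory only root can write instead. The last task does not clean up either, because the `file` module does not expand globs: `path: /tmp/nrpe.*` matches nothing and the three files stay behind, which removing a build directory also fixes. Separately, `failed_when: false` on `semodule -r nrpe` hides every failure, not only "module not installed", and unloading before the rebuild leaves the host without the module if a later step fails. The directory name below is a constructed example.

```yaml
# … unchanged: package installs, seboolean, semodule -r …

- name: nrpe - Create root-only build directory
  file:
    path: /root/nrpe-selinux  # constructed example path
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: nrpe - Copy SELinux type enforcement file
  copy:
    src: nagios/nrpe.te
    dest: /root/nrpe-selinux/nrpe.te

- name: nrpe - Compile SELinux module file
  command: checkmodule -M -m -o /root/nrpe-selinux/nrpe.mod /root/nrpe-selinux/nrpe.te

- name: nrpe - Build SELinux policy package
  command: semodule_package -o /root/nrpe-selinux/nrpe.pp -m /root/nrpe-selinux/nrpe.mod

- name: nrpe - Load SELinux policy package
  command: semodule -i /root/nrpe-selinux/nrpe.pp

- name: nrpe - Remove build directory
  file:
    path: /root/nrpe-selinux
    state: absent
```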