Extract of Icinga 2 SELinux management with Puppet (classic UI CGI under httpd).
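# SELinux handling for the Icinga 2 classic UI (CGI programs run by httpd).
#
# Assumed to be present on the node but not declared here: `semanage`
# (policycoreutils-python on EL6/EL7) and the reference-policy devel Makefile
# at /usr/share/selinux/devel/Makefile (selinux-policy-devel).
#
# Package order matters: the classic-UI config package must be installed
# before icinga-gui (translated from the original French comment).
package { 'icinga2-classicui-config':
  ensure => installed,
} ->
package { 'icinga-gui':
  ensure => installed,
}

# Label the Icinga CGI binaries like /var/www/cgi-bin so httpd may execute
# them. `chcon` is NOT persistent: a relabel (`restorecon -R`, `fixfiles`,
# /.autorelabel) reverts it. A `semanage fcontext` rule for
# /usr/lib64/icinga/cgi(/.*)? would make it survive relabels - TODO confirm
# the exec type on the target policy before adding one.
exec { 'selinux management for icinga gui cgi':
  command     => '/usr/bin/chcon --reference=/var/www/cgi-bin -R /usr/lib64/icinga/cgi/',
  subscribe   => Package['icinga2-classicui-config', 'icinga-gui'],
  refreshonly => true,
}

# httpd_can_network_connect lets httpd open ANY outbound TCP connection.
# If the only remote target is the database (the policy module below also
# allows postgresql_port_t), the narrower httpd_can_network_connect_db
# boolean is the better choice - review before widening this further.
exec { 'selinux httpd_can_network_connect':
  command     => '/usr/sbin/setsebool -P httpd_can_network_connect 1',
  subscribe   => Package['icinga2-classicui-config', 'icinga-gui'],
  refreshonly => true,
}

# `semanage fcontext -a` only records the rule in the policy store; it does
# not change the label on disk. The two execs below therefore notify a
# restorecon exec, and are guarded with `unless` because `-a` fails with
# "already defined" when the packages are refreshed (upgraded) a second time.
exec { 'selinux /var/cache/icinga2/status.dat':
  command     => '/usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t /var/cache/icinga2/status.dat',
  unless      => '/usr/sbin/semanage fcontext -l -C | /bin/grep -Eq "^/var/cache/icinga2/status\.dat[[:space:]]"',
  subscribe   => Package['icinga2-classicui-config', 'icinga-gui'],
  require     => Exec['selinux httpd_can_network_connect'],
  refreshonly => true,
  notify      => Exec['selinux restorecon icinga2 cache'],
}

exec { 'selinux /var/cache/icinga2/objects.cache':
  command     => '/usr/sbin/semanage fcontext -a -t httpd_sys_rw_content_t /var/cache/icinga2/objects.cache',
  unless      => '/usr/sbin/semanage fcontext -l -C | /bin/grep -Eq "^/var/cache/icinga2/objects\.cache[[:space:]]"',
  subscribe   => Package['icinga2-classicui-config', 'icinga-gui'],
  refreshonly => true,
  notify      => Exec['selinux restorecon icinga2 cache'],
}

# Apply the recorded file contexts to the files that exist (-i: silently skip
# files that are not there yet, e.g. before the first Icinga 2 start).
exec { 'selinux restorecon icinga2 cache':
  command     => '/sbin/restorecon -i -v /var/cache/icinga2/status.dat /var/cache/icinga2/objects.cache',
  refreshonly => true,
}

# Policy module sources are kept in a root-owned directory instead of /tmp.
# /tmp is world-writable: any local user could replace the .te or .pp between
# the compile step and `semodule -i`, and root would load attacker-chosen
# policy. The directory is also what the compile exec uses as its cwd.
file { '/etc/selinux/local':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0750',
}

# Local policy module. The module name is `icinga2` so that it matches the
# .te/.pp basename regardless of whether semodule derives the installed name
# from the file name or from the module declaration (this differs between
# libsemanage versions).
#
# NOTE(review): the allow rules look like raw audit2allow output and are
# broader than the CGI needs - review before deploying widely:
#   * httpd_sys_script_t / ping_t writing generic var_t files: prefer
#     labelling the specific files (status.dat, objects.cache, command pipe)
#     as done above instead of allowing writes to any var_t file.
#   * httpd_t name_connect to reserved_port_t: that is every port < 1024.
#   * load_policy_t writing user_tmp_t files: most likely an artifact of
#     building the module under /tmp; it should become unnecessary now that
#     the sources live in /etc/selinux/local.
file { '/etc/selinux/local/icinga2.te':
  ensure  => present,
  owner   => 'root',
  group   => 'root',
  mode    => '0640',
  require => File['/etc/selinux/local'],
  content => "module icinga2 1.0;
require {
  type var_run_t;
  type var_log_t;
  type var_t;
  type httpd_t;
  type ping_t;
  type postgresql_port_t;
  type reserved_port_t;
  type httpd_sys_script_t;
  type load_policy_t;
  type user_tmp_t;
  class fifo_file {open getattr write};
  class tcp_socket {name_connect};
  class file {open read getattr write};
  class dir {read};
}
#============= httpd_t ==============
allow httpd_t var_run_t:fifo_file {open getattr write};
allow ping_t var_t:file {open getattr write};
allow httpd_sys_script_t var_t:file {open read getattr write};
allow httpd_sys_script_t var_log_t:dir read;
allow httpd_sys_script_t var_t:file read;
allow httpd_t postgresql_port_t:tcp_socket name_connect;
allow httpd_t reserved_port_t:tcp_socket name_connect;
allow load_policy_t user_tmp_t:file write;
",
  subscribe => Package['icinga2-classicui-config', 'icinga-gui'],
}

# Build icinga2.pp from icinga2.te with the reference-policy devel Makefile;
# intermediate files (.mod, .fc) land in cwd.
exec { 'selinux compile policy icinga2':
  command     => '/usr/bin/make -f /usr/share/selinux/devel/Makefile icinga2.pp',
  cwd         => '/etc/selinux/local',
  subscribe   => File['/etc/selinux/local/icinga2.te'],
  refreshonly => true,
}

# Load the compiled module into the running policy store (persists across
# reboots).
exec { 'selinux apply policy icinga2':
  command     => '/usr/sbin/semodule -i /etc/selinux/local/icinga2.pp',
  subscribe   => Exec['selinux compile policy icinga2'],
  refreshonly => true,
}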
Could be improved (original comment: "perfectible").