Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for templated SE Linux agent module #452

Merged
merged 6 commits into from
Oct 23, 2017
Merged

Add support for templated SE Linux agent module #452

merged 6 commits into from
Oct 23, 2017

Conversation

tux-o-matic
Copy link
Contributor

@tux-o-matic tux-o-matic commented Sep 26, 2017
edited
Loading

Fix #441
The current static files used as source for the SE Linux module is too narrow.
With this PR, custom types, classes and rules can be defined for custom SE Linux rules.
For example:

zabbix::agent::selinux_require:
  - 'type zabbix_agent_t'
  - 'class process setrlimit'
zabbix::agent::selinux_rules:
  zabbix_agent_t:
    - 'allow zabbix_agent_t self:process setrlimit'
  zabbix_script_t:
    - 'allow zabbix_script_t zabbix_agent_t:process sigchld'

@tux-o-matic tux-o-matic changed the title Add support for templated SE Linux agent module (Fix #441) Add support for templated SE Linux agent module Sep 26, 2017
bastelfreak
bastelfreak reviewed Sep 26, 2017
View reviewed changes
manifests/agent.pp Outdated
@@ -415,7 +417,7 @@
if $facts['selinux'] == true and $manage_selinux {
selinux::module{'zabbix-agent':
ensure => 'present',
source_te => 'puppet:///modules/zabbix/zabbix-agent.te',
content_te => template('zabbix/selinux/zabbix-agent.te.erb'),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you switch this to an epp template instead of erb?

@bastelfreak
Copy link
Member

Hi @tux-o-matic, thanks for this PR!

  • Can you take a look at the failing spec tests?
  • Can you add the example for you comment to our README.md?

bastelfreak
bastelfreak reviewed Sep 27, 2017
View reviewed changes
README.md

### SE Linux
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a newline after the heading

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can recommend https://dlaa.me/markdownlint/ as a linter

Copy link
Contributor Author

@tux-o-matic tux-o-matic Sep 27, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The README is full of it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep. github changed their parser in the past, so now we try to enforce their rules for new changes.

bastelfreak
bastelfreak reviewed Sep 27, 2017
View reviewed changes
README.md Outdated
On systems with SE Linux active and enforcing, Zabbix agent will be limited unless given proper rights with an SE Linux module.
This Puppet module will apply some default SE Linux rules for it.
More can be provided if needed by using two class parameters, for example in Hiera YAML:
```yaml
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a newline before the codeblock

@tux-o-matic
Copy link
Contributor Author

There was a failed job in Travis CI due to some internal container or network issue with Travis.

@bastelfreak
Copy link
Member

acceptance tests on centos7 fail. unable to fetch the zabbix-server package. I will take a look later

@juniorsysadmin
Copy link
Member

Consider adding a parameter for the selinux rules template path, defaulting to selinux/zabbix-agent.te.erb as well.

@tux-o-matic
Copy link
Contributor Author

@juniorsysadmin the agent rules are now a template and the default vales (in params.pp) are the same as the old static files.
And Travis is failing, not the tests.

juniorsysadmin
juniorsysadmin reviewed Sep 29, 2017
View reviewed changes
manifests/agent.pp
source_te => 'puppet:///modules/zabbix/zabbix-agent.te',
before => Service['zabbix-agent'],
ensure => 'present',
content_te => template('zabbix/selinux/zabbix-agent.te.erb'),
Copy link
Member

@juniorsysadmin juniorsysadmin Sep 29, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tux-o-matic What I meant is that zabbix/selinux/zabbix-agent.te.erb should also be the default value of a new parameter named say $selinux_content_te , so if a user doesn't want to use the selinux template included with this module, they can use their own as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The template is an empty shell, everything is doable via the new class parameters. This PR only adds flexibility.

@bastelfreak
Copy link
Member

@tux-o-matic can you please rebase against our latest master?

@bastelfreak bastelfreak added enhancement New feature or request needs-rebase labels Oct 21, 2017
@tux-o-matic
Copy link
Contributor Author

@bastelfreak rebased and green CI.

@bastelfreak
Copy link
Member

It looks like you didn't rebase, but merged master into this branch, but that is okay as well.

@bastelfreak bastelfreak merged commit e0eccd5 into voxpupuli:master Oct 23, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bastelfreak bastelfreak bastelfreak left review comments

@juniorsysadmin juniorsysadmin juniorsysadmin approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tux-o-matic @bastelfreak @juniorsysadmin