voxpupuli · bastelfreak · Oct 23, 2017 · Sep 26, 2017 · Sep 27, 2017 · Sep 27, 2017
diff --git a/README.md b/README.md
@@ -597,8 +597,23 @@ Many thanks for this!
 ### Standard usage
 *	Not specified as required but for working correctly, the epel repository should be available for the 'fping'|'fping6' packages.
 *	Make sure you have sudo installed and configured with: !requiretty.
-*   Make sure that selinux is permissive or disabled.
 
+### SE Linux
+
+On systems with SE Linux active and enforcing, Zabbix agent will be limited unless given proper rights with an SE Linux module.
+This Puppet module will apply some default SE Linux rules for it.
+More can be provided if needed by using two class parameters, for example in Hiera YAML:
+
+```yaml
+zabbix::agent::selinux_require:
+  - 'type zabbix_agent_t'
+  - 'class process setrlimit'
+zabbix::agent::selinux_rules:
+  zabbix_agent_t:
+    - 'allow zabbix_agent_t self:process setrlimit'
+  zabbix_script_t:
+    - 'allow zabbix_script_t zabbix_agent_t:process sigchld'
+```
 
 ### When using exported resources
 

diff --git a/files/zabbix-agent.te b/files/zabbix-agent.te
diff --git a/manifests/agent.pp b/manifests/agent.pp
@@ -258,6 +258,8 @@
   String $agent_config_owner              = $zabbix::params::agent_config_owner,
   String $agent_config_group              = $zabbix::params::agent_config_group,
   Boolean $manage_selinux                 = $zabbix::params::manage_selinux,
+  Array[String] $selinux_require          = $zabbix::params::selinux_require,
+  Hash[String, Array] $selinux_rules      = $zabbix::params::selinux_rules,
   String $additional_service_params       = $zabbix::params::additional_service_params,
   String $service_type                    = $zabbix::params::service_type,
 ) inherits zabbix::params {
@@ -414,9 +416,9 @@
   # https://support.zabbix.com/browse/ZBX-11631
   if $facts['selinux'] == true and $manage_selinux {
     selinux::module{'zabbix-agent':
-      ensure    => 'present',
-      source_te => 'puppet:///modules/zabbix/zabbix-agent.te',
-      before    => Service['zabbix-agent'],
+      ensure     => 'present',
+      content_te => template('zabbix/selinux/zabbix-agent.te.erb'),
+      before     => Service['zabbix-agent'],
     }
   }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -335,7 +335,11 @@
   $javagateway_pidfile                      = '/var/run/zabbix/zabbix_java.pid'
   $javagateway_startpollers                 = '5'
   $javagateway_timeout                      = '3'
+
+  # SE Linux specific params
   $manage_selinux                           = $facts['selinux']
+  $selinux_require                          = ['type zabbix_agent_t', 'class process setrlimit', 'class unix_dgram_socket create']
+  $selinux_rules                            = { 'zabbix_agent_t' => ['allow zabbix_agent_t self:process setrlimit', 'allow zabbix_agent_t self:unix_dgram_socket create']}
 
   # services should run foreground and as simple type
   # but this only works in 3.0 and newer

diff --git a/templates/selinux/zabbix-agent.te.erb b/templates/selinux/zabbix-agent.te.erb
@@ -0,0 +1,15 @@
+module zabbix-agent 1.0;
+
+require {
+  <% @selinux_require.each do |sel_require| -%>
+  <%= sel_require %>;
+  <% end -%>
+}
+
+<% @selinux_rules.keys.each do |key| -%>
+#============= <%= key  %> ==============
+<% @selinux_rules[key].each do |rule| -%>
+<%= rule  %>;
+<% end -%>
+
+<% end -%>