From 427484aeef62ad05b97c43b9cd0f80a78fc8cfe4 Mon Sep 17 00:00:00 2001
From: Aurélien Bompard
Date: Aug 02 2019 09:04:57 +0000
Subject: Create, build and load a custom SELinux module for NRPE & RabbitMQ
Signed-off-by: Aurélien Bompard
---
diff --git a/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te b/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
new file mode 100644
index 0000000..7da96ac
--- /dev/null
+++ b/roles/rabbitmq_cluster/files/nrpe_rabbitmq.te
@@ -0,0 +1,11 @@
+module nrpe_rabbitmq 1.0;
+
+require {
+ type amqp_port_t;
+ type nrpe_t;
+ class tcp_socket name_connect;
+}
+
+#============= nrpe_t ==============
+# let nagios plugin connect to rabbitmq management interface
+allow nrpe_t amqp_port_t:tcp_socket name_connect;
\ No newline at end of file
diff --git a/roles/rabbitmq_cluster/files/selinux-load.sh b/roles/rabbitmq_cluster/files/selinux-load.sh
new file mode 100644
index 0000000..e126f23
--- /dev/null
+++ b/roles/rabbitmq_cluster/files/selinux-load.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+set -x
+
+checkmodule -M -m -o /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.te
+semodule_package -o /etc/nagios/nrpe_rabbitmq.pp -m /etc/nagios/nrpe_rabbitmq.mod
+semodule -i /etc/nagios/nrpe_rabbitmq.pp
+rm /etc/nagios/nrpe_rabbitmq.mod /etc/nagios/nrpe_rabbitmq.pp
\ No newline at end of file
diff --git a/roles/rabbitmq_cluster/tasks/main.yml b/roles/rabbitmq_cluster/tasks/main.yml
index 54e0a84..09ca4b7 100644
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@@ -275,7 +275,7 @@
 tags:
 - rabbitmq_cluster
 - config
-
+
 - name: Configure a policy to ensure the public vhost stays swept up and tidy
 run_once: true
 delegate_to: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
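Review bot: The `allow nrpe_t amqp_port_t:tcp_socket name_connect;` rule is wider than its comment says: `amqp_port_t` is the label for every AMQP-related port on the host, so this lets nrpe_t connect to the broker's AMQP listeners as well as the management interface (on Fedora/RHEL policy I believe it covers 5671-5672 and 15672, but confirm with `semanage port -l | grep amqp` on a target host). That is still the narrowest stock port type available for this, so the grant is acceptable, but the comment should state the real scope so nobody reads it as management-only: `# NOTE: amqp_port_t also labels the AMQP broker ports, not only the management port; it is the narrowest stock type available`. The file also lacks a trailing newline.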
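Review bot: The cleanup `rm` on the last line only runs when every earlier command succeeds, because `set -e` aborts the script before reaching it on any failure, so a failing `checkmodule`, `semodule_package` or `semodule -i` leaves `nrpe_rabbitmq.mod`/`.pp` behind in `/etc/nagios`; build intermediates do not belong next to config files anyway. Building in a `mktemp -d` directory with an EXIT `trap` removes them on every path and keeps `/etc/nagios` to the `.te` source and the script. `semodule -i` requires root and nothing in this commit uses `become`, so the role presumably already runs as root; a header comment such as `# must run as root: semodule -i modifies the loaded policy` would make that explicit.
```shell
# … unchanged: shebang, set -e / set -x …

# build in a scratch directory that is removed on success and failure alike
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

checkmodule -M -m -o "$workdir/nrpe_rabbitmq.mod" /etc/nagios/nrpe_rabbitmq.te
semodule_package -o "$workdir/nrpe_rabbitmq.pp" -m "$workdir/nrpe_rabbitmq.mod"
semodule -i "$workdir/nrpe_rabbitmq.pp"
```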
@@ -395,6 +395,24 @@
 federation-upstream: "pubsub-to-public_pubsub"
 vhost: /public_pubsub
+# SELinux: allow the Nagios NRPE plugin to access the management interface
+- name: install the selinux module compilation script
+ copy:
+ src: selinux-load.sh
+ dest: /etc/nagios/selinux-load.sh
+ mode: 0755
+
+- name: copy over our custom selinux module
+ copy:
+ src: nrpe_rabbitmq.te
+ dest: /etc/nagios/nrpe_rabbitmq.te
+ register: selinux_module
+
+- name: compile and install our custom selinux module
+ command: /etc/nagios/selinux-load.sh
+ when: selinux_module is changed
+
+# Individual applications accounts & queues
 - import_tasks: apps.yml
 tags:
 - rabbitmq_cluster
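Review bot: `when: selinux_module is changed` on the compile task ties the policy load to a content change in the `.te` file only, so if `selinux-load.sh` fails on the first run (for example because `checkmodule` is not installed on the host) or the module is later removed with `semodule -r`, no subsequent run repairs it because the copy task reports unchanged; a change to `selinux-load.sh` itself does not trigger a rebuild either. Checking `semodule -l` for the module name and running the script when it is absent makes the task converge on the actual host state rather than on the last copy result. The three new tasks also carry no `tags:`, unlike the surrounding tasks tagged `rabbitmq_cluster`/`config`, so a run limited to those tags skips the SELinux setup.
```yaml
- name: check whether our custom selinux module is loaded
  command: semodule -l
  register: selinux_modules
  changed_when: false
  check_mode: false

- name: compile and install our custom selinux module
  command: /etc/nagios/selinux-load.sh
  when: selinux_module is changed or 'nrpe_rabbitmq' not in selinux_modules.stdout
```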