Merge pull request #768 from ceph/wip-useradd-selinux

Creating a selinux module to resolve selinux conflicts with grafana agent

Author: djgalloway

roles/grafana_agent/defaults/main.yml

@@ -9,3 +9,8 @@ grafana_rpm_repo_key_url: "https://rpm.grafana.com/gpg.key"
 
 scrape_interval_global: "60s"
 scrape_interval_node: "30s"
+
+# Selinux packages
+useradd_selinux_packages:
+  - policycoreutils
+  - checkpolicy

roles/grafana_agent/files/grafana/customuseradd.te

@@ -0,0 +1,12 @@
+module customuseradd 1.0;
+
+require {
+	type useradd_t;
+  type var_lib_t;
+	class file { execute read create write getattr setattr
+open };
+}
+
+#============= useradd_t ==============
+
+allow useradd_t var_lib_t:file { write create open setattr getattr };

roles/grafana_agent/tasks/main.yml

@@ -8,6 +8,10 @@
 - name: Gather facts on listening ports
   community.general.listen_ports_facts:
 
+# Resolving selinux conflicts
+- import_tasks: useradd-selinux.yml
+  when: ansible_os_family == "RedHat"
+
 - name: Check if prometheus is listening on port 9090
   ansible.builtin.debug:
     msg: The {{ item.name }} service - pid {{ item.pid }} is running on same port as grafana-agent please set {{ item.name }} to listen on a diffrent port than {{ item.port }}

roles/grafana_agent/tasks/useradd-selinux.yml

@@ -0,0 +1,38 @@
+---
+- name: useradd - Install SELinux dependencies
+  package:
+    name: "{{ useradd_selinux_packages|list }}"
+    state: present
+
+# ignore_errors in case we don't have any repos
+- name: useradd - Ensure SELinux policy is up to date
+  package:
+    name: selinux-policy-targeted
+    state: latest
+  ignore_errors: true
+
+- name: useradd - Copy SELinux type enforcement file
+  copy:
+    src: grafana/customuseradd.te
+    dest: /tmp/customuseradd.te
+
+- name: useradd - Compile SELinux module file
+  command: checkmodule -M -m -o /tmp/customuseradd.mod /tmp/customuseradd.te
+
+- name: useradd - Build SELinux policy package
+  command: semodule_package -o /tmp/customuseradd.pp -m /tmp/customuseradd.mod
+
+- name: useradd - Load SELinux policy package
+  command: semodule -i /tmp/customuseradd.pp
+
+- name: useradd - Remove temporary files
+  file:
+    path: /tmp/customuseradd.*
+    state: absent
+
+- name: Verify SELinux module is installed
+  command: semodule -l
+  register: semodule_list
+  changed_when: false
+  failed_when: "'customuseradd' not in semodule_list.stdout"
+

testnodes.yml

@@ -4,4 +4,5 @@
   roles:
     - common
     - testnode
+    - grafana_agent
   become: true