trying to work my way again through selinux

2017-07-20 17:12:18 +01:00
parent 508e672c31
commit 0f4d8b1a85
3 changed files with 17 additions and 11 deletions
--- a/manifests/selinux/config.pp
+++ b/manifests/selinux/config.pp
@@ -27,11 +27,22 @@ class cd_nagios::selinux::config (

  if $ng_use_selinux_tools == true {

-    # sealert tac-cgi
+  # it appears that selinux hehaves differently accross different nodes,
+  # so all we can do for now is to create a list of the AVC alerts and come up
+  # with a solution on that later.
+
+    exec { 'create_avc_list':
+      command     =>  'sealert -a /var/log/audit/audit.log > avc_alerts',
+      cwd         =>  $ng_user_home,
+      path        =>  ['/usr/bin'],
+      creates     ->  'avc_alerts',
+    }
+
+   # sealert tac-cgi
    exec { 'create_policy_taccgi':
      command     =>  template($ng_taccgi_erb),
      path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
      creates     =>  '/tmp/my-taccgi.pp',
      notify      =>  Exec['semodule_taccgi'],
    }
@@ -39,7 +50,7 @@ class cd_nagios::selinux::config (
    exec { 'semodule_taccgi':
      command     =>  'semodule -i my-taccgi.pp',
      path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
      require     =>  Exec['create_policy_taccgi'],
      refreshonly => true,
    }
@@ -49,7 +60,7 @@ class cd_nagios::selinux::config (
    exec { 'create_policy_statuscgi':
      command     =>  template($ng_statcgi_erb),
      path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
      creates     =>  '/tmp/my-statuscgi.pp',
      notify      =>  Exec['semodule_taccgi'],
    }
@@ -57,9 +68,10 @@ class cd_nagios::selinux::config (
    exec { 'semodule_statuscgi':
      command     =>  'semodule -i my-statuscgi.pp',
      path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
      require     =>  Exec['create_policy_statuscgi'],
      refreshonly => true,
    }
+
  }
 }
--- a/manifests/server/access_rules.pp
+++ b/manifests/server/access_rules.pp
@@ -45,11 +45,5 @@ class cd_nagios::server::access_rules (
      seluser   =>  system_u,
      notify    =>  Service[$ng_service],
    }
-
-    concat::fragment { 'create_header':
-      target    =>  $ng_htpasswd_file,
-      content   =>  template($ng_htpasswd_head),
-      notify    =>  Service[$ng_service],
-    }
  }
 }
--- a/templates/nagios/htpasswd_head.erb
+++ b/templates/nagios/htpasswd_head.erb