ansible-collections · tux-repos · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 9, 2024
diff --git a/roles/zabbix_server/defaults/main.yml b/roles/zabbix_server/defaults/main.yml
@@ -33,7 +33,7 @@ selinux_allow_zabbix_can_http: false
 
 #Misc.
 zabbix_server_include_mode: "0755"
-zabbix_server_config: /etc/zabbix/zabbix_server.conf
+zabbix_server_config: {{ zabbix_server_config_dir }}/zabbix_server.conf
 zabbix_service_state: started
 
 # Yum/APT  Variables
@@ -56,7 +56,8 @@ zabbix_server_historyindexcachesize: 4M
 zabbix_server_historystoragedateindex: false
 zabbix_server_historystoragetypes: uint,dbl,str,log,text
 zabbix_server_housekeepingfrequency: 1
-zabbix_server_include_dir: /etc/zabbix/zabbix_server.conf.d
+zabbix_server_include_dir: {{ zabbix_server_config_dir }}/zabbix_server.conf.d
+zabbix_server_config_dir: /etc/zabbix
 zabbix_server_include: "{{ zabbix_server_include_dir + '/*.conf' }}"
 zabbix_server_javagatewayport: 10052
 zabbix_server_listenip: 0.0.0.0

diff --git a/roles/zabbix_server/files/install_semodule.bsx b/roles/zabbix_server/files/install_semodule.bsx
diff --git a/roles/zabbix_server/files/zabbix_server_add.te b/roles/zabbix_server/files/zabbix_server_add.te
@@ -0,0 +1,28 @@
+module zabbix_server_add 1.1;
+
+require {
+    type zabbix_var_run_t;
+    type tmp_t;
+    type zabbix_t;
+    class sock_file { create unlink write };
+    class unix_stream_socket connectto;
+    class process setrlimit;
+    class capability dac_override;
+}
+
+#============== zabbix_t =============
+
+#!!!! This avc is allowed in the current policy
+allow zabbix_t self:process setrlimit;
+
+#!!!! This avc is allowed in the current policy
+allow zabbix_t self:unix_stream_socket connectto;
+
+#!!!! This avc is allowed in the current policy
+allow zabbix_t tmp_t:sock_file { create unlink write };
+
+#!!!! This avc is allowed in the current policy
+allow zabbix_t zabbix_var_run_t:sock_file { create unlink write };
+
+#!!!! This avc is allowed in the current policy
+allow zabbix_t self:capability dac_override;
diff --git a/roles/zabbix_server/tasks/selinux.yml b/roles/zabbix_server/tasks/selinux.yml
@@ -29,12 +29,29 @@
       state: "{{ selinux_allow_zabbix_can_http }}"
     - name: zabbix_can_network
       state: "{{ selinux_allow_zabbix_can_network }}"
+
+- name: Transfer zabbix selinux type enforcement file
+  copy:
+    src: files/zabbix_server_add.te
+    dest: "{{ zabbix_server_config_dir }}/zabbix_server_add.te"
+    mode: '0444'
+  register: zabbix_selinux_module_file
 
-- name: "SELinux | RedHat | Add SEmodule to fix SELinux issue: zabbix_server_alerter.sock"
-  ansible.builtin.script:
-    cmd: files/install_semodule.bsx
-  args:
-    creates: /etc/selinux/targeted/active/modules/400/zabbix_server_add/cil
+- name: Compile zabbix selinux module
+  command: "checkmodule -M -m -o {{ zabbix_server_config_dir }}/zabbix_server_add.mod {{ zabbix_server_config_dir }}/zabbix_server_add.te"
+  when: zabbix_selinux_module_file['changed']
+
+- name: Compile zabbix selinux policy package
+  command: "semodule_package -o {{ zabbix_server_config_dir }}/zabbix_server_add.pp -m {{ zabbix_server_config_dir }}/zabbix_server_add.mod"
+  when: zabbix_selinux_module_file['changed']
+
+- name: Gather loaded SELinux modules
   become: true
-  tags:
-    - config
+  command: semodule -l
+  register: zabbix_selinux_modules_loaded
+  changed_when: false
+
+- name: Install selinux policy package
+  become: true
+  command: "semodule -i {{ zabbix_server_config_dir }}/zabbix_server_add.pp"
+  when: ('zabbix_server_add' not in zabbix_selinux_modules_loaded['stdout_lines'] or zabbix_selinux_module_file['changed'])