Add selinux workaround for zabbix-server

the server, as the agent, have issues with running selinux. their shipped policy isn't complete. As a workaround we provide our own selinux module.
voxpupuli · Jun 5, 2017 · 2511338 · 2511338
1 parent 7604dc9
commit 2511338
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 12 deletions.
diff --git a/files/zabbix-server.te b/files/zabbix-server.te
@@ -0,0 +1,9 @@
+module zabbix-server 1.0;
+
+require {
+	type zabbix_t;
+	class process setrlimit;
+}
+
+#============= zabbix_t ==============
+allow zabbix_t self:process setrlimit;
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -561,6 +561,12 @@
     selboolean{'zabbix_can_network':
       persistent => true,
       value      => 'on',
+      notify     => Service[$server_service_name],
+    }
+    -> selinux::module{'zabbix-server':
+      ensure    => 'present',
+      source_te => 'puppet:///modules/zabbix/zabbix-server.te',
+      before    => Service[$server_service_name],
     }
   }
 }
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
@@ -6,15 +6,10 @@
   end
 
   on_supported_os.each do |os, facts|
+    next if facts[:osfamily] == 'Archlinux' # zabbix server is currently not supported on archlinux
     context "on #{os} " do
-      systemd_fact = case facts[:osfamily]
-                     when 'Archlinux'
-                       { systemd: true }
-                     else
-                       { systemd: false }
-                     end
       let :facts do
-        facts.merge(systemd_fact)
+        facts
       end
 
       describe 'with default settings' do
@@ -23,12 +18,14 @@
         it { is_expected.to contain_zabbix__startup('zabbix-server') }
       end
 
-      describe 'with enabled selinux' do
-        let :facts do
-          super().merge(selinux: true)
-        end
+      if facts[:osfamily] == 'RedHat'
+        describe 'with enabled selinux' do
+          let :facts do
+            super().merge(selinux: true)
+          end
 
-        it { is_expected.to contain_selboolean('zabbix_can_network').with('value' => 'on', 'persistent' => true) }
+          it { is_expected.to contain_selboolean('zabbix_can_network').with('value' => 'on', 'persistent' => true) }
+        end
       end
 
       describe 'with disabled selinux' do