From b28a27f61d44827d7cf8edb0b018eb28e7d93fae Mon Sep 17 00:00:00 2001
From: Tim Meusel <tim@bastelfreak.de>
Date: Mon, 5 Jun 2017 23:19:56 +0200
Subject: [PATCH] Add selinux workaround for zabbix-server

the server, as the agent, have issues with running selinux. their
shipped policy isn't complete. As a workaround we provide our own
selinux module.
---
 files/zabbix-server.te | 9 +++++++++
 manifests/server.pp    | 6 ++++++
 2 files changed, 15 insertions(+)
 create mode 100644 files/zabbix-server.te

diff --git a/files/zabbix-server.te b/files/zabbix-server.te
new file mode 100644
index 000000000..b4a37b865
--- /dev/null
+++ b/files/zabbix-server.te
@@ -0,0 +1,9 @@
+module zabbix-server 1.0;
+
+require {
+	type zabbix_t;
+	class process setrlimit;
+}
+
+#============= zabbix_t ==============
+allow zabbix_t self:process setrlimit;
diff --git a/manifests/server.pp b/manifests/server.pp
index 72776f959..9296ae5ae 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -561,6 +561,12 @@
     selboolean{'zabbix_can_network':
       persistent => true,
       value      => 'on',
+      notify     => Service[$server_service_name],
+    }
+    -> selinux::module{'zabbix-server':
+      ensure    => 'present',
+      source_te => 'puppet:///modules/zabbix/zabbix-server.te',
+      before    => Service[$server_service_name],
     }
   }
 }