collectd: Control SELinux domain permissiveness

It seems with each new release of Fedora, some feature or other of
*collectd* gets broken.  In Fedora 36, the *interfaces* plugin does not
seem to work reliably, and the *md* plugin logs a *lot* of errors.
While these issues are investigated upstream, we either need to manage
our own policy for collectd or mark the `collectd_t` domain permissive.
I chose the latter because I'm lazy and I don't consider collectd to be
that big of a threat to security.
btop
Dustin 2022-07-24 10:32:29 -05:00
parent 6f11a4cf3a
commit c9dbaa32b9
2 changed files with 11 additions and 0 deletions


@ -23,6 +23,12 @@
- hosts: collectd
tasks:
- name: ensure selinux permissive mode is set for collectd
selinux_permissive:
domain: collectd_t
permissive: '{{ collectd_selinux_permissive|d(false) }}'
tags:
- selinux
- name: ensure collectd is running
service:
name: collectd
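Review bot: the new `selinux_permissive` task has no `when:` guard, so it runs on every host in the `collectd` group regardless of whether SELinux is enabled there. Consider conditioning it on the host's SELinux status so the play does not fail on hosts without the SELinux management libraries. The `d(false)` default on the `permissive:` line is a good choice, since hosts that never set `collectd_selinux_permissive` have `collectd_t` returned to enforcing. A short comment saying so would help the next reader, and piping the value through `| bool` would make the intended type explicit.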


@ -1,3 +1,8 @@
collectd_plugins:
md: true
thermal: true
# collectd generates a bunch of AVC denials on Fedora 36. We'll mark
# its domain permissive until the problems are identified and resolved
# upstream.
collectd_selinux_permissive: true
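Review bot: `collectd_selinux_permissive: true` is set unconditionally, while the comment above it scopes the problem to Fedora 36 and to the period "until the problems are identified and resolved upstream". Nothing here ties the exception to that release or records which upstream report to watch, so it is likely to outlive the bug. Suggest adding the upstream issue reference to the comment, and either limiting the variable to the affected hosts or noting the condition for removing it. A permissive domain covers every plugin collectd loads, not only `md` and `interfaces`, and denials are still logged, so the AVC records remain available for writing a narrower policy module later.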