From c9dbaa32b921448bb49ed6b8daaac5a218982fd5 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 24 Jul 2022 10:32:29 -0500
Subject: [PATCH] collectd: Control SELinux domain permissiveness

It seems with each new release of Fedora, some feature or other of *collectd* gets broken. In Feodra 36, the *interfaces* plugin does not seem to work reliably, and the *md* plugin logs a *lot* of errors. While these issues are investigated upstream, we either need to manage our own policy for collectd or mark the `collectd_t` domain permissive. I chose the latter because I'm lazy and I don't consider collectd to be that big of a threat to security.
---
 collectd.yml | 6 ++++++
 host_vars/nvr1.pyrocufflink.blue.yml | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/collectd.yml b/collectd.yml
index da3b79d..2cd8baa 100644
--- a/collectd.yml
+++ b/collectd.yml
@@ -23,6 +23,12 @@
 - hosts: collectd
 tasks:
+ - name: ensure selinux permissive mode is set for collectd
+ selinux_permissive:
+ domain: collectd_t
+ permissive: '{{ collectd_selinux_permissive|d(false) }}'
+ tags:
+ - selinux
 - name: ensure collectd is running
 service:
 name: collectd
diff --git a/host_vars/nvr1.pyrocufflink.blue.yml b/host_vars/nvr1.pyrocufflink.blue.yml
index 9ac879e..3ac3e4a 100644
--- a/host_vars/nvr1.pyrocufflink.blue.yml
+++ b/host_vars/nvr1.pyrocufflink.blue.yml
@@ -1,3 +1,8 @@
 collectd_plugins:
 md: true
 thermal: true
+
+# collectd generates a bunch of AVC denials on Fedora 36. We'll mark
+# its domain permissive until the problems are identified and resolved
+# upstream.
+collectd_selinux_permissive: true
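Review bot: The new `selinux_permissive` task in collectd.yml has no prerequisite for the SELinux Python bindings the module depends on (it needs `seobject`, packaged as policycoreutils-python or python3-policycoreutils depending on the Fedora release), so it will fail on hosts where that package is absent unless an earlier play installs it, which this hunk does not show. Either precede it with a package task for that dependency or record the requirement in a comment above `- name: ensure selinux permissive mode is set for collectd`. The intended convergence behaviour is also worth stating, since the task runs on every collectd host with a default of `false` and therefore puts the domain back into enforcing mode wherever the override is later removed: `# unconditional on purpose: hosts without collectd_selinux_permissive are returned to enforcing mode`. The bare module name relies on the ansible package's collection redirect; the FQCN `community.general.selinux_permissive` would make that dependency explicit. The play continues past the hunk, and its indentation is not recoverable from this rendering.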
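Review bot: The comment added to host_vars/nvr1.pyrocufflink.blue.yml gives the reason for the permissive domain but no criterion for removing it, and exceptions like this tend to outlive the bug that justified them. Add a removal condition to the comment, e.g. `# TODO: remove once <upstream issue link> is resolved; re-check on the next Fedora upgrade`, filling in the tracker link once the upstream reports exist. Keeping the override in a host_vars file rather than group vars limits it to this one host, and because permissive mode still logs the AVC denials, this host's audit log stays usable for working out the policy fix the comment defers.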