collectd: Control SELinux domain permissiveness
It seems with each new release of Fedora, some feature or other of *collectd* gets broken. In Fedora 36, the *interfaces* plugin does not seem to work reliably, and the *md* plugin logs a *lot* of errors. While these issues are investigated upstream, we either need to manage our own policy for collectd or mark the `collectd_t` domain permissive. I chose the latter because I'm lazy and I don't consider collectd to be that big of a threat to security.
parent
6f11a4cf3a
commit
c9dbaa32b9
|
@ -23,6 +23,12 @@
|
||||||
|
|
||||||
- hosts: collectd
|
- hosts: collectd
|
||||||
tasks:
|
tasks:
|
||||||
|
- name: ensure selinux permissive mode is set for collectd
|
||||||
|
selinux_permissive:
|
||||||
|
domain: collectd_t
|
||||||
|
permissive: '{{ collectd_selinux_permissive|d(false) }}'
|
||||||
|
tags:
|
||||||
|
- selinux
|
||||||
- name: ensure collectd is running
|
- name: ensure collectd is running
|
||||||
service:
|
service:
|
||||||
name: collectd
|
name: collectd
|
||||||
|
|
|
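Review bot: The new `selinux_permissive` task has no `when:` guard, so it runs on every host in the `collectd` group before "ensure collectd is running". If any of those hosts has SELinux disabled or lacks the semanage Python bindings, the module fails and the play stops for that host before the service task. Consider gating it with `when: ansible_selinux.status == 'enabled'`. Note also that the `d(false)` default means a host that does not define `collectd_selinux_permissive` has `collectd_t` actively returned to enforcing, which is the safe default but deserves a one-line comment so nobody is surprised when a manual `semanage permissive -a` is reverted.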
@ -1,3 +1,8 @@
|
||||||
collectd_plugins:
|
collectd_plugins:
|
||||||
md: true
|
md: true
|
||||||
thermal: true
|
thermal: true
|
||||||
|
|
||||||
|
# collectd generates a bunch of AVC denials on Fedora 36. We'll mark
|
||||||
|
# its domain permissive until the problems are identified and resolved
|
||||||
|
# upstream.
|
||||||
|
collectd_selinux_permissive: true
|
||||||
|
|
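Review bot: The comment above `collectd_selinux_permissive: true` states why the exception exists but not when it ends: there is no link to the upstream report and nothing ties the setting to Fedora 36, so `collectd_t` stays permissive on these hosts until someone remembers to flip it. Add the upstream issue URL to the comment, or scope the value to the affected release, so the exception can be reviewed and removed. Because a permissive domain still logs its AVC denials, those records can be used later to write a targeted policy module instead of keeping the whole domain permissive.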