collectd: Set collectd_t domain permissive

The default SELinux policy for *collectd* does not allow it all the necessary access for the way we use it. Notably, it cannot bind to the HTTP port to export Prometheus metrics, and it is not allowed to use netlink to read interface statistics. The latter is not a huge deal, as it can fall back to the legacy procfs interface, but the former is a nonstarter. Eventually, I should write an SELinux module with the correct permissions (and submit the changes upstream), but for now, we'll just make the `collectd_t` domain permissive.
2023-10-04 21:01:38 -05:00 · 2023-10-04 21:01:38 -05:00 · 1cdd12454f
parent fb9684fa93
commit 1cdd12454f
1 changed files with 24 additions and 0 deletions
--- a/collectd.yaml
+++ b/collectd.yaml
@ -51,7 +51,31 @@ storage:
            Port 9103
        </Plugin>

+  - path: /etc/selinux/collectdlocal.cil
+    mode: 0644
+    contents:
+      inline: |
+        (typepermissive collectd_t)
+
+  - path: /etc/systemd/system/semodule-collectdlocal.service
+    mode: 0644
+    contents:
+      inline: |
+        [Unit]
+        ConditionPathExists=/etc/selinux/collectdlocal.cil
+        Before=collectd.service
+
+        [Service]
+        Type=oneshot
+        ExecStart=/usr/sbin/semodule -i /etc/selinux/collectdlocal.cil
+        ExecStartPost=/bin/rm -f /etc/selinux/collectdlocal.cil
+
+        [Install]
+        WantedBy=multi-user.target
+
 systemd:
  units:
  - name: collectd.service
    enabled: true
+  - name: semodule-collectdlocal.service
+    enabled: true