---
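# Install the SELinux management utilities on Debian-family hosts.
# The apt cache is refreshed on every run (update_cache with
# cache_valid_time: 0) before the package is installed.
- name: "SELinux | Debian | Install policycoreutils-python"
  ansible.builtin.apt:
    pkg: policycoreutils-python-utils
    state: present
    update_cache: true
    cache_valid_time: 0
    force_apt_get: "{{ zabbix_apt_force_apt_get }}"
    install_recommends: "{{ zabbix_apt_install_recommends }}"
  environment:
    # NOTE(review): default(None) already supplies a value when the variable
    # is undefined, so the trailing default(omit) looks unreachable; confirm.
    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
  become: true
  register: zabbix_agent_policycoreutils_installed
  # Retry on the result registered by this task. The condition previously
  # tested zabbix_agent_package_installed, which this task never sets, so the
  # retry loop did not reflect whether this install succeeded.
  until: zabbix_agent_policycoreutils_installed is succeeded
  when:
    - ansible_os_family == "Debian"
  tags:
    - install
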
# Install the SELinux management utilities on RedHat-family hosts whose
# major version is 6 or 7.
# NOTE(review): zabbix_agent_distribution_major_version is not defined in
# this file; presumably it is set elsewhere in the role. Confirm.
- name: "SELinux | RedHat | Install policycoreutils-python"
  ansible.builtin.package:
    name: policycoreutils-python
    state: installed
  environment:
    # NOTE(review): default(None) already supplies a value when the variable
    # is undefined, so the trailing default(omit) looks unreachable; confirm.
    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
  become: true
  when:
    - ansible_os_family == "RedHat"
    - zabbix_agent_distribution_major_version in ["6", "7"]
  # Retried until the package install registered below reports success.
  register: zabbix_agent_policycoreutils_installed
  until: zabbix_agent_policycoreutils_installed is succeeded
  tags:
    - install

# Install the Python 3 build of the SELinux management utilities on
# RedHat-family hosts with major version 8.
- name: "SELinux | RedHat | Install python3-policycoreutils on RHEL8"
  ansible.builtin.package:
    name: python3-policycoreutils
    state: installed
  environment:
    # NOTE(review): default(None) already supplies a value when the variable
    # is undefined, so the trailing default(omit) looks unreachable; confirm.
    http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}"
    https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  # Retried until the package install registered below reports success.
  register: zabbix_agent_policycoreutils_installed
  until: zabbix_agent_policycoreutils_installed is succeeded
  tags:
    - install

# Ensure the targeted SELinux policy package is installed on RedHat-family
# hosts. No proxy environment is passed to this task.
- name: "SELinux | RedHat | Install selinux-policy-targeted"
  ansible.builtin.package:
    name: selinux-policy-targeted
    state: installed
  become: true
  when:
    - ansible_os_family == "RedHat"
  # Retried until the package install registered below reports success.
  register: zabbix_agent_selinuxpolicytargeted_installed
  until: zabbix_agent_selinuxpolicytargeted_installed is succeeded
  tags:
    - install

# Go straight to the getenforce binary: a workaround for hosts where the
# Python SELinux library is missing.
# This task only records whether /usr/sbin/getenforce exists; the result is
# stored in getenforce_bin for the tasks that follow.
- name: "SELinux | Get getenforce binary"
  ansible.builtin.stat:
    path: /usr/sbin/getenforce
  become: true
  register: getenforce_bin
  tags:
    - always

# Run getenforce by absolute path and keep its output in `sestatus`.
# The task is skipped when the earlier stat found no binary.
- name: "SELinux | Collect getenforce output"
  ansible.builtin.command:
    cmd: /usr/sbin/getenforce
  when: getenforce_bin.stat.exists
  become: true
  register: sestatus
  # Never reported as a change.
  changed_when: false
  # check_mode: false makes the command run even under --check, so the
  # registered output is available to later tasks.
  check_mode: false
  tags:
    - always

# Set the zabbix_selinux fact to true when getenforce exists and its output
# contains "Enforcing" or "Permissive" (a substring match on stdout).
# Any other output leaves zabbix_selinux untouched by this task.
- name: "SELinux | Set zabbix_selinux to true if getenforce returns Enforcing or Permissive"
  ansible.builtin.set_fact:
    zabbix_selinux: "{{ true }}"
  when: 'getenforce_bin.stat.exists and ("Enforcing" in sestatus.stdout or "Permissive" in sestatus.stdout)'
  tags:
    - always

# Put the zabbix_agent_t SELinux domain into permissive mode.
# Security note: in a permissive domain SELinux logs AVC denials but does not
# enforce them, so policy no longer confines processes in that domain.
# NOTE(review): this task has no `when` guard, unlike the seboolean task in
# this file. Confirm it is only reached on SELinux-enabled hosts, and prefer
# a targeted policy module over a permissive domain where one is available.
- name: "SELinux | Allow zabbix_agent to start (SELinux)"
  community.general.selinux_permissive:
    permissive: true
    name: zabbix_agent_t
  become: true
  tags:
    - config

# Turn on the zabbix_run_sudo SELinux boolean and persist it across reboots.
# This runs only when the gathered facts report SELinux as enabled and the
# role variable selinux_allow_zabbix_run_sudo evaluates to true.
# NOTE(review): this boolean widens what the Zabbix domain may do; pair it
# with tightly scoped sudoers rules for the account the agent runs as.
- name: "SELinux | Allow zabbix to run sudo commands (SELinux)"
  ansible.posix.seboolean:
    name: zabbix_run_sudo
    state: true
    persistent: true
  when:
    - ansible_selinux.status == "enabled"
    - selinux_allow_zabbix_run_sudo | bool
  become: true
  tags:
    - config