Include SELinux tasks for zabbix_web and refactor selinux variable names #1220

Merged
merged 4 commits into from
May 9, 2024
@@ -0,0 +1,4 @@
bugfixes:
- zabbix_web role, Add missing selinux.yml tasks.
minor_changes:
- zabbix_web role, Refactored zabbix_selinux variable names to correlate with selinux boolean names.
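Review bot: the `minor_changes` entry undersells what the rename does; the old variables `zabbix_selinux`, `selinux_allow_zabbix_can_network` and `zabbix_apache_can_connect_ldap` are removed outright (see the defaults and task changes below) with no alias or deprecation period, so an existing playbook that sets them will silently fall back to the new `false` defaults and lose its LDAP or DB booleans. List the old-to-new mapping here, and consider a `breaking_changes` or `deprecated_features` section instead of `minor_changes`. Also, in the `bugfixes` line "selinux.yml" is the task file being included; "Add missing selinux.yml tasks" reads better as "include the selinux.yml tasks that were never run".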
9 changes: 8 additions & 1 deletion docs/ZABBIX_WEB_ROLE.md
Expand Up @@ -16,6 +16,7 @@
- [Apache configuration](#apache-configuration)
- [Nginx configuration](#nginx-configuration)
- [PHP-FPM](#php-fpm)
- [SElinux](#selinux)
- [Zabbix Server](#zabbix-server)
* [proxy](#proxy)
- [Example Playbook](#example-playbook)
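Review bot: style point on the new TOC entry: the project name is written "SELinux", not "SElinux"; the heading added further down in this file uses the same spelling, so change both together (the `#selinux` anchor is unaffected).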
Expand Down Expand Up @@ -118,7 +119,6 @@ The following is an overview of all available configuration defaults for this ro
* `zabbix_web_vhost_port`: The port on which Zabbix HTTP vhost is running.
* `zabbix_web_vhost_tls_port`: The port on which Zabbix HTTPS vhost is running.
* `zabbix_web_vhost_listen_ip`: On which interface the Apache Virtual Host is available.
* `zabbix_apache_can_connect_ldap`: Default: `false`. Set SELinux boolean to allow httpd to connect to LDAP.
* `zabbix_web_max_execution_time`: PHP max execution time
* `zabbix_web_memory_limit`: PHP memory limit
* `zabbix_web_post_max_size`: PHP maximum post size
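Review bot: dropping the `zabbix_apache_can_connect_ldap` line from the general variable list is fine since it is re-documented under the new SELinux section, but nothing tells a reader that the variable was renamed; a one-line pointer ("renamed to `selinux_allow_httpd_can_connect_ldap`") either here or in the SELinux section would save users a search when their LDAP login stops working after upgrading.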
Expand Down Expand Up @@ -153,6 +153,13 @@ The following properties are specific to Zabbix 5.0 and for the PHP(-FPM) config

* `zabbix_php_fpm_conf_group`: The group of the owner of the socket file (When `zabbix_php_fpm_listen` contains a patch to a socket file).

### SElinux

* `zabbix_web_selinux`: Default: `False`. Enables an SELinux policy so that the web will run.
* `selinux_allow_httpd_can_connect_zabbix`: Default: `false`. Set SELinux boolean to allow httpd to connect to zabbix.
* `selinux_allow_httpd_can_connect_ldap`: Default: `false`. Set SELinux boolean to allow httpd to connect to LDAP.
* `selinux_allow_httpd_can_network_connect_db`: Default: `false` Set SELinux boolean to allow httpd to connect databases over the network.

### Zabbix Server

* `zabbix_server_name`: The name of the Zabbix Server.
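Review bot: the description of `zabbix_web_selinux` ("Enables an SELinux policy so that the web will run") does not match what the code does: per the RedHat.yml change it only gates the include of selinux.yml, and the three `selinux_allow_*` booleans are no-ops unless it is `true`. Say that explicitly, e.g. "Master switch: when `true`, run the SELinux tasks (policy package install and the booleans below); the `selinux_allow_*` variables have no effect when this is `false`." Two smaller points: `Default: `False`` should be `false` like the other three (YAML booleans, matching defaults/main.yml), and the `selinux_allow_httpd_can_network_connect_db` line is missing its full stop and should warn that the boolean widens httpd_t to any database port on the network, so it should stay `false` when the DB is local.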
8 changes: 5 additions & 3 deletions roles/zabbix_web/defaults/main.yml
Expand Up @@ -86,12 +86,14 @@ zabbix_server_history_types:
- "uint"
- "dbl"

zabbix_selinux: false
# SELinux specific
zabbix_web_selinux: false
selinux_allow_httpd_can_connect_ldap: false
selinux_allow_httpd_can_network_connect_db: false
selinux_allow_httpd_can_connect_zabbix: false

zabbix_repo_deb_gpg_key_url: http://repo.zabbix.com/zabbix-official-repo.key
zabbix_repo_deb_include_deb_src: true
# selinux_allow_zabbix_can_network: false
# zabbix_apache_can_connect_ldap: false

# SAML certificates
# zabbix_saml_idp_crt:
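Review bot: the two commented-out lines `# selinux_allow_zabbix_can_network: false` and `# zabbix_apache_can_connect_ldap: false` are dead residue; either delete them or turn them into a compatibility shim so old playbooks keep working, e.g. `selinux_allow_httpd_can_connect_ldap: "{{ zabbix_apache_can_connect_ldap | default(false) }}"`. Separately, the new names are not role-prefixed (`selinux_allow_*` rather than `zabbix_web_*`), which is inconsistent with `zabbix_web_selinux` and with the rest of this defaults file and risks colliding with other roles that set the same booleans.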
5 changes: 5 additions & 0 deletions roles/zabbix_web/tasks/RedHat.yml
Expand Up @@ -57,3 +57,8 @@
- ansible_distribution_major_version == '9'
tags:
- install

- name: "Configure SELinux when enabled"
ansible.builtin.include_tasks: selinux.yml
when:
- zabbix_web_selinux | bool
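Review bot: the new `include_tasks` has no `tags`, while every task inside selinux.yml carries `install` or `config`. Because `include_tasks` is dynamic, a run restricted with `--tags config` or `--tags install` skips the untagged include and never reaches those tasks, so the booleans are not set exactly in the tag-filtered runs people use for reconfiguration. Add `tags: [install, config]` to the include (or use `import_tasks`). Also consider guarding with `ansible_selinux is defined`, since every task in selinux.yml dereferences `ansible_selinux.status` and will error on hosts run with `gather_facts: false`.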
22 changes: 5 additions & 17 deletions roles/zabbix_web/tasks/selinux.yml
Expand Up @@ -12,7 +12,7 @@
become: true
when:
- ansible_os_family == "RedHat"
- selinux_allow_zabbix_can_network
- ansible_selinux.status == "enabled"
- ansible_distribution_major_version == "7" or ansible_distribution_major_version == "6"
tags:
- install
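Review bot: two consistency points in the remaining conditions. The `ansible_os_family == "RedHat"` check is now redundant, since this file is only reached from RedHat.yml. And this task compares `ansible_distribution_major_version` as strings (`== "7" or == "6"`) while the next hunk uses `|int >= 8`; pick one form, preferably `|int <= 7`, so the two branches are obviously complementary.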
Expand All @@ -30,23 +30,11 @@
become: true
when:
- ansible_os_family == "RedHat"
- selinux_allow_zabbix_can_network
- ansible_selinux.status == "enabled"
- ansible_distribution_major_version|int >= 8
tags:
- install

- name: "SELinux | RedHat | Enable zabbix_can_network SELinux boolean"
ansible.posix.seboolean:
name: zabbix_can_network
state: true
persistent: true
become: true
when:
- ansible_os_family == "RedHat"
- selinux_allow_zabbix_can_network
tags:
- config

- name: "SELinux | Allow httpd to connect to db (SELinux)"
ansible.posix.seboolean:
name: httpd_can_network_connect_db
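Review bot: deleting the `zabbix_can_network` task is a behaviour change that the changelog fragment does not mention. That boolean governs the `zabbix_t` domain (server, proxy, agent), not `httpd_t`, so removing it from the web role is the right scope, but anyone who relied on zabbix_web to set it will now lose it; state the removal in the fragment and confirm the server/proxy roles set the boolean themselves.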
Expand All @@ -55,7 +43,7 @@
become: true
when:
- ansible_selinux.status == "enabled"
- selinux_allow_zabbix_can_network
- selinux_allow_httpd_can_network_connect_db | bool
tags:
- config
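Review bot: the gate change itself is correct, but `httpd_can_network_connect_db` is the broad boolean (it lets httpd reach any database port on any host); since the default stays `false`, the docs should make clear it is only needed when the Zabbix DB is on a remote host, and that a local socket or localhost TCP connection does not require it.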

Expand All @@ -67,7 +55,7 @@
become: true
when:
- ansible_selinux.status == "enabled"
- selinux_allow_zabbix_can_network
- selinux_allow_httpd_can_connect_zabbix | bool
tags:
- config
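Review bot: defaulting `selinux_allow_httpd_can_connect_zabbix` to `false` means that on an enforcing host the frontend cannot open its connection to the Zabbix server port, so the "Zabbix server is running" indicator and the queue views break out of the box even with `zabbix_web_selinux: true`. Either default this one to `true` when `zabbix_web_selinux` is enabled, or call the requirement out in the SELinux docs section.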

Expand All @@ -79,6 +67,6 @@
become: true
when:
- ansible_selinux.status == "enabled"
- zabbix_apache_can_connect_ldap | bool
- selinux_allow_httpd_can_connect_ldap | bool
tags:
- config
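Review bot: this is the hunk where the `zabbix_apache_can_connect_ldap` rename bites: an inventory still setting the old variable will evaluate `selinux_allow_httpd_can_connect_ldap | bool` as `false` and the boolean is silently left off, breaking LDAP authentication under SELinux. If the old name is not going to be aliased in defaults, at least fail loudly, e.g. an `assert` that `zabbix_apache_can_connect_ldap is not defined` with a message naming the new variable.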