From 1cdd12454f9187896084e7ddd29317d1871efe02 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 4 Oct 2023 21:01:38 -0500
Subject: [PATCH] collectd: Set collectd_t domain permissive

The default SELinux policy for *collectd* does not allow it all the necessary access for the way we use it. Notably, it cannot bind to the HTTP port to export Prometheus metrics, and it is not allowed to use netlink to read interface statistics. The latter is not a huge deal, as it can fall back to the legacy procfs interface, but the former is a nonstarter. Eventually, I should write an SELinux module with the correct permissions (and submit the changes upstream), but for now, we'll just make the `collectd_t` domain permissive.
---
 collectd.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/collectd.yaml b/collectd.yaml
index 8ed3177..1c227b5 100644
--- a/collectd.yaml
+++ b/collectd.yaml
@@ -51,7 +51,31 @@ storage:
 Port 9103
+ - path: /etc/selinux/collectdlocal.cil
+ mode: 0644
+ contents:
+ inline: |
+ (typepermissive collectd_t)
+
+ - path: /etc/systemd/system/semodule-collectdlocal.service
+ mode: 0644
+ contents:
+ inline: |
+ [Unit]
+ ConditionPathExists=/etc/selinux/collectdlocal.cil
+ Before=collectd.service
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/sbin/semodule -i /etc/selinux/collectdlocal.cil
+ ExecStartPost=/bin/rm -f /etc/selinux/collectdlocal.cil
+
+ [Install]
+ WantedBy=multi-user.target
+
 systemd:
 units:
 - name: collectd.service
 enabled: true
+ - name: semodule-collectdlocal.service
+ enabled: true
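Review bot: The CIL module written to `/etc/selinux/collectdlocal.cil` makes the whole `collectd_t` domain permissive, which stops enforcement for everything the daemon does (including the HTTP listener on port 9103 visible in the context line), not only the port bind and netlink access the commit message names, and nothing in the hunk records the denials that would justify narrower rules. While the domain is permissive every blocked access is still logged as an AVC denial, so those denials can be collected (`ausearch -m AVC -c collectd`) and turned into the targeted allow-rule module the message promises. The CIL file should state why it exists, e.g. a leading `; temporary: collectd_t lacks permission to bind the metrics port and use netlink; replace with targeted allow rules`, and the unit's `[Unit]` section has no `Description=`, e.g. `Description=Install local SELinux policy module for collectd`. The oneshot has no `RemainAfterExit=yes`, which is fine because a successful `semodule -i` is followed by removing the file, but a failed install leaves the file in place and the unit retries on every boot — presumably intended, yet worth a comment in the unit.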