Zabbix, varnishstat, and SELinux
Installing The Policy
Activating your shiny new SELinux policy package is the easy part. Simply copy it to the SELinux policy directory (/usr/share/selinux/packages on RHEL 7.x systems) and use the semodule command to activate it:
[root@varnish-01 ~]# semodule -i /usr/share/selinux/packages/fio-zabbix-agent.pp
It may take a little while for the command to run; SELinux is pretty slow about installing modules. Once finished, however, your policy will be active, and the Zabbix agent should be able to talk to Varnish.
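To confirm the module actually loaded and that the agent is no longer being denied, a post-install check along these lines can help. This is an added example, not part of the original post; the zabbix_agent_t source domain and the sample listing and audit lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: post-install checks for the fio-zabbix-agent module.
MODULE=fio-zabbix-agent

# Succeeds if the named module appears in a `semodule -l` listing on stdin.
# Older releases print "name<TAB>version", newer ones the name only;
# matching on the first field handles both.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Prints AVC denials whose source domain is the Zabbix agent, reading
# audit log lines on stdin. zabbix_agent_t is an assumed domain name.
agent_denials() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:zabbix_agent_t:'
}

# Constructed sample data (not from the original post) for an offline dry run.
SAMPLE_LIST=$(printf 'abrt\t1.4.1\nfio-zabbix-agent\t1.0\nzabbix\t1.6.0')
SAMPLE_AUDIT='type=AVC msg=audit(1450000000.101:410): avc:  denied  { read } for  pid=2001 comm="varnishstat" name="_.vsm" dev="dm-0" ino=1001 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:varnishd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1450000001.202:411): avc:  denied  { write } for  pid=2002 comm="httpd" name="cache" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# On a real SELinux host, run the same checks against live data.
if command -v semodule >/dev/null 2>&1; then
    if semodule -l | module_loaded "$MODULE"; then
        echo "$MODULE is loaded"
    else
        echo "$MODULE is NOT loaded" >&2
    fi
    # Any output here means the policy still lacks a rule the agent needs.
    ausearch -m avc -ts today 2>/dev/null | agent_denials \
        || echo "no Zabbix agent denials logged today"
fi
```

If denials still show up after the module is loaded, they are the input for another audit2allow pass.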
Thoughts
The biggest issue with SELinux seems to be one of documentation, and I’m probably just not looking in the right places. I haven’t really looked that hard. What I have seen, though, gives me the impression that learning SELinux will be as difficult as learning a new programming language (and perhaps more so since you have to learn the terminology as well). Thankfully, the audit2allow tool neatly bypasses this problem.
Using the output, it’s fairly easy to see how to define a policy, but there’s still a lot of other stuff to learn. I find security systems that are hard to understand to be of dubious utility: it’s imperative that you fully understand your security system if you want actual security. SELinux flies in the face of that.
On the other hand, it’s one more barrier against the malcontents, so it’s worth knowing at least the basics.
All I really care about at the moment, however, is that Zabbix can talk to Varnish.