From 0a457060a917848f3551d398a9c070fc9de97917 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 6 Jan 2015 19:53:19 +0000
Subject: [PATCH] A custom selinux module for our haproxy setup.

---
 roles/haproxy/files/selinux/fi-haproxy.mod | Bin 0 -> 836 bytes
 roles/haproxy/files/selinux/fi-haproxy.pp | Bin 0 -> 852 bytes
 roles/haproxy/files/selinux/fi-haproxy.te | 10 +++++++
 roles/haproxy/tasks/main.yml | 31 +++++++++++++++++++++
 4 files changed, 41 insertions(+)
 create mode 100644 roles/haproxy/files/selinux/fi-haproxy.mod
 create mode 100644 roles/haproxy/files/selinux/fi-haproxy.pp
 create mode 100644 roles/haproxy/files/selinux/fi-haproxy.te

diff --git a/roles/haproxy/files/selinux/fi-haproxy.mod b/roles/haproxy/files/selinux/fi-haproxy.mod
new file mode 100644
index 0000000000000000000000000000000000000000..168453f58c47b04d31333ebd4451faa7fb5027ea
GIT binary patch
literal 836
zcmb`FK?=e^3`M^RqHerGFQDiR+_=+~2PkcAainxgX|V;b;DKE!UmFd@ii!`yWG2ZE z1OIe6p2q+-OJ`-0qIA}FTf|`(zz9GGzyNo6kIZD}rI{_O9)S6Dwy2954ly`D zUh4TKHhI;rtC2kmvETRjq FxB|AtE+GH_

literal 0
HcmV?d00001

diff --git a/roles/haproxy/files/selinux/fi-haproxy.pp b/roles/haproxy/files/selinux/fi-haproxy.pp
new file mode 100644
index 0000000000000000000000000000000000000000..66eef65fe78e441d41f23d49c33e382a1f16233e
GIT binary patch
literal 852
zcmb`FQ3`@k5JjhgsD5e*ZlI_g^wVE`wE$65GD1a^6x>3zUcZc6-WnvMq65R5_h#k} z5ALNZ%8rO2CL(gKigGL>+m*5QgETWX;VwP8T@e}8Z3DT3yXQ~$RuqR>-V>36K;KuC3LiUFC!F3Wd)_dA=K#ifwsio)YUzo{l>J1d6 z2+(g3MX=6OF9Z6n^QN9g_aR46pXV<pq60Rgz2J9U MgMA(r(S=uB0rR0THUIzs

literal 0
HcmV?d00001

diff --git a/roles/haproxy/files/selinux/fi-haproxy.te b/roles/haproxy/files/selinux/fi-haproxy.te
new file mode 100644
index 0000000000..34f8352313
--- /dev/null
+++ b/roles/haproxy/files/selinux/fi-haproxy.te
@@ -0,0 +1,10 @@
+module fi-haproxy 1.0;
+
+require {
+ type haproxy_t;
+ class capability fowner;
+}
+
+#============= haproxy_t ==============
+allow haproxy_t self:capability fowner;
+
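Review bot: The `allow haproxy_t self:capability fowner;` rule in fi-haproxy.te widens the haproxy domain's capabilities without recording which operation or AVC denial required it, so a later reviewer cannot tell whether the grant is still needed or could be narrowed. Please add a comment above the rule such as `# Needed because: <paste the AVC denial / audit2allow output that motivated this>` so the grant stays auditable. The fi-haproxy.mod and fi-haproxy.pp added in the same commit are opaque compiled artifacts that cannot be diffed against this source; consider building the .pp at deploy time from the .te, or at least add `# Rebuild with: checkmodule -M -m -o fi-haproxy.mod fi-haproxy.te && semodule_package -o fi-haproxy.pp -m fi-haproxy.mod` to this file so the binaries do not silently drift from the reviewed policy.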
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 8b0b159186..2982caa44c 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -61,3 +61,34 @@
 tags:
 - haproxy
 - selinux
+
+# These following four tasks are used for copying over our custom selinux
+# module.
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/share/haproxy state=directory
+ tags:
+ - haproxy
+ - selinux
+
+- name: copy over our general haproxy selinux module
+ copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp
+ register: fi_haproxy_module
+ tags:
+ - haproxy
+ - selinux
+
+- name: check to see if its even installed yet
+ shell: semodule -l | grep fi-haproxy | wc -l
+ register: fi_haproxy_grep
+ always_run: true
+ changed_when: "'0' in fi_haproxy_grep.stdout"
+ tags:
+ - haproxy
+ - selinux
+
+- name: install our general haproxy selinux module
+ command: semodule -i /usr/share/haproxy/fi-haproxy.pp
+ when: fi_haproxy_module|changed or fi_haproxy_grep|changed
+ tags:
+ - haproxy
+ - selinux
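Review bot: The `changed_when: "'0' in fi_haproxy_grep.stdout"` on the "check to see if its even installed yet" task is a substring test, so any count containing the digit 0 (e.g. "10") is treated as "not installed", and the unanchored `grep fi-haproxy` also matches any module whose name merely contains that string. Since the `command`/`shell` result already strips the trailing newline, compare the count exactly and anchor the match: `shell: semodule -l | grep -w '^fi-haproxy' | wc -l` and `changed_when: fi_haproxy_grep.stdout == "0"`. As written the "install our general haproxy selinux module" task below it keys off this result, so a false "changed" reruns `semodule -i` needlessly and a false "unchanged" can leave the module uninstalled when the copy task reports no change.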