From 091a117c4f63e9655a7f3dafefa3868b855ffa6a Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 28 Jan 2014 19:51:26 +0000
Subject: [PATCH] A custom selinux module for fedmsg.
---
roles/fedmsg_base/files/selinux/fedmsg.mod | Bin 0 -> 903 bytes
roles/fedmsg_base/files/selinux/fedmsg.pp | Bin 0 -> 919 bytes
roles/fedmsg_base/files/selinux/fedmsg.te | 11 +++++++++++
roles/fedmsg_base/tasks/main.yml | 12 ++++++++++++
4 files changed, 23 insertions(+)
create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.mod
create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.pp
create mode 100644 roles/fedmsg_base/files/selinux/fedmsg.te
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.mod b/roles/fedmsg_base/files/selinux/fedmsg.mod
new file mode 100644
index 0000000000000000000000000000000000000000..13953aa520e4f9bdb87bf6f34c71cda5aec5b365
GIT binary patch
literal 903
zcmb`F%?`mp6orp}vEUUvf$#=4cC0)=gHEZ?icZ7AD|lcla+s5hM#aLHOlErTxp!_e z=X$@~dI08={xnYVbAOhG`OZ`UbO2NUwDF<|ATr@TTh{=L2E(yS_^^Ph?t=Q}PNH~c z8cuUM#@0x{TO>-CTeGsk(Z8VVOgJr9*Y!|O;@2&bGzsD)4Na5IOiz#(rjfl|BC+$&P&JA cojm)C#*`uXcFM_c@1|0gI}PScn+a
literal 0
HcmV?d00001
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.pp b/roles/fedmsg_base/files/selinux/fedmsg.pp
new file mode 100644
index 0000000000000000000000000000000000000000..7620bdf0fd5e285f11443040ad35d048a52801cd
GIT binary patch
literal 919
zcmb_aOAY}+6fA$Sz!984xPgrwD+ichdKh6wXkpY8+2 z@8??q09PBp<$k`k08ECRQJfr3opBl-)}{!c;b?WdPz4Z~aI;^O0Q9@Pfou4XcG(s6 z&7FwiwW&Da<1V&F1l}T2I$N2!4R-zod1r!dxtdNxnuI?$P0}QYlQcBZKCm@6mB(IM zyA1>TRQUpp%RHePK?7Xs)2Qk`vOMwqA0VWyzToqI(aLi8s6!lO
literal 0
HcmV?d00001
diff --git a/roles/fedmsg_base/files/selinux/fedmsg.te b/roles/fedmsg_base/files/selinux/fedmsg.te
new file mode 100644
index 0000000000..ba2a3c12ff
--- /dev/null
+++ b/roles/fedmsg_base/files/selinux/fedmsg.te
@@ -0,0 +1,11 @@
+
+module fedmsg 1.0;
+
+require {
+ type anon_inodefs_t;
+ type httpd_t;
+ class file write;
+}
+
+#============= httpd_t ==============
+allow httpd_t anon_inodefs_t:file write;
diff --git a/roles/fedmsg_base/tasks/main.yml b/roles/fedmsg_base/tasks/main.yml
index 9b47e9f28b..d97e30cd16 100644
--- a/roles/fedmsg_base/tasks/main.yml
+++ b/roles/fedmsg_base/tasks/main.yml
@@ -70,3 +70,15 @@
 when: fedmsg_certs != []
 tags:
 - config
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+ file: dest=/usr/local/share/fedmsg state=directory
+
+- name: copy over our custom selinux module
+ copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
+ register: selinux_module
+
+- name: install our custom selinux module
+ command: semanage -i /usr/local/share/fedmsg/fedmsg.pp
+ when: selinux_module|changed
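Review bot: The rule at the end of the hunk, `allow httpd_t anon_inodefs_t:file write;`, carries no comment saying which fedmsg operation under httpd hits the denial it silences, so a later auditor cannot tell whether this grant is still needed or is wider than required. The `#============= httpd_t ==============` banner looks like audit2allow output, which suggests the rule was generated from a logged AVC; a one-line comment above it naming that denial would help, e.g. `# needed because fedmsg under mod_wsgi writes to an anon_inodefs_t file (presumably a ZeroMQ eventfd) — TODO cite the AVC denial this addresses`. The same commit also checks in the compiled fedmsg.mod and fedmsg.pp next to this source with no build step, so the three can drift silently; either rebuild the .pp from this .te during the play (checkmodule -M -m, then semodule_package) or add a comment here stating that the .pp must be regenerated whenever this file changes.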
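Review bot: The install task's command, `command: semanage -i /usr/local/share/fedmsg/fedmsg.pp`, uses the wrong tool: `semanage -i` imports a file of semanage commands (the counterpart of `semanage -o`), whereas a compiled policy package is loaded with semodule, so the line should read `command: semodule -i /usr/local/share/fedmsg/fedmsg.pp`. The `when: selinux_module|changed` guard also means the module is loaded only on the run that copies the file; if the module is later removed or the policy store is rebuilt while the .pp stays in place, the play will report nothing to do. Registering the output of `semodule -l` and installing when fedmsg is absent from it would make the task idempotent on its own rather than keyed to the copy. The hunk's three context lines belong to a preceding task whose start is outside the hunk.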