A custom selinux module for our haproxy setup.

2015-01-06 19:53:19 +00:00 · 2015-01-06 19:53:19 +00:00 · 0a457060a9
commit 0a457060a9
parent 29a347fbb4
4 changed files with 41 additions and 0 deletions
--- a/roles/haproxy/files/selinux/fi-haproxy.mod
+++ b/roles/haproxy/files/selinux/fi-haproxy.mod
--- a/roles/haproxy/files/selinux/fi-haproxy.pp
+++ b/roles/haproxy/files/selinux/fi-haproxy.pp
--- a/roles/haproxy/files/selinux/fi-haproxy.te
+++ b/roles/haproxy/files/selinux/fi-haproxy.te
@ -0,0 +1,10 @@
+module fi-haproxy 1.0;
+
+require {
+    type haproxy_t;
+    class capability fowner;
+}
+
+#============= haproxy_t ==============
+allow haproxy_t self:capability fowner;
+
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@ -61,3 +61,34 @@
  tags:
  - haproxy
  - selinux
+
+# These following four tasks are used for copying over our custom selinux
+# module.
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/share/haproxy state=directory
+  tags:
+  - haproxy
+  - selinux
+
+- name: copy over our general haproxy selinux module
+  copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp
+  register: fi_haproxy_module
+  tags:
+  - haproxy
+  - selinux
+
+- name: check to see if its even installed yet
+  shell: semodule -l | grep fi-haproxy | wc -l
+  register: fi_haproxy_grep
+  always_run: true
+  changed_when: "'0' in fi_haproxy_grep.stdout"
+  tags:
+  - haproxy
+  - selinux
+
+- name: install our general haproxy selinux module
+  command: semodule -i /usr/share/haproxy/fi-haproxy.pp
+  when: fi_haproxy_module|changed or fi_haproxy_grep|changed
+  tags:
+  - haproxy
+  - selinux