copr-keygen: set selinux to enforcing, add custom policy

roles/copr/keygen/selinux/compile.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+checkmodule -M -m -o copr_rules.mod copr_rules.te
+semodule_package -o copr_rules.pp -m copr_rules.mod

roles/copr/keygen/selinux/copr_rules.te

@@ -0,0 +1,12 @@
+module copr_rules 1.0;
+
+require {
+    type httpd_t;
+    type httpd_var_lib_t;
+    class sock_file getattr;
+    class sock_file unlink;
+    class sock_file write;
+}
+
+#============= httpd_t ==============
+allow httpd_t httpd_var_lib_t:sock_file { getattr unlink write };

roles/copr/keygen/tasks/main.yml

@@ -23,13 +23,6 @@
 - name: change owner of data to copr-signer
   file: path=/var/lib/copr-keygen owner=copr-signer group=copr-signer recurse=yes
 
-- selinux: policy=targeted state=permissive
-
-#- name: install keygen specific packages
-#  dnf: name="{{ item }}" state=present
-#  with_items:
-#  - gnupg2
-
 - name: put keygen vhost for httpd
   copy: src="httpd/copr-keygen.conf" dest="/etc/httpd/conf.d/copr-keygen.conf"
   notify:
@@ -57,3 +50,17 @@
 - name: setup backup
   when: not devel
   import_tasks: "setup_backup.yml"
+
+# Three tasks for handling our custom selinux module
+- name: ensure a directory exists for our custom selinux module
+  file: dest=/usr/local/share/copr state=directory
+
+- name: copy over our custom selinux module
+  copy: src=selinux/copr_rules.pp dest=/usr/local/share/copr/copr_rules.pp
+  register: selinux_module
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/copr/copr_rules.pp
+  when: selinux_module|changed
+
+- selinux: policy=targeted state=enforcing