Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

distgit: install another custom selinux policy

Browse source 
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
This commit is contained in:
Pierre-Yves Chibon 2020-11-10 15:35:33 +01:00
parent a6a5686038
commit 1ef758c408
2 changed files with 22 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
roles/distgit/files/http_policy.te Normal file
View file

@ -0,0 +1,14 @@
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t git_content_t:dir search;
allow httpd_sys_script_t gitosis_var_lib_t:dir { getattr search };
allow httpd_sys_script_t self:capability { audit_write dac_read_search setgid setuid sys_resource };
allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay };
allow httpd_sys_script_t self:process setrlimit;
allow httpd_sys_script_t shadow_t:file { getattr open read };
#============= httpd_t ==============
allow httpd_t git_content_t:dir { add_name remove_name write };
allow httpd_t git_content_t:file { create rename setattr unlink write };
allow httpd_t gitosis_var_lib_t:dir { add_name create remove_name rmdir write };
allow httpd_t gitosis_var_lib_t:file { create link rename unlink write };

8
roles/distgit/tasks/main.yml
View file

@ -313,6 +313,14 @@
when: nfs_selinux_module is changed when: nfs_selinux_module is changed
tags: selinux tags: selinux
- name: Install another one of our own SELinux policy
run_once: true
include_role:
name: selinux/module
vars:
policy_file: files/http_policy.te
policy_name: http_policy
- name: setup grokmirror for repos - name: setup grokmirror for repos
package: name=python3-grokmirror state=installed package: name=python3-grokmirror state=installed
tags: tags: